sort by:
Revision Author Date Message Commit Date
604ca2d Add reductions to iNTT in stack optimized code 13 October 2022, 15:57:26 UTC
b78dc00 more extensive aes tests and benchmarks 27 September 2022, 06:43:59 UTC
37e0fef more extensive aes tests and benchmarks 27 September 2022, 06:41:53 UTC
685fbbb Fix function call from assembly (#240) * change floating-point registers s(0-15) in s(16-31) in kyber matacc_asm.S matacc.i s(n) -> s(n+16) * change floating-point register s31 in s16 in kyberXXX-90s m4fspeed matacc_asm.S * consider floating-point registers clobbered calling kyber matacc_asm.S functions * save r12 register before calling C function in kyber matacc_asm.S and kyber matacc.i * amend the previous commit: fix the register Co-authored-by: Marco Palumbi <> 26 September 2022, 03:42:03 UTC
059e024 Add Richard Petri to citation 21 September 2022, 07:24:02 UTC
26f810d Fix alignment issues in Kyber (#236) * Add .vscode to gitignore * Add alignment to arrays used in Kyber to address #235 07 June 2022, 08:39:12 UTC
0b50e72 Use different FP registers, fix iNTT range (#234) * different fp registers, fix iNTT range * Remove redundant packing of signature component 'z' * benchmarks Co-authored-by: Alexandre Adomnicai <> Co-authored-by: Matthias J. Kannwischer <> 10 May 2022, 07:45:12 UTC
6182ab3 Avoid overlapping .o and .S file names (#231) Some implementations in pqm4 use the same file names for .c and .S files, .e.g., poly.[cS} in kyber. pqm4 does not have a problem with that, but it has been brought to my attention that other projects relying on pqm4 can not correctly handle that. I renamed the .S files accordingly. 23 March 2022, 04:18:34 UTC
3bfbbfd Faster Kyber and Dilithium (#221) * Faster Faster Kyber and Dilithium * benchmarks for kyber and dilithium * update skiplist * more dilithium benchmarks Co-authored-by: amin <> Co-authored-by: Matthias J. Kannwischer <> 31 January 2022, 02:01:55 UTC
c37e541 More readable and improved NTTs for NTRU (#219) * ntruhps2048509 * ntruhps2048677, ntruhrss701 * ntruhps4096821 * update benchmarks Co-authored-by: Matthias J. Kannwischer <> 29 January 2022, 01:24:18 UTC
2691b49 NTRU m4 polynomial inversion implementation for four parameter sets (#218) * NTRU m4 polynomial inversion implementation for four parameter sets * add benchmarks Co-authored-by: Matthias J. Kannwischer <> 29 November 2021, 10:05:01 UTC
82650eb Avoid aux.S filename to please Windows. Fix #216 (#217) 05 November 2021, 14:44:13 UTC
e47864b Merge pull request #213 from mupq/picnic Add Picnic implementations from 01 October 2021, 16:16:12 UTC
0dd7285 Update mupq 01 October 2021, 16:15:28 UTC
0197728 move opt-mem implementation from mupq to pqm4/pqm3 29 September 2021, 05:34:06 UTC
9c7be01 Fix #161. I wish people would just submit a patch to pqm4 instead of writing another paper about a bug that is well known... Anyway, I fixed this now... 26 September 2021, 17:35:32 UTC
8970d37 Fix two bugs in Kyber Fixes two minor bugs in matacc. They did not actually result in wrong outputs. In the uniform sampling, we use 3 bytes to sample 2 coefficients. In case the sampled coefficient is too large, we throw it away. Once we sampled 256 coefficients it is possible that we still have one coefficient left which needs to be discarded. The check if we are at the end of a polynomial already was wrongly implemented by checking for ctr < KYBER_Q/4 rather than ctr < KYBER_N/4 in two places. Luckily, it has no effect in both cases. In the first, ctr = KYBER_N/4 implies k=0 and hence the the code does nothing. In the second, an additional Keccak squeeze is triggered, but the output is never used. 26 September 2021, 17:25:47 UTC
1442c6e update mupq 06 September 2021, 08:23:53 UTC
33de42d add benchmarks 06 September 2021, 08:10:41 UTC
bdb173a add picnic 03 September 2021, 06:49:00 UTC
844e7ca Use T-Table AES for public inputs in ntrulpr (again) (#212) * use publicinputs AES for ntrulpr * new benchmarks 31 August 2021, 07:49:19 UTC
34e5da0 Merge branch 'rainbow' 30 August 2021, 20:55:14 UTC
0843a8e automatically build binaries; Resolves #205 18 August 2021, 21:40:27 UTC
b2c37fd switch to symlinks for files that are shared 18 August 2021, 09:08:18 UTC
62d8710 add rainbow to skiplist 16 August 2021, 08:36:26 UTC
4fee0f7 add Rainbow implementations 16 August 2021, 08:32:42 UTC
b4c5d7a fix Saber typings (#208) 13 August 2021, 08:19:16 UTC
a0e520d Inclusion of speed optimized and stack optimized Saber from (#206) * add saber * rm unused * update all * add all * saber * soft links * link all * benchmarks Co-authored-by: Matthias J. Kannwischer <> 13 August 2021, 02:14:47 UTC
9ff685e NTRU Prime m4 implementation for six parameter sets (#203) * NTRU Prime m4 implementation for six parameter sets * NTRU Prime m4 implementation for six parameter sets * delete .DS_Store * delete useless files & change to asm function [jump753divsteps.c] * update mupq to include ntruprime round 3 parameter sets * modified arith.h * delete useless comment * using stack memory instead of static memory * update mupq * fix buffer size * add basemul_8x8_156 * update skiplist * add benchmarks * eliminate more bss * update benchmarks for sntrup761 Co-authored-by: Matthias J. Kannwischer <> Co-authored-by: Trista Li <> 12 August 2021, 08:50:15 UTC
0b3519d Add support for Nucleo-L4R5ZI board (#193) * Add an optional memory timing test to the boardtest.elf * Add support for the Nucleo-L4R5ZI board * Add a PQM4 preprocessor definition flag * Properly detect PQM4/MUPQ in bikel{1,3} sources * Include the nucleo-l4r5zi in the README * Update mupq 03 August 2021, 07:27:59 UTC
cf6f358 Improve reliability of benchmarking scripts. (#190) On my Raspberry Pi I often ran into the problem that the Pi would miss the beginning of the serial output and then get stuck in an infinite loop trying to reflash again and again. By waiting a couple of hundred ms when starting up, this can be prevented. For me this heavily improved reliability. 30 July 2021, 06:14:50 UTC
bf8a921 Update Resolve #199 23 July 2021, 07:33:41 UTC
dd629a2 change licensing for Dilithium NTT (#201) Closes #198 23 July 2021, 07:21:21 UTC
b4c013e Fixes #195: Bug in ntrup761/ntrulpr761 decaps. (#200) 23 July 2021, 05:47:09 UTC
834a03d Restore and add default uart (#194) The previous version of pqm4 had a build everything script that would spit out all the binaries. With the multiplatform pqm4, this is no longer needed. One can simply make -j4 PLATFORM=stm32f4discovery However, we currently still have a non-functional script sitting around. I've fixed it, but we could also remove it. Additionally, to allow users to simply run ./, I added a default uart device "/dev/ttyUSB0". The old pqm4 also assumed that serial device. Right now pqm4 miserably fails without a --uart argument and a reasonable error message. 24 June 2021, 11:25:18 UTC
725badd fix baudrate in manual hostside script 14 June 2021, 08:03:06 UTC
9075f55 set default extraargs for stlink platform 08 June 2021, 16:04:36 UTC
12d5e56 Multiplatform support (#174) * Adapt the PQM3 Multiplatform & Scheme Discovery to PQM4 * Add HAL support for CW308T-STM32F3 * Adapt platform interfaces * Implement simplified platform running interface * Simplify chipwhisperer interface * Fix for systems without the GNU findutils * Add the mps2-an386 platform, which is also supported by QEMU * Speed up scheme search * Skip scheme list generation if IMPLEMENTATION_PATH is given * Optionally push all data/bss into the "flash" portion of the MPS2 The flash is actually just a RAM. The main purpose of the board here is stack testing and this will allow us to use all 4MB of the "ram" memory region for stack/heap. * Implement stack size querying * Don't capture stdin for QEMU platforms * Fix argument parsing for benchmarks * Add possibility to run QEMU benchmarks directly from make * Fix scheme list generation * Remove automatic call to git * Add some comments for the scheme finding mechanism * Add the possibility for scheme specific makefiles * Clean up makefiles * Generate a skiplist for each platform * Move reusable buildsystem and interface code to mupq * Move randombytes implementation to hal for testvector test * Make all-in-one compilation the default * Document the new platforms in the * Update mupq * Add _sbrk wrapping to opencm3 * Update mupq * adjust pqm4 to run multiple iterations in a single binary * Always add LTO flag * Update mupq * Reorganize symmetric crypto sources * Include HAL and crypto sources in AIO compilation * Fix LTO compilation * Use existing linker script if present * Update mupq * Don't use the nano libc (worse performance) * Fix compilation for self-tests * Quick-fix build error for bikel1 on mps2-an386 platform * Update benchmarks * Use full ram for some frodokem schemes * Fix compilation on mps2-an386 platform * Update * switch to mupq master Co-authored-by: Matthias J. Kannwischer <> 06 June 2021, 20:12:45 UTC
8274c41 SPHINCS+ benchmarks (#192) 04 June 2021, 08:24:25 UTC
5ebac3b Fix 30 May 2021, 02:05:04 UTC
8f5b115 Remove static buffers in NTRU (#191) * remove static from NTT buffers in NTRU * ntru benchmarks 25 May 2021, 08:20:13 UTC
65f12c6 update bikel1/m4f and bikel3/m4f to ches2021 (#188) * update bikel[1,3]/m4f to ches2021 * updated bike in mupq * new bike benchmarks Co-authored-by: Matthias J. Kannwischer <> 25 May 2021, 02:47:22 UTC
175903d Stack-optimized fips202 (#189) * stack-optimized fips202 * fips202stack benchmarks * switch to mupq master 24 May 2021, 03:45:55 UTC
bc2ecc9 Update PQClean to include new SPHINCS+ parameter sets (#187) * update pqclean to include new SPHINCS+ parameter sets * add SPHINCS+ benchmarks * switch mupq to master 08 April 2021, 02:09:08 UTC
438ab82 Update README to not reference obsolete schemes 23 March 2021, 07:26:35 UTC
17e43e5 fix a bug with very low prabability (#185) 08 March 2021, 09:09:53 UTC
27c7089 Merge implementation of Rader's trick of sntrup761 and ntrulpr761 from (#184) * add Darwin option to host_unidirectional * rm everything about sntrup761 * sntrup761 success; ntrulpr failed * rm ntrulpr files from sntrup * add missing files for sntrup * add missing sntrup file * ntrulpr compilable but ERROR KEYS * we start with rm everything in ntrulpr * all files tested * rm unsued files * add soft liks * more soft links * more soft links * add NTRUPrime benchmarks * updated kem.c from NTRUPrime-PolyMul * another attempt at the ntrulpr benchmarks * slightly tweak the check for MacOS Co-authored-by: Matthias J. Kannwischer <> 03 March 2021, 07:48:06 UTC
8a6fcf6 Port Dilithium 3.1 changes to M4 implementation (#183) 18 February 2021, 06:55:29 UTC
992f0f2 Stack optimizations and refactoring of NTT-based Saber (#181) * This is a large commit, grouping two types of changes on top of the NTT-based Saber. Firstly, this commit merges improvements between different Saber implementations. 1) For round 3, the Saber reference code was thoroughly refactored and the codebase reduced []. These changes are now integrated into the m4 code. 2) All unnecessary modular reductions have been removed. The only modular reductions are now in the packing functions. 3) Packing/unpacking functions are simplified [PQClean, commit f8503cb]. 4) The secret-key is stored in compressed format [, Section 4.1]. This reduces the secret-key size, and the packing/unpacking functions are faster. (This requires a fix in pqm4’s testvectors.c, as the secret-key is checked against the one produced by PQclean). 5) During re-encryption, the verification of the ciphertext is performed in place [, Section 4.2]. 6) Use symlinks for Light/FireSaber to make (minimal) differences with Saber more clear. Secondly, this commit implements some optimizations and reduces the memory footprint of the NTT-based multiplication. 1) Saber does not require any modular reduction apart from bitstream packing. Elements can be kept in int16_t (central-reduced) format. 1.a) The secret-key is sign-extended from 4-bit to 16-bit when unpacked. 1.b) The vectors b and b' are sign-extended from 10-bit to 16-bit when unpacked. 1.c) 1.a and 1.b allow to remove NTT_pk (with central reduction) and use NTT (without central reduction) uniformly. 1.d) NTT_inv and NTT_inv_inner include a final step that converts from int16_t back to mod_p or mod_q. This is not necessary and removed. 2) During encryption, the NTT of s' is only computed once and reused between A*s' and b*s'. 3) Some just-in-time memory optimizations of [, Section 2.2] are implemented for the NTT-based multiplication. Polynomial vectors are generated from their seed just-in-time, converted to NTT domain, and pointwise multiplied. The next polynomial vectors can reuse all the buffers. The idea is to extend this from polynomial vectors to individual polynomials. This still requires a new my_mul function. For {Fire,Light}Saber (keygen/encaps/decaps) the resulting implementation is approximately (2.3-2.6%/4.7-5.5%/7.4-9.5%) faster and uses (27-36%/47-61%/49-62%) less dynamic memory than the current version in pqm4. * Add central reduction for matrix A * Add benchmarks * WIP : more memory-efficient NTT implementation * Make secret key compression optional and comment out non-stack-optimized (very slightly faster) functions * Reclaim ~1kB more stack space shake_out was SABER_POLYVECBYTES instead of only SABER_POLYBYTES. Introduced a few unions to overlap memory. * rm redundant files * clean ups; add soft links * Reclaim ~1kB more stack space shake_out was SABER_POLYVECBYTES instead of only SABER_POLYBYTES. Introduced a few unions to overlap memory. * typo * Noinline no longer needed without fast funcs * add benchmarks Co-authored-by: vincentvbh <> Co-authored-by: Matthias J. Kannwischer <> 18 February 2021, 05:57:25 UTC
5fb6938 BIKE submission for PQM4 (#175) * submission for PQM4 * re-org implementations * use C version cshift() temporarily * 1. fix incorrect key-gen for arm-none-eabi-gcc ver.10.2.1 2. remove usage of CCM for bikel1 * rip out openssl; always default to sha and aes shipped in mupq * remove usage of CCM in all implementations * move BIKE reference implementations to mupq * skip bikel3 for now * add BIKE benchmarks Co-authored-by: Matthias J. Kannwischer <> 18 February 2021, 05:11:19 UTC
4fc31d7 Udpated dilithium round2 to dilithium round 3 from NIST PQC Standariz… (#178) * Udpated dilithium round2 to dilithium round 3 from NIST PQC Standarization process. * update dilithium in pqclean * redo Dilithium benchmarks Co-authored-by: Matthias J. Kannwischer <> 01 February 2021, 09:31:36 UTC
20bcf68 remove debugging artifact 22 January 2021, 03:17:01 UTC
6841a6b Constant-time AES ( (#173) * switch to fixsliced AES * tweak kyber-90s to use t-table AES for public inputs * update kyber-90s benchmarks with fixsliced AES * use t-tabe AES in Frodo for public matrix A * make ntrulpr work with fixsliced AES * update fixsliced AES from upstream * update performance of kyber-90s, ntrulpr, and hqc with new fixsliced AES * update AES information in README * rename _leaktime to _publicinputs * switch to mupq master; simply change include order 04 January 2021, 02:41:56 UTC
157e271 Update PQClean (#172) * Updated sampling of uniform matrix of Kyber to round-3 tweaked approach * Integrated changes to noise sampling in Kyber512 * Updated links in kyber512-90s/m4 to use round-3 noise generation of kyber512/m4 * source ntruprime from pqclean * * add HQC benchmarks. Closes #57 * Port This ports a fix from upstream. This does not change performance by more than a few cycles. For details see * Port Fixes a typo in sample.c in PQClean which was also present in the pqm4 implementations. This changes testvectors, but not performance. * * * * * Co-authored-by: Peter Schwabe <> 09 December 2020, 20:02:30 UTC
3fd51a9 Save memory space on stack measurement for signatures (#171) 08 December 2020, 16:16:49 UTC
34d6ed0 Clarify pyserial installation instructions (#169) Fixes #168 20 November 2020, 19:51:38 UTC
68007db NTT-based multiplication for Saber and NTRU (#167) * add new Saber and NTRU code * add benchmarks 18 November 2020, 11:34:45 UTC
f7a99d8 fix ntruprime implementation for old gcc versions (#165) Some older gcc versions complain about mov.w with constants being too large. changing those to movw fixes this. 27 October 2020, 13:01:44 UTC
a912d1c Merge pull request #163 from mupq/dilithiumm4 Faster and smaller Dilithium 19 October 2020, 10:56:53 UTC
4178be9 dilithium benchmarks 19 October 2020, 10:42:30 UTC
8c23cf3 Add speed and stack optimized implementations from See 19 October 2020, 08:28:14 UTC
56417d9 clean-up interface 24 July 2020, 07:55:01 UTC
cb2caa2 remove non-round3 schemes (#162) NIST announced the Round 3 finalists and alternate candidates: PQClean removed threebears, ledakem, newhope, mqdss, qtesla in MUPQ removed LUOV, RQC, ROLLO, Round5, ThreeBears, and LAC in This commit removes the M4 implementations of schemes that did not make it to round 3 from pqm4 (Round5 and NewHope). It also removes the corresponding benchmark results. 24 July 2020, 01:43:46 UTC
c32bcd0 Revert "clean up Makefile" This reverts commit b64e5f1073cc24097579417a91bcee3ee85eb260. Those lines were not unused. 15 June 2020, 18:45:45 UTC
b64e5f1 clean up Makefile there were some unused rules in our Makefile that still originate from the messy first round Makefile 11 June 2020, 02:34:52 UTC
28eb2d8 New Dilithium Code (#159) * Update Dilithium * Re-add optimizations from #105 * update dilithium benchmarks 11 June 2020, 02:32:37 UTC
aac104e Update NewHope to v1.1 (#158) * Update mupq; updates NewHope clean to v1.1 * Update NewHope m4 to v1.1 * Redo NewHope benchmarks 30 May 2020, 10:58:54 UTC
1cb728b Update Round5 to new version (#157) * Update mupq; integrates new version of Round5 opt * Update r5nd-1cca-5d m4 to new version * Update other Round5 m4 implementations to new version * Update benchmarks for Round5 30 May 2020, 09:29:13 UTC
bfef406 add gcc10 benchmarks 30 May 2020, 09:21:49 UTC
af4b38f update mupq (more robust result parsing) 29 May 2020, 06:12:56 UTC
84c5f91 Update ROLLO implementation (#155) * Update mupq; integrate new ROLLO ref implementation * Benchmark new ROLLO ref implementation 28 April 2020, 20:22:05 UTC
a1bbbd9 fix lac to adhere to the new aes keyexp api 27 April 2020, 23:26:41 UTC
479f4a5 Fix {sntrup,ntrulpr}761/m4f such that they compile Calls to aes256_keyexp were left in e1c6949 (#150) after attempting to rebase them after 1a6ee85 (#148). This changes the calls to aes256_ctr_keyexp. 27 April 2020, 20:06:25 UTC
7aa3be8 Extend SIKE M4 benchmarks Now with 100 executions instead of 1. Doesn't change the results at all though. 22 April 2020, 14:14:14 UTC
87dd5c1 Update RQC implementation (#153) * Update mupq; integrates new RQC implementations * Add rqc256 to skip_list On the host, rqc256 takes about 132KiB according to Valgrind * Increase stack to 128K for rqc192 On the host, Valgrind reported around 105KiB. On the board, test and testvectors ran fine with 112K, but the stack binary crashed, so it must have been very close. Increasing to 128K solved this. * Update RQC benchmarks Note that the stack numbers are not too interesting as the implementation uses dynamic memory allocation. 22 April 2020, 12:40:58 UTC
e1c6949 Add m4f Implementations of ntrulpr761 and sntrup761 (#150) * integrate sha512 from supercop20200409 * add sntrup761 m4 implementation * switch to m4f sha512 implementation * fix ntrup761 * rename implementation to m4f * ntrulpr761 * small changes to ntrulpr * another small speedup for sntrup761 * fix * another ntruprime update * NTRUPrime benchmarks 22 April 2020, 07:15:40 UTC
1da1518 LACv3 Benchmarks (#147) 21 April 2020, 07:08:26 UTC
1a6ee85 Update PQClean (#148) * integrate sha512 from supercop20200409 * skip mceliece * Port I'm not a big fan of this change, but we have to do it to be compatible with PQClean. * Port HQC; skip because it does not fit 21 April 2020, 07:05:29 UTC
04a8be2 Integrate SIKE M4 implementation (#146) * Add SIKE m4 implementations Taken from * update sike LICENSE * Fix bug by adding naked attribute to two functions sikep434 and sikep751 now terminate at least, but testvectors still don't match * Change cSHAKE_simple back to SHAKE * Change CRYPTO_BYTES for p503 from 16 back to 24 * Change wrong number in comment to avoid confusion * Add benchmarks Co-authored-by: Matthias J. Kannwischer <> 17 April 2020, 16:58:06 UTC
90754b1 Faster SHA512 (#136) * integrate sha512 from supercop20200409 * update benchmarks with new SHA512 17 April 2020, 04:51:51 UTC
20f1dff Update libopencm3 to fix build with make >= 4.3 make 4.3 changed the behaviour of '+=' in a backward-incompatible way. (See This broke the libopencm3 build and got fixed in 05 April 2020, 09:20:26 UTC
7e7703c Update Round5 to third round (#135) * Update mupq; Round5 opt implementations * Remove SNEIK variants * Rename Round5 m4 CCA variants * Update r5nd-1cca-5d m4 implementation * Update symlinks other Round5 m4 implementations * Add Round5 m4 CPA variants * Force assembly addsub for Round5 m4 * Update round5 benchmarks (#134) * Update Round5 opt benchmarks Co-authored-by: Daan Sprenkels <> 25 March 2020, 08:35:03 UTC
3b0ca85 Update mupq to make serial output processing more robust See 05 March 2020, 09:41:47 UTC
0972616 Fixes #132 (#133) 15 February 2020, 09:41:15 UTC
7b37f04 Take clean CPA three bears from PQClean (#131) * update three bears benchmarks for clean implementation * update mupq 04 February 2020, 11:52:48 UTC
2f3b8bd Remove unneeded file in NewHope m4 (#130) 30 January 2020, 13:35:35 UTC
f0f573e Integrate faster NewHope m4 implementation (#129) In Erdem Alkim, Yusuf Alper Bilgin, Murat Cenk, and François Gérard propose more optimizations to the NewHope M4 implementation. This integrates their nice work. We report a slightly higher cycle count than in that paper because of an extra bit reversal and because we currently don't use -flto. 30 January 2020, 10:08:04 UTC
944b3c3 Integrate faster Kyber m4 implementation (#128) In Erdem Alkim, Yusuf Alper Bilgin, Murat Cenk, and François Gérard propose more optimizations to the Kyber M4 implementation. This integrates their nice work. We report a slightly higher cycle count than in that paper because of an extra Barrett reduction and because we currently don't use -flto. 20 January 2020, 16:43:41 UTC
8136c82 Fix Round5 CCA KEMs (#127) * Update mupq; fixes Round5 opt CCA KEMs * Fix Round5 m4 CCA KEMs * Update Round5 benchmarks 03 December 2019, 08:05:37 UTC
89e9eb1 Update libopencm3 (#125) In libopencm3 slightly changed the clock setup so we need to adjust that as well. As all changes are in the clock setup, this does not affect benchmarks at all. 25 November 2019, 13:33:26 UTC
1624ff1 add benchmarks of clean threebears (#124) 18 November 2019, 09:34:49 UTC
6ba5207 len and flag were flipped (#123) * len and flag were flipped * apply same fix to mupq 15 November 2019, 12:34:27 UTC
670ec38 update mupq (#122) refactors our number printing to reduce code size. For pqm4 this does not matter that much, but let's keep it in sync with mupq. Our code benchmarks exclude this common code, so there is no need to update those numbers. This also pulls in a newer version of PQClean, which now includes qTesla ( Unfortunately, qtesla-I-p needs 174.5 KiB and qtesla-p-III needs 403.2 KiB of RAM, so it does not fit on our platform. 29 October 2019, 13:52:15 UTC
f25922b Add RQC{128,192,256} ref implementations (#121) * Update mupq; adds rqc ref implementations * Add RQC benchmarks 08 October 2019, 11:15:00 UTC
20bdec1 Add ROLLO-{I,II,III}-{128,192,256} ref implementations (#120) * Update mupq; adds ROLLO ref implementations * Add ROLLO benchmarks 08 October 2019, 10:48:50 UTC
970afc2 Add optimized Kyber-90s and update Kyber-90s from PQClean (#119) * change naming of falcon parameter sets to pqclean naming * add kyber-90 parameter sets * use our AES API in Kyber * fix symlinks * update pqclean; make kyber use fast aes * update kyber-90s benchmarks 07 October 2019, 13:43:24 UTC
fdd41fa Add missing fields in benchmarkclock struct The missing fields are initialized with default values following the conventions of the predefined profiles from <>. I did not test this patch on the M4 hardware. 07 October 2019, 12:07:29 UTC
667d80b Update PQClean (#116) * change naming of falcon parameter sets to pqclean naming * ignore rainbow paramter sets * add benchmarks for clean implementations of kyber-90s, falcon, and saber * update mupq to fix SHA2 SPHINCS+ builds 01 October 2019, 23:48:38 UTC
7514870 Fix kyber (#115) * fix inlined comparison * update documentation of indcpa_enc_cmp The `cmov` that is used in `crypto_kem_dec` to either derive the shared secret from the pre-key or the random `z` expects the `fail` input to be either 0 (if re-encryped ciphertext was the same as input ciphertext) or 1 (otherwise). We've inlined the comparison that used to be done by `verify` into `indcpa_enc` (renamed to `indcpa_enc_cmp`) to reduce the stack footprint. We made a small mistake in there so that it returned 0 in case of no failure and some other byte otherwise. This means that in case of a mismatch, cmov would write a mix of the pre-key and `z`. As this is hashed together with the ciphertext later this will still result in some shared secret different from the correct one, but this is not what you want. 30 September 2019, 11:58:39 UTC
b4fea3f Update Falcon to new fixed upstream version (#114) * Update Falcon to new fixed upstream version. On the 2019-09-18 the Falcon team announced that their implementation had two severe bugs that caused signatures to leak information about the secret key. These bugs also affected the implementations that were in pqm4. This commit updates our falcon implementation to the new upstream version from which fixes these bugs. * Update Falcon benchmarks 25 September 2019, 08:44:35 UTC
back to top