-rw-r--r-- 1425 libmceliece-20240812/crypto_kem/6960119/avx/kem_dec.c raw
// 20240805 djb: more mask usage // 20221230 djb: add linker lines // 20221230 djb: split out of operations.c // linker define operation_dec // linker use decrypt #include "operations.h" #include "hash.h" #include "decrypt.h" #include "params.h" #include "util.h" #include <stdint.h> #include <string.h> #include "crypto_int8.h" #include "crypto_int64.h" /* check if the padding bits of c are all zero */ static int check_c_padding(const unsigned char * c) { unsigned char b; b = c[ SYND_BYTES-1 ] >> (PK_NROWS % 8); return crypto_int8_nonzero_mask(b); } int operation_dec( unsigned char *key, const unsigned char *c, const unsigned char *sk ) { int i, padding_ok; unsigned char mask; unsigned char ret_decrypt = 0; uint16_t m; unsigned char e[ SYS_N/8 ]; unsigned char preimage[ 1 + SYS_N/8 + SYND_BYTES ]; unsigned char *x = preimage; const unsigned char *s = sk + 40 + IRR_BYTES + COND_BYTES; // padding_ok = check_c_padding(c); ret_decrypt = decrypt(e, sk + 40, c); m = ret_decrypt; m -= 1; m >>= 8; *x++ = crypto_int64_bottombit_01(m); for (i = 0; i < SYS_N/8; i++) *x++ = (~m & s[i]) | (m & e[i]); for (i = 0; i < SYND_BYTES; i++) *x++ = c[i]; crypto_hash_32b(key, preimage, sizeof(preimage)); // clear outputs (set to all 1's) if padding bits are not all zero mask = padding_ok; for (i = 0; i < 32; i++) key[i] |= mask; return padding_ok; }