--- /home/rmisoczk/Documents/bike/Optimized_Implementation.2017.11.30/Optimized_Implementation/decode.c +++ /home/rmisoczk/Documents/bike/Optimized_Implementation.2018.06.29/Optimized_implementation/decode.c @@ -314,7 +314,7 @@ } // LINES 7-10 of One-Round Bit Flipping Algorithm: - while (getHammingWeight(s, R_BITS) > S_BIT_FLIPPING) + for (uint32_t i = 0; getHammingWeight(s, R_BITS) > S_BIT_FLIPPING && i < MAX_IT_LOOP1; i++) { for (int l = 0; l < DELTA_BIT_FLIPPING; l++) { @@ -378,7 +378,7 @@ } // LINES 13-15 of One-Round Bit Flipping Algorithm: - while (getHammingWeight(s, R_BITS) > u) + for (uint32_t k = 0; getHammingWeight(s, R_BITS) > u && k < MAX_IT_LOOP2; k++) { // find a random non-zero position in the syndrome: uint32_t i = 0; @@ -416,7 +416,8 @@ } DMSG("\t\t\t\tStep 4 (loop). Weight(syndrome): %d Weight(error): %d\n", getHammingWeight(s, R_BITS), getHammingWeight(e, N_BITS)); } - // check if decoding finished: + + // check if decoding succeeded: if (getHammingWeight(s, R_BITS) <= u) { DMSG("\t\tWeight(syndrome): %d\n", getHammingWeight(s, R_BITS)); --- /home/rmisoczk/Documents/bike/Optimized_Implementation.2017.11.30/Optimized_Implementation/defs.h +++ /home/rmisoczk/Documents/bike/Optimized_Implementation.2018.06.29/Optimized_implementation/defs.h @@ -40,8 +40,8 @@ /////////////////////////////////////////// // UNCOMMENT TO SELECT BIKE 1, 2, OR 3: -#define BIKE1 -//#define BIKE2 +//#define BIKE1 +#define BIKE2 //#define BIKE3 // UNCOMMENT TO SELECT THE NIST SECURITY LEVEL 1, 3 OR 5: @@ -49,7 +49,7 @@ //#define PARAM96 // NIST LEVEL 3 #define PARAM128 // NIST LEVEL 5 -// DEFINE BATCH COUNT FOR SIMULTANEOUS INVERSION +// DEFINE BATCH COUNT FOR SIMULTANEOUS INVERSION. BATCH_SIZE must be greater than 1. #define BATCH_SIZE 16 // BIKE shared-secret size: 
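Review bot: In the @@ -314 hunk of decode.c the bounded loop can now stop because `i` reached MAX_IT_LOOP1 while the syndrome weight is still above S_BIT_FLIPPING, and nothing visible after the loop tells that exit apart from convergence. The second loop (@@ -378) has the same shape, but it is followed by the `<= u` success check shown in the @@ -416 hunk; no such check is in view for the first loop. I would re-test the weight directly after the first loop, `if (getHammingWeight(s, R_BITS) > S_BIT_FLIPPING) { /* iteration cap reached: decoding failure */ }`, and take the decoder's existing failure path there instead of continuing with a heavy syndrome. Both loop bodies and the rest of the function lie outside the hunks, so this may already be handled further down.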
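Review bot: Nothing in the @@ -40 hunk of defs.h prevents a build with zero or several BIKE variants selected, and the default moves from BIKE1 to BIKE2 only by shifting a comment marker. That switch also puts kem.c on its `#ifdef BIKE2` batch key-generation path, so if it is intended it deserves a line in the commit description. A guard after the three defines, `#if (defined(BIKE1) + defined(BIKE2) + defined(BIKE3)) != 1` followed by `#error "select exactly one BIKE variant"`, would reject a wrong selection at compile time. The rest of defs.h is not visible here, so such a check may already exist.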
@@ -132,13 +132,26 @@ // Divide by the divider and round up to next integer: #define DIVIDE_AND_CEIL(x, divider) ((x/divider) + (x % divider == 0 ? 0 : 1ULL)) + // Round the size to the nearest byte. // SIZE suffix, is the number of bytes (uint8_t). #define N_BITS (R_BITS*2) #define R_SIZE DIVIDE_AND_CEIL(R_BITS, 8ULL) #define N_SIZE DIVIDE_AND_CEIL(N_BITS, 8ULL) #define R_DQWORDS DIVIDE_AND_CEIL(R_SIZE, 16ULL) -#define MAX_J_SIZE 5*T1 + +// We conservatively set MAX_J_SIZE=n to ensure that matrix J (used in decoder) +// always has enough allocated memory to store (a variable number of) indices: +#define MAX_J_SIZE N_BITS + +// Regarding the while-loops presented in Algorithm 3 (One-Round Bit-Flipping), +// we establish a maximum number of iterations in our implementation to ensure +// that the execution always terminates, even in case of decoding failures. +// As a conservative approach, we assume N_BITS for such upper bound. Note that +// for the recommended parameters (and well-chosen parameters in general), +// these loops will usually terminate within few iterations (far less than N). +#define MAX_IT_LOOP1 N_BITS +#define MAX_IT_LOOP2 N_BITS //////////////////////////////////////////// // Debug --- /home/rmisoczk/Documents/bike/Optimized_Implementation.2017.11.30/Optimized_Implementation/kem.c +++ /home/rmisoczk/Documents/bike/Optimized_Implementation.2018.06.29/Optimized_implementation/kem.c @@ -32,8 +32,9 @@ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ******************************************************************************/ -#include "stdio.h" -#include "string.h" +#include +#include +#include #include "parallel_hash.h" #include "openssl_utils.h" @@ -183,6 +184,9 @@ // sk = (h0, h1) #ifdef BIKE2 + // ensuring BATCH_SIZE > 1 + assert (BATCH_SIZE > 1); + static int key_gen_cnt = 0; static uint8_t h0[BATCH_SIZE][R_SIZE]; #else
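Review bot: The new `#define MAX_J_SIZE N_BITS` in the @@ -132 hunk of defs.h makes J large enough by construction, but the code that appends indices to J is outside this diff, so it is not visible whether it checks its count against MAX_J_SIZE. An explicit bound at the write site would keep the buffer safe if the parameters or the decoder change later, rather than relying on the size being conservative. The growth from `5*T1` to N_BITS entries is also worth checking against where J is allocated: if it is an automatic array, the stack footprint rises accordingly.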
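Review bot: The `assert (BATCH_SIZE > 1);` added in the @@ -183 hunk of kem.c checks a compile-time constant at run time and disappears entirely when the file is built with NDEBUG, which is the usual setting for an optimized build. Because BATCH_SIZE is a macro from defs.h, the requirement can be enforced by the preprocessor next to its definition (the @@ -49 hunk only documents it in a comment): `#if BATCH_SIZE <= 1`, `#error "BATCH_SIZE must be greater than 1"`, `#endif`. That fails the build rather than the first key generation, and it needs no particular C standard. The enclosing function starts and ends outside the hunk.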