Add a simulation project as example

projects/.gitignore

-/**
+/*
 !/.gitignore
 !/Examples/

projects/Examples/KyberNTT/.gitignore

+*.elf
+*.list
+*.bin
+*.map
+*.d
+*.o
+!vector.o
+!elmoasmfunctions.o

projects/Examples/KyberNTT/Makefile

+##
+## University of Bristol – Open Access Software Licence
+## Copyright (c) 2016, The University of Bristol, a chartered
+## corporation having Royal Charter number RC000648 and a charity
+## (number X1121) and its place of administration being at Senate
+## House, Tyndall Avenue, Bristol, BS8 1TH, United Kingdom.
+## All rights reserved
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted provided that the following conditions
+## are met:
+##
+## 1. Redistributions of source code must retain the above copyright
+## notice, this list of conditions and the following disclaimer.
+##
+## 2. Redistributions in binary form must reproduce the above
+## copyright notice, this list of conditions and the following
+## disclaimer in the documentation and/or other materials provided
+## with the distribution.
+##
+## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+## INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+## (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+## SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+## STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+## OF THE POSSIBILITY OF SUCH DAMAGE.
+##
+## Any use of the software for scientific publications or commercial
+## purposes should be reported to the University of Bristol
+## (OSI-notifications@bristol.ac.uk and quote reference 2668). This is
+## for impact and usage monitoring purposes only.
+##
+## Enquiries about further applications and development opportunities
+## are welcome. Please contact elisabeth.oswald@bristol.ac.uk
+##
+
+##
+## This file was based on files that are part of the libopencm3 project.
+## See below for licecning information.
+##
+## Copyright (C) 2009 Uwe Hermann <uwe@hermann-uwe.de>
+## Copyright (C) 2010 Piotr Esden-Tempski <piotr@esden.net>
+## Copyright (C) 2011 Fergus Noble <fergusnoble@gmail.com>
+##
+## This library is free software: you can redistribute it and/or modify
+## it under the terms of the GNU Lesser General Public License as published by
+## the Free Software Foundation, either version 3 of the License, or
+## (at your option) any later version.
+##
+## This library is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU Lesser General Public License for more details.
+##
+## You should have received a copy of the GNU Lesser General Public License
+## along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Remove to display makefile output
+Q		:= @
+
+BINARY = project
+
+FP_FLAGS	?= -msoft-float
+ARCH_FLAGS	= -mthumb -mcpu=cortex-m0 $(FP_FLAGS)
+
+###############################################################################
+# Executables
+
+PREFIX		?= arm-none-eabi
+CC		:= $(PREFIX)-gcc
+LD		:= $(PREFIX)-gcc
+OBJCOPY		:= $(PREFIX)-objcopy
+OBJDUMP		:= $(PREFIX)-objdump
+
+###############################################################################
+# Source files
+
+LDSCRIPT	= $(BINARY).ld
+#OBJS		+= $(BINARY).o
+ELMOASMFUNCTIONS = elmoasmfunctions.o
+
+#!!! PLEASE ADD YOUR SOURCES, HEADERS AND OBJECTS HERE !!!
+SOURCES = ntt.c poly.c polyvec.c reduce.c $(BINARY).c
+HEADERS = ntt.h poly.h polyvec.h reduce.h params.h
+OBJECTS = ntt.o poly.o polyvec.o reduce.o $(BINARY).o
+
+###############################################################################
+# C flags
+
+CFLAGS += -Os -g
+CFLAGS += -Wextra -Wshadow -Wimplicit-function-declaration
+CFLAGS += -Wredundant-decls -Wmissing-prototypes -Wstrict-prototypes
+CFLAGS += -fno-common -ffunction-sections -fdata-sections
+
+###############################################################################
+# C & C++ preprocessor common flags
+
+CPPFLAGS	+= -MD
+CPPFLAGS	+= -Wall -Wundef
+
+###############################################################################
+# Linker flags
+
+LDFLAGS		+= --static -nostartfiles
+LDFLAGS		+= -T$(LDSCRIPT)
+LDFLAGS		+= -Wl,-Map=$(*).map
+LDFLAGS		+= -Wl,--gc-sections
+
+
+###############################################################################
+# Used libraries
+
+LDLIBS		+= -Wl,--start-group -lc -lgcc -lnosys -Wl,--end-group
+
+###############################################################################
+###############################################################################
+###############################################################################
+
+all: elf bin list
+elf: $(BINARY).elf
+bin: $(BINARY).bin
+list: $(BINARY).list
+
+images: $(BINARY).images
+
+$(BINARY).images: $(BINARY).bin $(BINARY).list $(BINARY).map
+
+$(BINARY).bin: $(BINARY).elf
+	$(Q)$(OBJCOPY) -Obinary $(BINARY).elf $(BINARY).bin
+
+$(BINARY).list: $(BINARY).elf
+	$(Q)$(OBJDUMP) -S $(BINARY).elf > $(BINARY).list
+
+$(BINARY).elf $(BINARY).map: $(OBJECTS) $(LDSCRIPT)
+	$(Q)$(LD) $(LDFLAGS) vector.o $(ARCH_FLAGS) $(OBJECTS) $(ELMOASMFUNCTIONS) $(LDLIBS) -o $(BINARY).elf
+
+%.o: %.c $(HEADER)
+		$(Q)$(CC) $(CFLAGS) $(CPPFLAGS) $(ARCH_FLAGS) -c -o $@ $<
+
+clean:
+	$(Q)$(RM) $(OBJECTS) $(BINARY).d $(BINARY).elf $(BINARY).bin $(BINARY).list $(BINARY).map

projects/Examples/KyberNTT/elmoasmfunctions.s

+##
+## University of Bristol – Open Access Software Licence
+## Copyright (c) 2016, The University of Bristol, a chartered
+## corporation having Royal Charter number RC000648 and a charity
+## (number X1121) and its place of administration being at Senate
+## House, Tyndall Avenue, Bristol, BS8 1TH, United Kingdom.
+## All rights reserved
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted provided that the following conditions
+## are met:
+##
+## 1. Redistributions of source code must retain the above copyright
+## notice, this list of conditions and the following disclaimer.
+##
+## 2. Redistributions in binary form must reproduce the above
+## copyright notice, this list of conditions and the following
+## disclaimer in the documentation and/or other materials provided
+## with the distribution.
+##
+## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+## INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+## (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+## SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+## STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+## OF THE POSSIBILITY OF SUCH DAMAGE.
+##
+## Any use of the software for scientific publications or commercial
+## purposes should be reported to the University of Bristol
+## (OSI-notifications@bristol.ac.uk and quote reference 2668). This is
+## for impact and usage monitoring purposes only.
+##
+## Enquiries about further applications and development opportunities
+## are welcome. Please contact elisabeth.oswald@bristol.ac.uk
+##
+
+.syntax unified
+.text
+.thumb
+
+.func starttrigger
+.global starttrigger
+
+starttrigger:
+    push {r0-r7}
+    movs r4, #0xE0
+    lsls r4, #24
+    movs r5, #0x04
+    eors r4, r5
+    movs r5, #1
+    str r5, [r4, #0]
+    pop {r0-r7}
+bx lr
+
+.endfunc
+
+.func endtrigger
+.global endtrigger
+
+endtrigger:
+    push {r0-r7}
+    movs r4, #0xE0
+    lsls r4, #24
+    movs r5, #0x04
+    eors r4, r5
+    movs r5, #0
+    str r5, [r4, #0]
+    pop {r0-r7}
+bx lr
+
+.endfunc
+
+.func readbyte
+.global readbyte
+
+readbyte:
+    push {r0-r7}
+    movs r4, #0xE1
+    lsls r4, #24
+    ldr r1, [r4, #0]
+    strb r1, [r0, #0]
+    pop {r0-r7}
+
+bx lr
+
+.endfunc
+
+.func LoadN
+.global LoadN
+
+LoadN:
+    push {r0-r7}
+    movs r4, #0xE1
+    lsls r4, #24
+    movs r5, #0x10
+    eors r4, r5
+    ldr r1, [r4, #0]
+    str r1, [r0, #0]
+    pop {r0-r7}
+
+bx lr
+
+.endfunc
+
+.func randbyte
+.global randbyte
+
+randbyte:
+    push {r0-r7}
+    movs r4, #0xE1
+    lsls r4, #24
+    movs r5, #0x04
+    eors r4, r5
+    ldr r1, [r4, #0]
+    strb r1, [r0, #0]
+    pop {r0-r7}
+
+bx lr
+
+.endfunc
+
+.func getstart
+.global getstart
+
+getstart:
+    push {r0-r7}
+    movs r4, #0xE1
+    lsls r4, #24
+    movs r5, #0x08
+    eors r4, r5
+    ldr r1, [r4, #0]
+    str r1, [r0, #0]
+    pop {r0-r7}
+
+bx lr
+
+.endfunc
+
+
+.func getruncount
+.global getruncount
+
+getruncount:
+    push {r0-r7}
+    movs r4, #0xE1
+    lsls r4, #24
+    movs r5, #0x0C
+    eors r4, r5
+    ldr r1, [r4, #0]
+    str r1, [r0, #0]
+    pop {r0-r7}
+
+bx lr
+
+.endfunc
+
+
+
+.func printbyte
+.global printbyte
+
+printbyte:
+    push {r0-r7}
+    movs r4, #0xE0
+    lsls r4, #24
+    ldrb r5, [r0]
+    str r5, [r4]
+    pop {r0-r7}
+bx lr
+
+.endfunc
+
+.func endprogram
+.global endprogram
+
+endprogram:
+    push {r0-r7}
+    movs r4, #0xF0
+    lsls r4, #24
+    movs r5, #0
+
+    str r5, [r4]
+    pop {r0-r7}
+bx lr
+
+.endfunc
+
+.func initialisemaskflow
+.global initialisemaskflow
+
+# Takes address of key as input (r0)
+initialisemaskflow:
+    push {r0-r7}
+    movs r4, #0xE0
+    lsls r4, #24
+    movs r5, #0x40
+    eors r4, r5
+    str r0, [r4]
+    pop {r0-r7}
+bx lr
+
+.endfunc
+
+.func resetmaskflow
+.global resetmaskflow
+
+resetmaskflow:
+    push {r0-r7}
+    movs r4, #0xE0
+    lsls r4, #24
+    movs r5, #0x42
+    eors r4, r5
+    movs r5, #0
+    str r5, [r4]
+    pop {r0-r7}
+bx lr
+
+.endfunc
+
+.func setmaskflowstart
+.global setmaskflowstart
+
+# Takes r0 as start number
+
+setmaskflowstart:
+    push {r0-r7}
+    movs r4, #0xE0
+    lsls r4, #24
+    movs r5, #0x44
+    eors r4, r5
+    str r0, [r4]
+    pop {r0-r7}
+bx lr
+
+.endfunc
+
+.func resetdatafile
+.global resetdatafile
+
+resetdatafile:
+    push {r0-r7}
+    movs r4, #0xE0
+    lsls r4, #24
+    movs r5, #0x46
+    eors r4, r5
+    movs r5, #0
+    str r5, [r4]
+    pop {r0-r7}
+bx lr
+
+.endfunc

projects/Examples/KyberNTT/elmoasmfunctionsdef-extension.h

+#include "elmoasmfunctionsdef.h"
+
+// Extension of the ELMO API for 2-bytes types
+static void rand2bytes(uint16_t* elt) {
+  randbyte((uint8_t*) elt+1);
+  randbyte((uint8_t*) elt);
+}
+static void print2bytes(uint16_t* elt) {
+  printbyte((uint8_t*) elt+1);
+  printbyte((uint8_t*) elt);
+}
+static void read2bytes(uint16_t* elt) {
+  readbyte((uint8_t*) elt+1);
+  readbyte((uint8_t*) elt);
+}
+
+// Extension of the ELMO API for 4-bytes types
+static void rand4bytes(uint32_t* elt) {
+  randbyte((uint8_t*) elt+3);
+  randbyte((uint8_t*) elt+2);
+  randbyte((uint8_t*) elt+1);
+  randbyte((uint8_t*) elt);
+}
+static void print4bytes(uint32_t* elt) {
+  printbyte((uint8_t*) elt+3);
+  printbyte((uint8_t*) elt+2);
+  printbyte((uint8_t*) elt+1);
+  printbyte((uint8_t*) elt);
+}
+static void read4bytes(uint32_t* elt) {
+  readbyte((uint8_t*) elt+3);
+  readbyte((uint8_t*) elt+2);
+  readbyte((uint8_t*) elt+1);
+  readbyte((uint8_t*) elt);
+}

projects/Examples/KyberNTT/elmoasmfunctionsdef.h

+/*
+ * University of Bristol – Open Access Software Licence
+ * Copyright (c) 2016, The University of Bristol, a chartered
+ * corporation having Royal Charter number RC000648 and a charity
+ * (number X1121) and its place of administration being at Senate
+ * House, Tyndall Avenue, Bristol, BS8 1TH, United Kingdom.
+ * All rights reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Any use of the software for scientific publications or commercial
+ * purposes should be reported to the University of Bristol
+ * (OSI-notifications@bristol.ac.uk and quote reference 2668). This is
+ * for impact and usage monitoring purposes only.
+ *
+ * Enquiries about further applications and development opportunities
+ * are welcome. Please contact elisabeth.oswald@bristol.ac.uk
+ */
+
+extern void starttrigger(void);
+extern void endtrigger(void);
+extern void randbyte(unsigned char * pointer);
+extern void LoadN(void* addr);
+extern void readbyte(unsigned char * pointer);
+extern void printbyte(unsigned char * pointer);
+extern void endprogram(void);
+extern void getstart(unsigned int * pointer);
+extern void getruncount(unsigned int * pointer);
+extern void initialisemaskflow(unsigned char * pointer);
+extern void resetmaskflow(void);
+extern void setmaskflowstart(unsigned int start);
+extern void resetdatafile(void);

projects/Examples/KyberNTT/ntt.c

+#include <stdint.h>
+#include "params.h"
+#include "ntt.h"
+#include "reduce.h"
+
+int16_t zetas[128] = {
+  2285, 2571, 2970, 1812, 1493, 1422, 287, 202, 3158, 622, 1577, 182, 962, 2127, 1855, 1468, 
+  573, 2004, 264, 383, 2500, 1458, 1727, 3199, 2648, 1017, 732, 608, 1787, 411, 3124, 1758, 
+  1223, 652, 2777, 1015, 2036, 1491, 3047, 1785, 516, 3321, 3009, 2663, 1711, 2167, 126, 1469, 
+  2476, 3239, 3058, 830, 107, 1908, 3082, 2378, 2931, 961, 1821, 2604, 448, 2264, 677, 2054, 
+  2226, 430, 555, 843, 2078, 871, 1550, 105, 422, 587, 177, 3094, 3038, 2869, 1574, 1653, 
+  3083, 778, 1159, 3182, 2552, 1483, 2727, 1119, 1739, 644, 2457, 349, 418, 329, 3173, 3254, 
+  817, 1097, 603, 610, 1322, 2044, 1864, 384, 2114, 3193, 1218, 1994, 2455, 220, 2142, 1670, 
+  2144, 1799, 2051, 794, 1819, 2475, 2459, 478, 3221, 3021, 996, 991, 958, 1869, 1522, 1628};
+
+/*************************************************
+* Name:        fqmul
+*
+* Description: Multiplication followed by Montgomery reduction
+*
+* Arguments:   - int16_t a: first factor
+*              - int16_t b: second factor
+*
+* Returns 16-bit integer congruent to a*b*R^{-1} mod q
+**************************************************/
+static int16_t fqmul(int16_t a, int16_t b) {
+  return montgomery_reduce((int32_t)a*b);
+}
+
+/*************************************************
+* Name:        ntt
+*
+* Description: Inplace number-theoretic transform (NTT) in Rq
+*              input is in standard order, output is in bitreversed order
+*
+* Arguments:   - int16_t r[256]: pointer to input/output vector of elements of Zq
+**************************************************/
+void ntt(int16_t r[256]) {
+  unsigned int len, start, j, k;
+  int16_t t, zeta;
+
+  k = 1;
+  for(len = 128; len >= 2; len >>= 1) {
+    for(start = 0; start < 256; start = j + len) {
+      zeta = zetas[k++];
+      for(j = start; j < start + len; ++j) {
+        t = fqmul(zeta, r[j + len]);
+
+        r[j + len] = r[j] - t;
+        r[j] = r[j] + t;
+      }
+    }
+  }
+}
+

projects/Examples/KyberNTT/ntt.h

+#ifndef NTT_H
+#define NTT_H
+
+#include <stdint.h>
+
+extern int16_t zetas[128];
+
+void ntt(int16_t *poly);
+
+#endif

projects/Examples/KyberNTT/params.h

+#ifndef PARAMS_H
+#define PARAMS_H
+
+#ifndef KYBER_K
+#define KYBER_K 2 /* Change this for different security strengths */
+#endif
+
+/* Don't change parameters below this line */
+
+#define KYBER_N 256
+#define KYBER_Q 3329
+
+#define KYBER_ETA 2
+
+#define KYBER_SYMBYTES 32   /* size in bytes of hashes, and seeds */
+#define KYBER_SSBYTES  32   /* size in bytes of shared key */
+
+#define KYBER_POLYBYTES              384
+#define KYBER_POLYVECBYTES           (KYBER_K * KYBER_POLYBYTES)
+
+
+#if KYBER_K == 2
+#define KYBER_POLYCOMPRESSEDBYTES    96
+#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320)
+#elif KYBER_K == 3
+#define KYBER_POLYCOMPRESSEDBYTES    128
+#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320)
+#elif KYBER_K == 4
+#define KYBER_POLYCOMPRESSEDBYTES    160
+#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352)
+#endif
+
+#define KYBER_INDCPA_MSGBYTES       KYBER_SYMBYTES
+#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES)
+#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES)
+#define KYBER_INDCPA_BYTES          (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES)
+
+#define KYBER_PUBLICKEYBYTES  (KYBER_INDCPA_PUBLICKEYBYTES)
+#define KYBER_SECRETKEYBYTES  (KYBER_INDCPA_SECRETKEYBYTES +  KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) /* 32 bytes of additional space to save H(pk) */
+#define KYBER_CIPHERTEXTBYTES  KYBER_INDCPA_BYTES
+
+#endif

projects/Examples/KyberNTT/poly.c

+#include <stdint.h>
+#include "params.h"
+#include "poly.h"
+#include "ntt.h"
+#include "reduce.h"
+
+/*************************************************
+* Name:        poly_ntt
+*
+* Description: Computes negacyclic number-theoretic transform (NTT) of
+*              a polynomial in place;
+*              inputs assumed to be in normal order, output in bitreversed order
+*
+* Arguments:   - uint16_t *r: pointer to in/output polynomial
+**************************************************/
+void poly_ntt(poly *r)
+{
+  ntt(r->coeffs);
+  poly_reduce(r);
+}
+
+/*************************************************
+* Name:        poly_reduce
+*
+* Description: Applies Barrett reduction to all coefficients of a polynomial
+*              for details of the Barrett reduction see comments in reduce.c
+*
+* Arguments:   - poly *r:       pointer to input/output polynomial
+**************************************************/
+void poly_reduce(poly *r)
+{
+  int i;
+
+  for(i=0;i<KYBER_N;i++)
+    r->coeffs[i] = barrett_reduce(r->coeffs[i]);
+}
+
+

projects/Examples/KyberNTT/poly.h

+#ifndef POLY_H
+#define POLY_H
+
+#include <stdint.h>
+#include "params.h"
+
+/*
+ * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
+ * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
+ */
+typedef struct{
+  int16_t coeffs[KYBER_N];
+} poly;
+
+void poly_ntt(poly *r);
+
+void poly_reduce(poly *r);
+
+#endif

projects/Examples/KyberNTT/polyvec.c

+#include <stdint.h>
+#include "polyvec.h"
+#include "poly.h"
+
+/*************************************************
+* Name:        polyvec_ntt
+*
+* Description: Apply forward NTT to all elements of a vector of polynomials
+*
+* Arguments:   - polyvec *r: pointer to in/output vector of polynomials
+**************************************************/
+void polyvec_ntt(polyvec *r)
+{
+  int i;
+  for(i=0;i<KYBER_K;i++)
+    poly_ntt(&r->vec[i]);
+}

projects/Examples/KyberNTT/polyvec.h

+#ifndef POLYVEC_H
+#define POLYVEC_H
+
+#include "params.h"
+#include "poly.h"
+
+typedef struct{
+  poly vec[KYBER_K];
+} polyvec;
+
+void polyvec_ntt(polyvec *r);
+
+#endif

projects/Examples/KyberNTT/project.c

+#include <stdio.h>
+#include <stdlib.h>
+
+#include "elmoasmfunctionsdef-extension.h"
+
+// ELMO API :
+//  - printbyte(addr): Print single byte located at address 'addr' to output file;
+//  - randbyte(addr): Load byte of random to memory address 'addr';
+//  - readbyte(addr): Read byte from input file to address 'addr'.
+// ELMO API (extension) :
+//  - print2bytes, rand2bytes and read2bytes: idem, but for an address pointing on 2 bytes;
+//  - print4bytes, rand4bytes and read4bytes: idem, but for an address pointing on 4 bytes.
+
+#include "polyvec.h"
+#include "params.h"
+
+int main(void) {
+  uint16_t num_challenge, nb_challenges;
+  int j, k;
+  polyvec skpv;
+
+  read2bytes(&nb_challenges);
+  for(num_challenge=0; num_challenge<nb_challenges; num_challenge++) {
+
+    // Load the private vector s
+    for(j=0;j<KYBER_K;j++)
+      for(k=0;k<KYBER_N;k++)
+        read2bytes((uint16_t*) &skpv.vec[j].coeffs[k]);
+
+    starttrigger(); // To start a new trace
+
+    // Do the leaking operations here...
+    polyvec_ntt(&skpv);
+    
+    endtrigger(); // To end the current trace
+
+    // Print the results of the computation
+    for(j=0;j<KYBER_K;j++)
+      for(k=0;k<KYBER_N;k++)
+        print2bytes((uint16_t*) &skpv.vec[j].coeffs[k]);
+  }
+
+  endprogram(); // To indicate to ELMO that the simulation is finished
+
+  return 0;
+}

projects/Examples/KyberNTT/project.ld

+/*
+* University of Bristol – Open Access Software Licence
+* Copyright (c) 2016, The University of Bristol, a chartered
+* corporation having Royal Charter number RC000648 and a charity
+* (number X1121) and its place of administration being at Senate
+* House, Tyndall Avenue, Bristol, BS8 1TH, United Kingdom.
+* All rights reserved
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+* OF THE POSSIBILITY OF SUCH DAMAGE.
+*
+* Any use of the software for scientific publications or commercial
+* purposes should be reported to the University of Bristol
+* (OSI-notifications@bristol.ac.uk and quote reference 2668). This is
+* for impact and usage monitoring purposes only.
+*
+* Enquiries about further applications and development opportunities
+* are welcome. Please contact elisabeth.oswald@bristol.ac.uk
+*/
+
+/*
+ * This file was based on files that are part of the libopencm3 project.
+ * See below for licecning information.
+ *
+ * Copyright (C) 2009 Uwe Hermann <uwe@hermann-uwe.de>
+ * Copyright (C) 2011 Stephen Caudle <scaudle@doceme.com>
+ *
+ * This library is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* Linker script for ST STM32F0DISCOVERY (STM32F051R8T6, 64K flash, 8K RAM). */
+
+/* Define memory regions. */
+MEMORY
+{
+	rom (rx) : ORIGIN = 0x08000000, LENGTH = 64K
+	ram (rwx) : ORIGIN = 0x20000000, LENGTH = 8K
+}
+
+/* Generic linker script for STM32 targets using libopencm3. */
+
+/* Memory regions must be defined in the ld script which includes this one. */
+
+/* Enforce emmition of the vector table. */
+EXTERN (vector_table)
+
+/* Define the entry point of the output file. */
+ENTRY(reset_handler)
+
+/* Define sections. */
+SECTIONS
+{
+	.text : {
+		*(.vectors)	/* Vector table */
+		*(.text*)	/* Program code */
+		. = ALIGN(4);
+		*(.rodata*)	/* Read-only data */
+		. = ALIGN(4);
+	} >rom
+
+	/* C++ Static constructors/destructors, also used for __attribute__
+	 * ((constructor)) and the likes */
+	.preinit_array : {
+		. = ALIGN(4);
+		__preinit_array_start = .;
+		KEEP (*(.preinit_array))
+		__preinit_array_end = .;
+	} >rom
+	.init_array : {
+		. = ALIGN(4);
+		__init_array_start = .;
+		KEEP (*(SORT(.init_array.*)))
+		KEEP (*(.init_array))
+		__init_array_end = .;
+	} >rom
+	.fini_array : {
+		. = ALIGN(4);
+		__fini_array_start = .;
+		KEEP (*(.fini_array))
+		KEEP (*(SORT(.fini_array.*)))
+		__fini_array_end = .;
+	} >rom
+
+	/*
+	 * Another section used by C++ stuff, appears when using newlib with
+	 * 64bit (long long) printf support
+	 */
+	.ARM.extab : {
+		*(.ARM.extab*)
+	} >rom
+	.ARM.exidx : {
+		__exidx_start = .;
+		*(.ARM.exidx*)
+		__exidx_end = .;
+	} >rom
+
+	. = ALIGN(4);
+	_etext = .;
+
+	.data : {
+		_data = .;
+		*(.data*)	/* Read-write initialized data */
+		. = ALIGN(4);
+		_edata = .;
+	} >ram AT >rom
+	_data_loadaddr = LOADADDR(.data);
+
+	.bss : {
+		*(.bss*)	/* Read-write zero initialized data */
+		*(COMMON)
+		. = ALIGN(4);
+		_ebss = .;
+	} >ram
+
+	/*
+	 * The .eh_frame section appears to be used for C++ exception handling.
+	 * You may need to fix this if you're using C++.
+	 */
+	/DISCARD/ : { *(.eh_frame) }
+
+	. = ALIGN(4);
+	end = .;
+}
+
+PROVIDE(_stack = ORIGIN(ram) + LENGTH(ram));
+

projects/Examples/KyberNTT/projectclass.py

+class KyberNTTSimulation(SimulationProject):
+    @classmethod
+    def get_binary(cl):
+        return 'project.bin'
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+    def set_input(self, input):
+        """ Write into the 'input' file of ELMO tool
+                the parameters and the challenges for the simulation """
+        super().set_input(input)
+
+    def set_input_for_each_challenge(self, input, challenge):
+        """ Write into the 'input' file of ELMO tool
+                the 'challenge' for the simulation """
+        secret = challenge
+
+        # Write the secret vector
+        for j in range(2): #k=2 for Kyber512
+            for k in range(256): #n=256 for Kyber512
+                write(input, secret[j,k])

projects/Examples/KyberNTT/reduce.c

+#include <stdint.h>
+#include "params.h"
+#include "reduce.h"
+
+/*************************************************
+* Name:        montgomery_reduce
+*
+* Description: Montgomery reduction; given a 32-bit integer a, computes
+*              16-bit integer congruent to a * R^-1 mod q,
+*              where R=2^16
+*
+* Arguments:   - int32_t a: input integer to be reduced; has to be in {-q2^15,...,q2^15-1}
+*
+* Returns:     integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q.
+**************************************************/
+int16_t montgomery_reduce(int32_t a)
+{
+  int32_t t;
+  int16_t u;
+
+  u = a * QINV;
+  t = (int32_t)u * KYBER_Q;
+  t = a - t;
+  t >>= 16;
+  return t;
+}
+
+/*************************************************
+* Name:        barrett_reduce
+*
+* Description: Barrett reduction; given a 16-bit integer a, computes
+*              16-bit integer congruent to a mod q in {0,...,q}
+*
+* Arguments:   - int16_t a: input integer to be reduced
+*
+* Returns:     integer in {0,...,q} congruent to a modulo q.
+**************************************************/
+int16_t barrett_reduce(int16_t a) {
+  int32_t t;
+  const int32_t v = (1U << 26)/KYBER_Q + 1;
+
+  t = v*a;
+  t >>= 26;
+  t *= KYBER_Q;
+  return a - t;
+}

projects/Examples/KyberNTT/reduce.h

+#ifndef REDUCE_H
+#define REDUCE_H
+
+#include <stdint.h>
+
+#define MONT 2285 // 2^16 % Q
+#define QINV 62209 // q^(-1) mod 2^16
+
+int16_t montgomery_reduce(int32_t a);
+
+int16_t barrett_reduce(int16_t a);
+
+#endif