Merge branch 'nist-submission-round-2' into lenerd/debug

faest_aes.c

@@ -3763,7 +3763,7 @@ static void aes_192_prover(uint8_t* a0_tilde, uint8_t* a1_tilde, uint8_t* a2_til
   unsigned int ell = params->faest_param.l;
 
   // ::1-5
-  // V becomes the w_tag
+  // V becomes the w_tag: ell + 2*lambda field elements
   bf192_t* w_tag = column_to_row_major_and_shrink_V_192(V, ell); // This is the tag for w
 
   // ::6-7 embed VOLE masks
@@ -3805,9 +3805,9 @@ static void aes_192_prover(uint8_t* a0_tilde, uint8_t* a1_tilde, uint8_t* a2_til
   free(z1_val);
   free(z2_gamma);
 
-  zk_hash_192_finalize(a0_tilde, &a0_ctx, bf_u_star_0);
-  zk_hash_192_finalize(a1_tilde, &a1_ctx, bf192_add(bf_v_star_0, bf_u_star_1));
-  zk_hash_192_finalize(a2_tilde, &a2_ctx, bf_v_star_1);
+  zk_hash_192_finalize(a0_tilde, &a0_ctx, bf_v_star_0);
+  zk_hash_192_finalize(a1_tilde, &a1_ctx, bf192_add(bf_u_star_0, bf_v_star_1));
+  zk_hash_192_finalize(a2_tilde, &a2_ctx, bf_u_star_1);
 
   free(bf_u_bits);
   free(w_tag);
@@ -3820,7 +3820,7 @@ static void aes_256_prover(uint8_t* a0_tilde, uint8_t* a1_tilde, uint8_t* a2_til
   unsigned int ell = params->faest_param.l;
 
   // ::1-5
-  // V becomes the w_tag
+  // V becomes the w_tag: ell + 2*lambda field elements
   bf256_t* w_tag = column_to_row_major_and_shrink_V_256(V, ell); // This is the tag for w
 
   // ::6-7 embed VOLE masks
@@ -3863,9 +3863,9 @@ static void aes_256_prover(uint8_t* a0_tilde, uint8_t* a1_tilde, uint8_t* a2_til
   free(z1_val);
   free(z2_gamma);
 
-  zk_hash_256_finalize(a0_tilde, &a0_ctx, bf_u_star_0);
-  zk_hash_256_finalize(a1_tilde, &a1_ctx, bf256_add(bf_v_star_0, bf_u_star_1));
-  zk_hash_256_finalize(a2_tilde, &a2_ctx, bf_v_star_1);
+  zk_hash_256_finalize(a0_tilde, &a0_ctx, bf_v_star_0);
+  zk_hash_256_finalize(a1_tilde, &a1_ctx, bf256_add(bf_u_star_0, bf_v_star_1));
+  zk_hash_256_finalize(a2_tilde, &a2_ctx, bf_u_star_1);
 
   free(bf_u_bits);
   free(w_tag);