Fix Nwd

faest-sign · Feb 6, 2025 · d5e7693 · d5e7693
1 parent e85cf4c
commit d5e7693
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/aes.c b/aes.c
@@ -413,6 +413,7 @@ uint8_t* aes_extend_witness(const uint8_t* key, const uint8_t* in, const faest_p
   const unsigned int l          = params->faest_param.l;
   const unsigned int S_ke       = params->faest_param.Ske;
   const unsigned int num_rounds = params->faest_param.R;
+  const unsigned int nk         = lambda / 32;
 
   uint8_t* w           = malloc((l + 7) / 8);
   uint8_t* const w_out = w;
@@ -470,12 +471,12 @@ uint8_t* aes_extend_witness(const uint8_t* key, const uint8_t* in, const faest_p
   // Step 4
   if (!faest_is_em(params)) {
     // Key schedule constraints only needed for normal AES, not EM variant.
-    for (unsigned int i = 0; i != params->faest_param.Nwd; ++i) {
+    for (unsigned int i = 0; i != nk; ++i) {
       memcpy(w, round_keys.round_keys[i / 4][i % 4], sizeof(aes_word_t));
       w += sizeof(aes_word_t);
     }
 
-    for (unsigned int j = 0, ik = params->faest_param.Nwd; j < S_ke / 4; ++j) {
+    for (unsigned int j = 0, ik = nk; j < S_ke / 4; ++j) {
       memcpy(w, round_keys.round_keys[ik / 4][ik % 4], sizeof(aes_word_t));
       w += sizeof(aes_word_t);
       ik += lambda == 192 ? 6 : 4;

diff --git a/meson.build b/meson.build
@@ -215,7 +215,7 @@ param_192s = configuration_data()
 param_192s.set('PARAM', '192S')
 param_192s.set('PARAM_L', '192s')
 param_192s.set('LAMBDA', 192)
-param_192s.set('Nwd', 6)
+param_192s.set('Nwd', 4)
 param_192s.set('Ske', 32)
 param_192s.set('R', 12)
 param_192s.set('Senc', 192)
@@ -239,7 +239,7 @@ param_192f = configuration_data()
 param_192f.set('PARAM', '192F')
 param_192f.set('PARAM_L', '192f')
 param_192f.set('LAMBDA', 192)
-param_192f.set('Nwd', 6)
+param_192f.set('Nwd', 4)
 param_192f.set('Ske', 32)
 param_192f.set('R', 12)
 param_192f.set('Senc', 192)
@@ -311,7 +311,7 @@ param_256s = configuration_data()
 param_256s.set('PARAM', '256S')
 param_256s.set('PARAM_L', '256s')
 param_256s.set('LAMBDA', 256)
-param_256s.set('Nwd', 8)
+param_256s.set('Nwd', 4)
 param_256s.set('Ske', 52)
 param_256s.set('R', 14)
 param_256s.set('Senc', 224)
@@ -335,7 +335,7 @@ param_256f = configuration_data()
 param_256f.set('PARAM', '256F')
 param_256f.set('PARAM_L', '256f')
 param_256f.set('LAMBDA', 256)
-param_256f.set('Nwd', 8)
+param_256f.set('Nwd', 4)
 param_256f.set('Ske', 52)
 param_256f.set('R', 14)
 param_256f.set('Senc', 224)