author | Jack Lloyd <[email protected]> | 2016-08-29 15:35:29 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-08-30 07:39:25 -0400 |
commit | 5739c41504f8193b71e3b0ff6fbe9a508f3ece6a (patch) | |
tree | d588cf58066000779d2017fd61fa88d61cd2d129 /src/lib/hash | |
parent | a09d2df0885137ea6d7af181e3bcc823412850d8 (diff) |
Add NEWHOPE KEM scheme
Provides conjectured 200-bit security against a quantum attacker.
Based on the public domain reference implementation at
https://github.com/tpoeppelmann/newhope and bit-for-bit
compatible with that version.
Test vectors generated by the reference testvector.c
Diffstat (limited to 'src/lib/hash')
-rw-r--r-- | src/lib/hash/keccak/keccak.cpp | 9 | ||||
-rw-r--r-- | src/lib/hash/keccak/keccak.h | 6 |
2 files changed, 9 insertions, 6 deletions
diff --git a/src/lib/hash/keccak/keccak.cpp b/src/lib/hash/keccak/keccak.cpp index 44297dcef..e8bda068d 100644 --- a/src/lib/hash/keccak/keccak.cpp +++ b/src/lib/hash/keccak/keccak.cpp @@ -11,9 +11,8 @@ namespace Botan { -namespace { - -void keccak_f_1600(u64bit A[25]) +//static +void Keccak_1600::permute(u64bit A[25]) { static const u64bit RC[24] = { 0x0000000000000001, 0x0000000000008082, 0x800000000000808A, @@ -96,8 +95,6 @@ void keccak_f_1600(u64bit A[25]) } } -} - Keccak_1600::Keccak_1600(size_t output_bits) : m_output_bits(output_bits), m_bitrate(1600 - 2*output_bits), @@ -167,7 +164,7 @@ void Keccak_1600::add_data(const byte input[], size_t length) if(m_S_pos == m_bitrate / 8) { - keccak_f_1600(m_S.data()); + Keccak_1600::permute(m_S.data()); m_S_pos = 0; } } diff --git a/src/lib/hash/keccak/keccak.h b/src/lib/hash/keccak/keccak.h index a73595d6a..a66142d8c 100644 --- a/src/lib/hash/keccak/keccak.h +++ b/src/lib/hash/keccak/keccak.h @@ -33,6 +33,12 @@ class BOTAN_DLL Keccak_1600 final : public HashFunction HashFunction* clone() const override; std::string name() const override; void clear() override; + + /** + * The bare Keccak-1600 permutation + */ + static void permute(u64bit A[25]); + private: void add_data(const byte input[], size_t length) override; void final_result(byte out[]) override; |
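Review bot: `Keccak_1600::permute(u64bit A[25])` is now a public static member of a `BOTAN_DLL` class, but the `[25]` in the parameter is not enforced by the compiler (the argument is a plain `u64bit*`), so a caller outside this file can pass a shorter buffer; the only call visible here, in `add_data`, passes `m_S.data()`. The body of the permutation lies mostly outside this hunk, so the risk of reading and writing past a short buffer is inferred from the signature rather than read off the round code. The doc comment added in the keccak.h hunk should carry the contract, for example `@param A the 1600-bit state as 25 64-bit words, permuted in place; the caller must supply all 25`. The leading `//static` line would read better as a sentence saying why the function is no longer file-local, or it could be dropped.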