Authors : Cyrius NUGIER and Remi ADELIN Institute : LAAS-CNRS, INSA Toulouse, Univ Toulouse, FRANCE

This git contains a DH and a KEM implementation of 3 different versions of the Megrelishvili protocol.

1. "phsmat256b" One base version, a priori faster that is not constant-time coded.
2. "phsmat256t" Constant time version, with square-and-always-multiply and vector-matrix multiplication not based on the vector's density.
3. "phsmat256s" Sparse implementation, where the multiply step are done with a faster sparse matrix multiplication.

Everything should comply to be benchmarked with SUPERCOP-20200906

The Megrelishvili portocol is a Principal Homogeneous Space (Couveignes) The Group is generated by a maximal multiplicative order binary GL(256,2) matrix, and composition It acts simply transitively on the set of all length 256 binary vectors. Secutity is provably equivalent to Dlog.