From 52750b86b1c59bdef4de57e9aa5ecc61df586b92 Mon Sep 17 00:00:00 2001 From: "John M. Schanck" Date: Tue, 9 Feb 2021 10:13:25 -0500 Subject: [PATCH 1/2] Pull Dilithium changes from upstream --- crypto_sign/dilithium2/META.yml | 10 +- crypto_sign/dilithium2/avx2/api.h | 2 +- crypto_sign/dilithium2/avx2/packing.c | 12 +- crypto_sign/dilithium2/avx2/packing.h | 4 +- crypto_sign/dilithium2/avx2/params.h | 4 +- crypto_sign/dilithium2/avx2/poly.c | 116 +++++++++--------- crypto_sign/dilithium2/avx2/poly.h | 6 +- crypto_sign/dilithium2/avx2/polyvec.c | 6 +- crypto_sign/dilithium2/avx2/polyvec.h | 6 +- crypto_sign/dilithium2/avx2/rejsample.h | 4 +- crypto_sign/dilithium2/avx2/sign.c | 32 ++--- crypto_sign/dilithium2/avx2/symmetric.h | 21 +--- crypto_sign/dilithium2/clean/api.h | 2 +- crypto_sign/dilithium2/clean/packing.c | 12 +- crypto_sign/dilithium2/clean/packing.h | 4 +- crypto_sign/dilithium2/clean/params.h | 4 +- crypto_sign/dilithium2/clean/poly.c | 22 ++-- crypto_sign/dilithium2/clean/poly.h | 2 +- crypto_sign/dilithium2/clean/polyvec.c | 4 +- crypto_sign/dilithium2/clean/polyvec.h | 4 +- crypto_sign/dilithium2/clean/sign.c | 28 ++--- crypto_sign/dilithium2/clean/symmetric.h | 1 - crypto_sign/dilithium2aes/META.yml | 10 +- crypto_sign/dilithium2aes/avx2/api.h | 2 +- crypto_sign/dilithium2aes/avx2/packing.c | 12 +- crypto_sign/dilithium2aes/avx2/packing.h | 4 +- crypto_sign/dilithium2aes/avx2/params.h | 4 +- crypto_sign/dilithium2aes/avx2/poly.c | 20 +-- crypto_sign/dilithium2aes/avx2/poly.h | 4 +- crypto_sign/dilithium2aes/avx2/polyvec.c | 6 +- crypto_sign/dilithium2aes/avx2/polyvec.h | 6 +- crypto_sign/dilithium2aes/avx2/rejsample.h | 4 +- crypto_sign/dilithium2aes/avx2/sign.c | 32 ++--- crypto_sign/dilithium2aes/avx2/symmetric.h | 1 - crypto_sign/dilithium2aes/clean/api.h | 2 +- crypto_sign/dilithium2aes/clean/packing.c | 12 +- crypto_sign/dilithium2aes/clean/packing.h | 4 +- crypto_sign/dilithium2aes/clean/params.h | 4 +- crypto_sign/dilithium2aes/clean/poly.c | 22 ++-- crypto_sign/dilithium2aes/clean/poly.h | 2 +- crypto_sign/dilithium2aes/clean/polyvec.c | 4 +- crypto_sign/dilithium2aes/clean/polyvec.h | 4 +- crypto_sign/dilithium2aes/clean/sign.c | 28 ++--- crypto_sign/dilithium2aes/clean/symmetric.h | 1 - crypto_sign/dilithium3/META.yml | 10 +- crypto_sign/dilithium3/avx2/api.h | 3 +- crypto_sign/dilithium3/avx2/packing.c | 12 +- crypto_sign/dilithium3/avx2/packing.h | 4 +- crypto_sign/dilithium3/avx2/params.h | 4 +- crypto_sign/dilithium3/avx2/poly.c | 116 +++++++++--------- crypto_sign/dilithium3/avx2/poly.h | 6 +- crypto_sign/dilithium3/avx2/polyvec.c | 6 +- crypto_sign/dilithium3/avx2/polyvec.h | 6 +- crypto_sign/dilithium3/avx2/rejsample.h | 4 +- crypto_sign/dilithium3/avx2/sign.c | 32 ++--- crypto_sign/dilithium3/avx2/symmetric.h | 21 +--- crypto_sign/dilithium3/clean/api.h | 3 +- crypto_sign/dilithium3/clean/packing.c | 12 +- crypto_sign/dilithium3/clean/packing.h | 4 +- crypto_sign/dilithium3/clean/params.h | 4 +- crypto_sign/dilithium3/clean/poly.c | 22 ++-- crypto_sign/dilithium3/clean/poly.h | 2 +- crypto_sign/dilithium3/clean/polyvec.c | 4 +- crypto_sign/dilithium3/clean/polyvec.h | 4 +- crypto_sign/dilithium3/clean/sign.c | 28 ++--- crypto_sign/dilithium3/clean/symmetric.h | 1 - crypto_sign/dilithium3aes/META.yml | 10 +- crypto_sign/dilithium3aes/avx2/api.h | 3 +- crypto_sign/dilithium3aes/avx2/packing.c | 12 +- crypto_sign/dilithium3aes/avx2/packing.h | 4 +- crypto_sign/dilithium3aes/avx2/params.h | 4 +- crypto_sign/dilithium3aes/avx2/poly.c | 20 +-- crypto_sign/dilithium3aes/avx2/poly.h | 4 +- crypto_sign/dilithium3aes/avx2/polyvec.c | 6 +- crypto_sign/dilithium3aes/avx2/polyvec.h | 6 +- crypto_sign/dilithium3aes/avx2/rejsample.h | 4 +- crypto_sign/dilithium3aes/avx2/sign.c | 32 ++--- crypto_sign/dilithium3aes/avx2/symmetric.h | 1 - crypto_sign/dilithium3aes/clean/api.h | 3 +- crypto_sign/dilithium3aes/clean/packing.c | 12 +- crypto_sign/dilithium3aes/clean/packing.h | 4 +- crypto_sign/dilithium3aes/clean/params.h | 4 +- crypto_sign/dilithium3aes/clean/poly.c | 22 ++-- crypto_sign/dilithium3aes/clean/poly.h | 2 +- crypto_sign/dilithium3aes/clean/polyvec.c | 4 +- crypto_sign/dilithium3aes/clean/polyvec.h | 4 +- crypto_sign/dilithium3aes/clean/sign.c | 28 ++--- crypto_sign/dilithium3aes/clean/symmetric.h | 1 - crypto_sign/dilithium5/META.yml | 10 +- crypto_sign/dilithium5/avx2/api.h | 2 +- crypto_sign/dilithium5/avx2/packing.c | 12 +- crypto_sign/dilithium5/avx2/packing.h | 4 +- crypto_sign/dilithium5/avx2/params.h | 4 +- crypto_sign/dilithium5/avx2/poly.c | 116 +++++++++--------- crypto_sign/dilithium5/avx2/poly.h | 6 +- crypto_sign/dilithium5/avx2/polyvec.c | 6 +- crypto_sign/dilithium5/avx2/polyvec.h | 6 +- crypto_sign/dilithium5/avx2/rejsample.h | 4 +- crypto_sign/dilithium5/avx2/sign.c | 32 ++--- crypto_sign/dilithium5/avx2/symmetric.h | 21 +--- crypto_sign/dilithium5/clean/api.h | 2 +- crypto_sign/dilithium5/clean/packing.c | 12 +- crypto_sign/dilithium5/clean/packing.h | 4 +- crypto_sign/dilithium5/clean/params.h | 4 +- crypto_sign/dilithium5/clean/poly.c | 22 ++-- crypto_sign/dilithium5/clean/poly.h | 2 +- crypto_sign/dilithium5/clean/polyvec.c | 4 +- crypto_sign/dilithium5/clean/polyvec.h | 4 +- crypto_sign/dilithium5/clean/sign.c | 28 ++--- crypto_sign/dilithium5/clean/symmetric.h | 1 - crypto_sign/dilithium5aes/META.yml | 10 +- crypto_sign/dilithium5aes/avx2/api.h | 2 +- crypto_sign/dilithium5aes/avx2/packing.c | 12 +- crypto_sign/dilithium5aes/avx2/packing.h | 4 +- crypto_sign/dilithium5aes/avx2/params.h | 4 +- crypto_sign/dilithium5aes/avx2/poly.c | 20 +-- crypto_sign/dilithium5aes/avx2/poly.h | 4 +- crypto_sign/dilithium5aes/avx2/polyvec.c | 6 +- crypto_sign/dilithium5aes/avx2/polyvec.h | 6 +- crypto_sign/dilithium5aes/avx2/rejsample.h | 4 +- crypto_sign/dilithium5aes/avx2/sign.c | 32 ++--- crypto_sign/dilithium5aes/avx2/symmetric.h | 1 - crypto_sign/dilithium5aes/clean/api.h | 2 +- crypto_sign/dilithium5aes/clean/packing.c | 12 +- crypto_sign/dilithium5aes/clean/packing.h | 4 +- crypto_sign/dilithium5aes/clean/params.h | 4 +- crypto_sign/dilithium5aes/clean/poly.c | 22 ++-- crypto_sign/dilithium5aes/clean/poly.h | 2 +- crypto_sign/dilithium5aes/clean/polyvec.c | 4 +- crypto_sign/dilithium5aes/clean/polyvec.h | 4 +- crypto_sign/dilithium5aes/clean/sign.c | 28 ++--- crypto_sign/dilithium5aes/clean/symmetric.h | 1 - .../duplicate_consistency/dilithium2_avx2.yml | 3 - .../dilithium2_clean.yml | 3 - .../duplicate_consistency/dilithium3_avx2.yml | 3 - .../dilithium3_clean.yml | 3 - .../duplicate_consistency/dilithium5_avx2.yml | 3 - .../dilithium5_clean.yml | 3 - 138 files changed, 729 insertions(+), 775 deletions(-) diff --git a/crypto_sign/dilithium2/META.yml b/crypto_sign/dilithium2/META.yml index 0249aac7..42113b8f 100644 --- a/crypto_sign/dilithium2/META.yml +++ b/crypto_sign/dilithium2/META.yml @@ -2,10 +2,10 @@ name: Dilithium2 type: signature claimed-nist-level: 2 length-public-key: 1312 -length-secret-key: 2544 +length-secret-key: 2528 length-signature: 2420 -nistkat-sha256: 9c636528bf81c03df6ad8f9471cb1b4d9097d66af825d4f60b7ff0d941ca4d37 -testvectors-sha256: 166fc2481358d5a1b7a528b30af36ad069b049b5755cf63b843ce0f25f35aeb6 +nistkat-sha256: faa8998108fa541309c9df5044018c5d26cc23654594bef639dd64b838646cbd +testvectors-sha256: 84f3da742881007e3d1d29c7390c7d707261ab8b20068a22b728e38e2fbac94b principal-submitters: - Vadim Lyubashevsky auxiliary-submitters: @@ -17,9 +17,9 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: clean - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium - name: avx2 - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium supported_platforms: - architecture: x86_64 operating_systems: diff --git a/crypto_sign/dilithium2/avx2/api.h b/crypto_sign/dilithium2/avx2/api.h index 7eaf76b3..c4b4a731 100644 --- a/crypto_sign/dilithium2/avx2/api.h +++ b/crypto_sign/dilithium2/avx2/api.h @@ -5,7 +5,7 @@ #include #define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES 1312 -#define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES 2544 +#define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES 2528 #define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_BYTES 2420 #define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_ALGNAME "Dilithium2" diff --git a/crypto_sign/dilithium2/avx2/packing.c b/crypto_sign/dilithium2/avx2/packing.c index d6fafe43..5fd05dfe 100644 --- a/crypto_sign/dilithium2/avx2/packing.c +++ b/crypto_sign/dilithium2/avx2/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM2_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM2_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM2_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_S } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM2_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_S * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM2_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM2_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM2_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium2/avx2/packing.h b/crypto_sign/dilithium2/avx2/packing.h index 12400f09..0a2e5ad9 100644 --- a/crypto_sign/dilithium2/avx2/packing.h +++ b/crypto_sign/dilithium2/avx2/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM2_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_P void PQCLEAN_DILITHIUM2_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM2_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2_AVX2_CRYPTO void PQCLEAN_DILITHIUM2_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM2_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium2/avx2/params.h b/crypto_sign/dilithium2/avx2/params.h index 6556cc70..b874a4a5 100644 --- a/crypto_sign/dilithium2/avx2/params.h +++ b/crypto_sign/dilithium2/avx2/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 96 #define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium2/avx2/poly.c b/crypto_sign/dilithium2/avx2/poly.c index 113e5fca..ae3e728a 100644 --- a/crypto_sign/dilithium2/avx2/poly.c +++ b/crypto_sign/dilithium2/avx2/poly.c @@ -507,34 +507,34 @@ static unsigned int rej_eta(int32_t *a, * or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) { +void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) { unsigned int ctr; - ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf; + ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf; - stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); + stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); ctr = PQCLEAN_DILITHIUM2_AVX2_rej_eta_avx(a->coeffs, buf.coeffs); while (ctr < N) { - stream128_squeezeblocks(buf.coeffs, 1, state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf.coeffs, 1, state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES); } } -void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - stream128_state state; - stream128_init(&state, seed, nonce); +void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) { + stream256_state state; + stream256_init(&state, seed, nonce); PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(a, &state); - stream128_release(&state); + stream256_release(&state); } void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_4x(poly *a0, poly *a1, poly *a2, poly *a3, - const uint8_t seed[32], + const uint8_t seed[64], uint16_t nonce0, uint16_t nonce1, uint16_t nonce2, @@ -545,23 +545,28 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_4x(poly *a0, __m256i f; keccakx4_state state; - f = _mm256_loadu_si256((__m256i *)seed); - _mm256_store_si256(buf[0].vec, f); - _mm256_store_si256(buf[1].vec, f); - _mm256_store_si256(buf[2].vec, f); - _mm256_store_si256(buf[3].vec, f); - - buf[0].coeffs[SEEDBYTES + 0] = nonce0; - buf[0].coeffs[SEEDBYTES + 1] = nonce0 >> 8; - buf[1].coeffs[SEEDBYTES + 0] = nonce1; - buf[1].coeffs[SEEDBYTES + 1] = nonce1 >> 8; - buf[2].coeffs[SEEDBYTES + 0] = nonce2; - buf[2].coeffs[SEEDBYTES + 1] = nonce2 >> 8; - buf[3].coeffs[SEEDBYTES + 0] = nonce3; - buf[3].coeffs[SEEDBYTES + 1] = nonce3 >> 8; - - PQCLEAN_DILITHIUM2_AVX2_shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2); - PQCLEAN_DILITHIUM2_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state); + f = _mm256_loadu_si256((__m256i *)&seed[0]); + _mm256_store_si256(&buf[0].vec[0], f); + _mm256_store_si256(&buf[1].vec[0], f); + _mm256_store_si256(&buf[2].vec[0], f); + _mm256_store_si256(&buf[3].vec[0], f); + f = _mm256_loadu_si256((__m256i *)&seed[32]); + _mm256_store_si256(&buf[0].vec[1], f); + _mm256_store_si256(&buf[1].vec[1], f); + _mm256_store_si256(&buf[2].vec[1], f); + _mm256_store_si256(&buf[3].vec[1], f); + + buf[0].coeffs[64] = nonce0; + buf[0].coeffs[65] = nonce0 >> 8; + buf[1].coeffs[64] = nonce1; + buf[1].coeffs[65] = nonce1 >> 8; + buf[2].coeffs[64] = nonce2; + buf[2].coeffs[65] = nonce2 >> 8; + buf[3].coeffs[64] = nonce3; + buf[3].coeffs[65] = nonce3 >> 8; + + PQCLEAN_DILITHIUM2_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); + PQCLEAN_DILITHIUM2_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state); ctr0 = PQCLEAN_DILITHIUM2_AVX2_rej_eta_avx(a0->coeffs, buf[0].coeffs); ctr1 = PQCLEAN_DILITHIUM2_AVX2_rej_eta_avx(a1->coeffs, buf[1].coeffs); @@ -569,12 +574,12 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_4x(poly *a0, ctr3 = PQCLEAN_DILITHIUM2_AVX2_rej_eta_avx(a3->coeffs, buf[3].coeffs); while (ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) { - PQCLEAN_DILITHIUM2_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state); + PQCLEAN_DILITHIUM2_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state); - ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE); - ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE); - ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE); - ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE); + ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE); + ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE); + ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE); + ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE); } } @@ -608,7 +613,7 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1_4x(poly *a0, poly *a1, poly *a2, poly *a3, - const uint8_t seed[48], + const uint8_t seed[64], uint16_t nonce0, uint16_t nonce1, uint16_t nonce2, @@ -616,29 +621,28 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1_4x(poly *a0, ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES + 14) buf[4]; keccakx4_state state; __m256i f; - __m128i g; - f = _mm256_loadu_si256((__m256i *)seed); - _mm256_store_si256(buf[0].vec, f); - _mm256_store_si256(buf[1].vec, f); - _mm256_store_si256(buf[2].vec, f); - _mm256_store_si256(buf[3].vec, f); - g = _mm_loadu_si128((__m128i *)&seed[32]); - _mm_store_si128((__m128i *)&buf[0].vec[1], g); - _mm_store_si128((__m128i *)&buf[1].vec[1], g); - _mm_store_si128((__m128i *)&buf[2].vec[1], g); - _mm_store_si128((__m128i *)&buf[3].vec[1], g); - - buf[0].coeffs[CRHBYTES + 0] = nonce0; - buf[0].coeffs[CRHBYTES + 1] = nonce0 >> 8; - buf[1].coeffs[CRHBYTES + 0] = nonce1; - buf[1].coeffs[CRHBYTES + 1] = nonce1 >> 8; - buf[2].coeffs[CRHBYTES + 0] = nonce2; - buf[2].coeffs[CRHBYTES + 1] = nonce2 >> 8; - buf[3].coeffs[CRHBYTES + 0] = nonce3; - buf[3].coeffs[CRHBYTES + 1] = nonce3 >> 8; - - PQCLEAN_DILITHIUM2_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, CRHBYTES + 2); + f = _mm256_loadu_si256((__m256i *)&seed[0]); + _mm256_store_si256(&buf[0].vec[0], f); + _mm256_store_si256(&buf[1].vec[0], f); + _mm256_store_si256(&buf[2].vec[0], f); + _mm256_store_si256(&buf[3].vec[0], f); + f = _mm256_loadu_si256((__m256i *)&seed[32]); + _mm256_store_si256(&buf[0].vec[1], f); + _mm256_store_si256(&buf[1].vec[1], f); + _mm256_store_si256(&buf[2].vec[1], f); + _mm256_store_si256(&buf[3].vec[1], f); + + buf[0].coeffs[64] = nonce0; + buf[0].coeffs[65] = nonce0 >> 8; + buf[1].coeffs[64] = nonce1; + buf[1].coeffs[65] = nonce1 >> 8; + buf[2].coeffs[64] = nonce2; + buf[2].coeffs[65] = nonce2 >> 8; + buf[3].coeffs[64] = nonce3; + buf[3].coeffs[65] = nonce3 >> 8; + + PQCLEAN_DILITHIUM2_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); PQCLEAN_DILITHIUM2_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); PQCLEAN_DILITHIUM2_AVX2_polyz_unpack(a0, buf[0].coeffs); diff --git a/crypto_sign/dilithium2/avx2/poly.h b/crypto_sign/dilithium2/avx2/poly.h index 8310e4a1..e55bcbc9 100644 --- a/crypto_sign/dilithium2/avx2/poly.h +++ b/crypto_sign/dilithium2/avx2/poly.h @@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h int PQCLEAN_DILITHIUM2_AVX2_poly_chknorm(const poly *a, int32_t B); void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_preinit(poly *a, stream128_state *state); void PQCLEAN_DILITHIUM2_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state); -void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state); +void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state); void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); @@ -47,7 +47,7 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_4x(poly *a0, poly *a1, poly *a2, poly *a3, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce0, uint16_t nonce1, uint16_t nonce2, diff --git a/crypto_sign/dilithium2/avx2/polyvec.c b/crypto_sign/dilithium2/avx2/polyvec.c index 9b989246..21674e42 100644 --- a/crypto_sign/dilithium2/avx2/polyvec.c +++ b/crypto_sign/dilithium2/avx2/polyvec.c @@ -74,7 +74,7 @@ void PQCLEAN_DILITHIUM2_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, co /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -82,7 +82,7 @@ void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t see } } -void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -207,7 +207,7 @@ int PQCLEAN_DILITHIUM2_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound) /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM2_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium2/avx2/polyvec.h b/crypto_sign/dilithium2/avx2/polyvec.h index ee8b05ff..d8d82c14 100644 --- a/crypto_sign/dilithium2/avx2/polyvec.h +++ b/crypto_sign/dilithium2/avx2/polyvec.h @@ -9,9 +9,9 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2_AVX2_polyvecl_reduce(polyvecl *v); @@ -33,7 +33,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM2_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2_AVX2_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM2_AVX2_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium2/avx2/rejsample.h b/crypto_sign/dilithium2/avx2/rejsample.h index f7f3cbb3..6f2145c6 100644 --- a/crypto_sign/dilithium2/avx2/rejsample.h +++ b/crypto_sign/dilithium2/avx2/rejsample.h @@ -7,8 +7,8 @@ #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_NBLOCKS ((137+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES) +#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES) +#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES) extern const uint8_t PQCLEAN_DILITHIUM2_AVX2_idxlut[256][8]; diff --git a/crypto_sign/dilithium2/avx2/sign.c b/crypto_sign/dilithium2/avx2/sign.c index 5dcf7261..76a3cf06 100644 --- a/crypto_sign/dilithium2/avx2/sign.c +++ b/crypto_sign/dilithium2/avx2/sign.c @@ -45,7 +45,7 @@ static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], co **************************************************/ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { unsigned int i; - uint8_t seedbuf[3 * SEEDBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl rowbuf[2]; polyvecl s1, *row = rowbuf; @@ -54,10 +54,10 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Store rho, key */ memcpy(pk, rho, SEEDBYTES); @@ -70,10 +70,10 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Pack secret vectors */ for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); + PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); } for (i = 0; i < K; i++) { - PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); + PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); } /* Transform s1 */ @@ -95,11 +95,11 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM2_AVX2_poly_caddq(&t1); PQCLEAN_DILITHIUM2_AVX2_poly_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM2_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1); - PQCLEAN_DILITHIUM2_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); + PQCLEAN_DILITHIUM2_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); } - /* Compute CRH(rho, t1) and store in secret key */ - crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and store in secret key */ + shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES); return 0; } @@ -119,7 +119,7 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { **************************************************/ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { unsigned int i, n, pos; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint8_t hintbuf[N]; uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; @@ -135,20 +135,20 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM2_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM2_AVX2_polyvec_matrix_expand(mat, rho); @@ -293,10 +293,10 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium2/avx2/symmetric.h b/crypto_sign/dilithium2/avx2/symmetric.h index deb8cf6c..f203efab 100644 --- a/crypto_sign/dilithium2/avx2/symmetric.h +++ b/crypto_sign/dilithium2/avx2/symmetric.h @@ -9,27 +9,18 @@ typedef shake128incctx stream128_state; typedef shake256incctx stream256_state; -void PQCLEAN_DILITHIUM2_AVX2_dilithium_shake128_stream_init(shake128incctx *state, - const uint8_t seed[SEEDBYTES], - uint16_t nonce); +void PQCLEAN_DILITHIUM2_AVX2_dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM2_AVX2_dilithium_shake256_stream_init(shake256incctx *state, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void PQCLEAN_DILITHIUM2_AVX2_dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce); #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) -#define stream128_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM2_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE) -#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE) +#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE) +#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE) #define stream128_release(STATE) shake128_inc_ctx_release(STATE) -#define stream256_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM2_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE) -#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE) +#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE) +#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE) #define stream256_release(STATE) shake256_inc_ctx_release(STATE) diff --git a/crypto_sign/dilithium2/clean/api.h b/crypto_sign/dilithium2/clean/api.h index dabeeae8..2afe88ff 100644 --- a/crypto_sign/dilithium2/clean/api.h +++ b/crypto_sign/dilithium2/clean/api.h @@ -5,7 +5,7 @@ #include #define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES 1312 -#define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES 2544 +#define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES 2528 #define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_BYTES 2420 #define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_ALGNAME "Dilithium2" diff --git a/crypto_sign/dilithium2/clean/packing.c b/crypto_sign/dilithium2/clean/packing.c index b54c9646..15ca8e8d 100644 --- a/crypto_sign/dilithium2/clean/packing.c +++ b/crypto_sign/dilithium2/clean/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM2_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM2_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM2_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM2_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM2_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM2_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium2/clean/packing.h b/crypto_sign/dilithium2/clean/packing.h index 44a088fd..d071ad05 100644 --- a/crypto_sign/dilithium2/clean/packing.h +++ b/crypto_sign/dilithium2/clean/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO void PQCLEAN_DILITHIUM2_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2_CLEAN_CRYP void PQCLEAN_DILITHIUM2_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM2_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium2/clean/params.h b/crypto_sign/dilithium2/clean/params.h index 93aa7897..49caf780 100644 --- a/crypto_sign/dilithium2/clean/params.h +++ b/crypto_sign/dilithium2/clean/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 96 #define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium2/clean/poly.c b/crypto_sign/dilithium2/clean/poly.c index f46027a5..060a317e 100644 --- a/crypto_sign/dilithium2/clean/poly.c +++ b/crypto_sign/dilithium2/clean/poly.c @@ -438,28 +438,28 @@ static unsigned int rej_eta(int32_t *a, * output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) +#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES) void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int ctr; - unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES]; - stream128_state state; + unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES; + uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES]; + stream256_state state; - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); + stream256_init(&state, seed, nonce); + stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); ctr = rej_eta(a->coeffs, N, buf, buflen); while (ctr < N) { - stream128_squeezeblocks(buf, 1, &state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf, 1, &state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES); } - stream128_release(&state); + stream256_release(&state); } /************************************************* diff --git a/crypto_sign/dilithium2/clean/poly.h b/crypto_sign/dilithium2/clean/poly.h index cd5660c1..4e3c9ad4 100644 --- a/crypto_sign/dilithium2/clean/poly.h +++ b/crypto_sign/dilithium2/clean/poly.h @@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], diff --git a/crypto_sign/dilithium2/clean/polyvec.c b/crypto_sign/dilithium2/clean/polyvec.c index d2bec78d..e0f80630 100644 --- a/crypto_sign/dilithium2/clean/polyvec.c +++ b/crypto_sign/dilithium2/clean/polyvec.c @@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, c /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM2_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t bound) /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM2_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium2/clean/polyvec.h b/crypto_sign/dilithium2/clean/polyvec.h index 6d0eb473..8d1e8588 100644 --- a/crypto_sign/dilithium2/clean/polyvec.h +++ b/crypto_sign/dilithium2/clean/polyvec.h @@ -9,7 +9,7 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); @@ -36,7 +36,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM2_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2_CLEAN_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM2_CLEAN_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium2/clean/sign.c b/crypto_sign/dilithium2/clean/sign.c index 0ea6d242..44df8b37 100644 --- a/crypto_sign/dilithium2/clean/sign.c +++ b/crypto_sign/dilithium2/clean/sign.c @@ -21,8 +21,8 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seedbuf[3 * SEEDBYTES]; - uint8_t tr[CRHBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; + uint8_t tr[SEEDBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl mat[K]; polyvecl s1, s1hat; @@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Expand matrix */ PQCLEAN_DILITHIUM2_CLEAN_polyvec_matrix_expand(mat, rho); @@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM2_CLEAN_polyveck_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM2_CLEAN_pack_pk(pk, rho, &t1); - /* Compute CRH(rho, t1) and write secret key */ - crh(tr, pk, PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and write secret key */ + shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES); PQCLEAN_DILITHIUM2_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2); return 0; @@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_signature(uint8_t *sig, size_t mlen, const uint8_t *sk) { unsigned int n; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; polyvecl mat[K], s1, y, z; @@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_signature(uint8_t *sig, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM2_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM2_CLEAN_polyvec_matrix_expand(mat, rho); @@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_verify(const uint8_t *sig, return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium2/clean/symmetric.h b/crypto_sign/dilithium2/clean/symmetric.h index cbbb11d4..928f8412 100644 --- a/crypto_sign/dilithium2/clean/symmetric.h +++ b/crypto_sign/dilithium2/clean/symmetric.h @@ -20,7 +20,6 @@ void PQCLEAN_DILITHIUM2_CLEAN_dilithium_shake256_stream_init(shake256incctx *sta #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) \ PQCLEAN_DILITHIUM2_CLEAN_dilithium_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ diff --git a/crypto_sign/dilithium2aes/META.yml b/crypto_sign/dilithium2aes/META.yml index 6a4fe381..dcb7426c 100644 --- a/crypto_sign/dilithium2aes/META.yml +++ b/crypto_sign/dilithium2aes/META.yml @@ -2,10 +2,10 @@ name: Dilithium2-AES type: signature claimed-nist-level: 2 length-public-key: 1312 -length-secret-key: 2544 +length-secret-key: 2528 length-signature: 2420 -nistkat-sha256: 23972a0a5f1f32781aa11fa57d9994ddd53c1bbcc732967f61d9d9aaef01c492 -testvectors-sha256: 22e68fe8bf781dee949a4297f9ba44d1c350a1d88bae03117cfb2ca494c6e604 +nistkat-sha256: 62569a8c8cf8781a60c88753dfa8806afac09e39f01df1bb6598ca29bac7f425 +testvectors-sha256: faea339481e765cefba110bfcf1abb81c98546bee2b9b63f2fbe63feed9886da principal-submitters: - Vadim Lyubashevsky auxiliary-submitters: @@ -17,9 +17,9 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: clean - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium - name: avx2 - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium supported_platforms: - architecture: x86_64 operating_systems: diff --git a/crypto_sign/dilithium2aes/avx2/api.h b/crypto_sign/dilithium2aes/avx2/api.h index 84f0634b..68516bda 100644 --- a/crypto_sign/dilithium2aes/avx2/api.h +++ b/crypto_sign/dilithium2aes/avx2/api.h @@ -5,7 +5,7 @@ #include #define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES 1312 -#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES 2544 +#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES 2528 #define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES 2420 #define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_ALGNAME "Dilithium2-AES" diff --git a/crypto_sign/dilithium2aes/avx2/packing.c b/crypto_sign/dilithium2aes/avx2/packing.c index 5ef0a359..21dec845 100644 --- a/crypto_sign/dilithium2aes/avx2/packing.c +++ b/crypto_sign/dilithium2aes/avx2/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CR } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CR * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM2AES_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium2aes/avx2/packing.h b/crypto_sign/dilithium2aes/avx2/packing.h index d5c0a4c3..1f08c291 100644 --- a/crypto_sign/dilithium2aes/avx2/packing.h +++ b/crypto_sign/dilithium2aes/avx2/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2AES_AVX2_CR void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2AES_AVX2_ void PQCLEAN_DILITHIUM2AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium2aes/avx2/params.h b/crypto_sign/dilithium2aes/avx2/params.h index b6b4a6c2..b182889d 100644 --- a/crypto_sign/dilithium2aes/avx2/params.h +++ b/crypto_sign/dilithium2aes/avx2/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 96 #define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium2aes/avx2/poly.c b/crypto_sign/dilithium2aes/avx2/poly.c index 896252de..6f8fa0e6 100644 --- a/crypto_sign/dilithium2aes/avx2/poly.c +++ b/crypto_sign/dilithium2aes/avx2/poly.c @@ -460,27 +460,27 @@ static unsigned int rej_eta(int32_t *a, * or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) { +void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) { unsigned int ctr; - ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf; + ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf; - stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); + stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); ctr = PQCLEAN_DILITHIUM2AES_AVX2_rej_eta_avx(a->coeffs, buf.coeffs); while (ctr < N) { - stream128_squeezeblocks(buf.coeffs, 1, state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf.coeffs, 1, state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES); } } -void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - stream128_state state; - stream128_init(&state, seed, nonce); +void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) { + stream256_state state; + stream256_init(&state, seed, nonce); PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(a, &state); - stream128_release(&state); + stream256_release(&state); } diff --git a/crypto_sign/dilithium2aes/avx2/poly.h b/crypto_sign/dilithium2aes/avx2/poly.h index 7f066099..f0962fbf 100644 --- a/crypto_sign/dilithium2aes/avx2/poly.h +++ b/crypto_sign/dilithium2aes/avx2/poly.h @@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM2AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly int PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm(const poly *a, int32_t B); void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state); void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state); -void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state); +void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state); void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2AES_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); diff --git a/crypto_sign/dilithium2aes/avx2/polyvec.c b/crypto_sign/dilithium2aes/avx2/polyvec.c index 323fb1c5..8f01c0bc 100644 --- a/crypto_sign/dilithium2aes/avx2/polyvec.c +++ b/crypto_sign/dilithium2aes/avx2/polyvec.c @@ -49,7 +49,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -57,7 +57,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t } } -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -182,7 +182,7 @@ int PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium2aes/avx2/polyvec.h b/crypto_sign/dilithium2aes/avx2/polyvec.h index 67652026..d16f9d5e 100644 --- a/crypto_sign/dilithium2aes/avx2/polyvec.h +++ b/crypto_sign/dilithium2aes/avx2/polyvec.h @@ -9,9 +9,9 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_reduce(polyvecl *v); @@ -33,7 +33,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium2aes/avx2/rejsample.h b/crypto_sign/dilithium2aes/avx2/rejsample.h index 154ae530..803451a7 100644 --- a/crypto_sign/dilithium2aes/avx2/rejsample.h +++ b/crypto_sign/dilithium2aes/avx2/rejsample.h @@ -7,8 +7,8 @@ #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_NBLOCKS ((137+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES) +#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES) +#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES) extern const uint8_t PQCLEAN_DILITHIUM2AES_AVX2_idxlut[256][8]; diff --git a/crypto_sign/dilithium2aes/avx2/sign.c b/crypto_sign/dilithium2aes/avx2/sign.c index a6b111a6..5d56c5aa 100644 --- a/crypto_sign/dilithium2aes/avx2/sign.c +++ b/crypto_sign/dilithium2aes/avx2/sign.c @@ -26,7 +26,7 @@ **************************************************/ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { unsigned int i; - uint8_t seedbuf[3 * SEEDBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; const uint8_t *rho, *rhoprime, *key; uint64_t nonce; aes256ctr_ctx aesctx; @@ -37,10 +37,10 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Store rho, key */ memcpy(pk, rho, SEEDBYTES); @@ -62,10 +62,10 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Pack secret vectors */ for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); + PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); } for (i = 0; i < K; i++) { - PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); + PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); } /* Transform s1 */ @@ -93,11 +93,11 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM2AES_AVX2_poly_caddq(&t1); PQCLEAN_DILITHIUM2AES_AVX2_poly_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM2AES_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1); - PQCLEAN_DILITHIUM2AES_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); + PQCLEAN_DILITHIUM2AES_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); } - /* Compute CRH(rho, t1) and store in secret key */ - crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and store in secret key */ + shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES); return 0; } @@ -117,7 +117,7 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { **************************************************/ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { unsigned int i, n, pos; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint8_t hintbuf[N]; uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; @@ -133,20 +133,20 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *sigle rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_expand(mat, rho); @@ -297,10 +297,10 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t sig return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium2aes/avx2/symmetric.h b/crypto_sign/dilithium2aes/avx2/symmetric.h index 681d9ad9..ea7bb187 100644 --- a/crypto_sign/dilithium2aes/avx2/symmetric.h +++ b/crypto_sign/dilithium2aes/avx2/symmetric.h @@ -13,7 +13,6 @@ typedef aes256ctr_ctx stream256_state; #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) #define stream128_release(STATE) diff --git a/crypto_sign/dilithium2aes/clean/api.h b/crypto_sign/dilithium2aes/clean/api.h index 6f19a259..20e59ecb 100644 --- a/crypto_sign/dilithium2aes/clean/api.h +++ b/crypto_sign/dilithium2aes/clean/api.h @@ -5,7 +5,7 @@ #include #define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES 1312 -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES 2544 +#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES 2528 #define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES 2420 #define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_ALGNAME "Dilithium2-AES" diff --git a/crypto_sign/dilithium2aes/clean/packing.c b/crypto_sign/dilithium2aes/clean/packing.c index bbaaf21f..ff2d6a9c 100644 --- a/crypto_sign/dilithium2aes/clean/packing.c +++ b/crypto_sign/dilithium2aes/clean/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_ } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_ * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium2aes/clean/packing.h b/crypto_sign/dilithium2aes/clean/packing.h index a6dbd114..b27a23df 100644 --- a/crypto_sign/dilithium2aes/clean/packing.h +++ b/crypto_sign/dilithium2aes/clean/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2AES_CLEAN_ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2AES_CLEA void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium2aes/clean/params.h b/crypto_sign/dilithium2aes/clean/params.h index b8625aa3..8ced0aef 100644 --- a/crypto_sign/dilithium2aes/clean/params.h +++ b/crypto_sign/dilithium2aes/clean/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 96 #define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium2aes/clean/poly.c b/crypto_sign/dilithium2aes/clean/poly.c index 7edd1629..558dfd97 100644 --- a/crypto_sign/dilithium2aes/clean/poly.c +++ b/crypto_sign/dilithium2aes/clean/poly.c @@ -438,28 +438,28 @@ static unsigned int rej_eta(int32_t *a, * output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) +#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES) void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int ctr; - unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES]; - stream128_state state; + unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES; + uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES]; + stream256_state state; - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); + stream256_init(&state, seed, nonce); + stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); ctr = rej_eta(a->coeffs, N, buf, buflen); while (ctr < N) { - stream128_squeezeblocks(buf, 1, &state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf, 1, &state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES); } - stream128_release(&state); + stream256_release(&state); } /************************************************* diff --git a/crypto_sign/dilithium2aes/clean/poly.h b/crypto_sign/dilithium2aes/clean/poly.h index 6ad8405e..0b0656cc 100644 --- a/crypto_sign/dilithium2aes/clean/poly.h +++ b/crypto_sign/dilithium2aes/clean/poly.h @@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], diff --git a/crypto_sign/dilithium2aes/clean/polyvec.c b/crypto_sign/dilithium2aes/clean/polyvec.c index a7a77fb3..6f29e946 100644 --- a/crypto_sign/dilithium2aes/clean/polyvec.c +++ b/crypto_sign/dilithium2aes/clean/polyvec.c @@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t boun /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium2aes/clean/polyvec.h b/crypto_sign/dilithium2aes/clean/polyvec.h index ea0ade36..e3da159b 100644 --- a/crypto_sign/dilithium2aes/clean/polyvec.h +++ b/crypto_sign/dilithium2aes/clean/polyvec.h @@ -9,7 +9,7 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); @@ -36,7 +36,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium2aes/clean/sign.c b/crypto_sign/dilithium2aes/clean/sign.c index a30df581..4d4b51f9 100644 --- a/crypto_sign/dilithium2aes/clean/sign.c +++ b/crypto_sign/dilithium2aes/clean/sign.c @@ -21,8 +21,8 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seedbuf[3 * SEEDBYTES]; - uint8_t tr[CRHBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; + uint8_t tr[SEEDBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl mat[K]; polyvecl s1, s1hat; @@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Expand matrix */ PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_expand(mat, rho); @@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM2AES_CLEAN_pack_pk(pk, rho, &t1); - /* Compute CRH(rho, t1) and write secret key */ - crh(tr, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and write secret key */ + shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES); PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2); return 0; @@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_signature(uint8_t *sig, size_t mlen, const uint8_t *sk) { unsigned int n; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; polyvecl mat[K], s1, y, z; @@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_signature(uint8_t *sig, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_expand(mat, rho); @@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_verify(const uint8_t *sig, return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium2aes/clean/symmetric.h b/crypto_sign/dilithium2aes/clean/symmetric.h index 6ef04c5c..723a0795 100644 --- a/crypto_sign/dilithium2aes/clean/symmetric.h +++ b/crypto_sign/dilithium2aes/clean/symmetric.h @@ -17,7 +17,6 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state, #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) \ PQCLEAN_DILITHIUM2AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ diff --git a/crypto_sign/dilithium3/META.yml b/crypto_sign/dilithium3/META.yml index 3b84f249..e3d6b8e7 100644 --- a/crypto_sign/dilithium3/META.yml +++ b/crypto_sign/dilithium3/META.yml @@ -2,10 +2,10 @@ name: Dilithium3 type: signature claimed-nist-level: 3 length-public-key: 1952 -length-secret-key: 4016 +length-secret-key: 4000 length-signature: 3293 -nistkat-sha256: d0d4bb6945e14206d17b52f8a395d5a750ec8a73f2ea06b9f1cd226d225a9bfb -testvectors-sha256: 531b85dbecaeaf135ad9004c8e2d5ce163b8e72d9c3a537e15bd383cf5f38aa4 +nistkat-sha256: 8439f580566c46b99449b2cbbd597ce59bcd5d184b90c1108b79a08f6bdbbcb1 +testvectors-sha256: 7d6c0db177a143415db7e609e3ecf603f73e7ceff35685f3ad65ac31b5e1aeeb principal-submitters: - Vadim Lyubashevsky auxiliary-submitters: @@ -17,9 +17,9 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: clean - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium - name: avx2 - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium supported_platforms: - architecture: x86_64 operating_systems: diff --git a/crypto_sign/dilithium3/avx2/api.h b/crypto_sign/dilithium3/avx2/api.h index f6cbffa8..44373ce4 100644 --- a/crypto_sign/dilithium3/avx2/api.h +++ b/crypto_sign/dilithium3/avx2/api.h @@ -5,12 +5,11 @@ #include #define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES 1952 -#define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES 4016 +#define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES 4000 #define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_BYTES 3293 #define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_ALGNAME "Dilithium3" - int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_signature( diff --git a/crypto_sign/dilithium3/avx2/packing.c b/crypto_sign/dilithium3/avx2/packing.c index dde16b0f..f36f6480 100644 --- a/crypto_sign/dilithium3/avx2/packing.c +++ b/crypto_sign/dilithium3/avx2/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM3_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM3_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM3_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_S } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM3_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_S * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM3_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM3_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM3_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium3/avx2/packing.h b/crypto_sign/dilithium3/avx2/packing.h index 9404c00f..f6fe1ba8 100644 --- a/crypto_sign/dilithium3/avx2/packing.h +++ b/crypto_sign/dilithium3/avx2/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM3_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_P void PQCLEAN_DILITHIUM3_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM3_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3_AVX2_CRYPTO void PQCLEAN_DILITHIUM3_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM3_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium3/avx2/params.h b/crypto_sign/dilithium3/avx2/params.h index d824116f..b1a9fd0d 100644 --- a/crypto_sign/dilithium3/avx2/params.h +++ b/crypto_sign/dilithium3/avx2/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 128 #define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium3/avx2/poly.c b/crypto_sign/dilithium3/avx2/poly.c index 550ed556..8321a894 100644 --- a/crypto_sign/dilithium3/avx2/poly.c +++ b/crypto_sign/dilithium3/avx2/poly.c @@ -505,34 +505,34 @@ static unsigned int rej_eta(int32_t *a, * or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) { +void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) { unsigned int ctr; - ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf; + ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf; - stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); + stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); ctr = PQCLEAN_DILITHIUM3_AVX2_rej_eta_avx(a->coeffs, buf.coeffs); while (ctr < N) { - stream128_squeezeblocks(buf.coeffs, 1, state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf.coeffs, 1, state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES); } } -void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - stream128_state state; - stream128_init(&state, seed, nonce); +void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) { + stream256_state state; + stream256_init(&state, seed, nonce); PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(a, &state); - stream128_release(&state); + stream256_release(&state); } void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_4x(poly *a0, poly *a1, poly *a2, poly *a3, - const uint8_t seed[32], + const uint8_t seed[64], uint16_t nonce0, uint16_t nonce1, uint16_t nonce2, @@ -543,23 +543,28 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_4x(poly *a0, __m256i f; keccakx4_state state; - f = _mm256_loadu_si256((__m256i *)seed); - _mm256_store_si256(buf[0].vec, f); - _mm256_store_si256(buf[1].vec, f); - _mm256_store_si256(buf[2].vec, f); - _mm256_store_si256(buf[3].vec, f); - - buf[0].coeffs[SEEDBYTES + 0] = nonce0; - buf[0].coeffs[SEEDBYTES + 1] = nonce0 >> 8; - buf[1].coeffs[SEEDBYTES + 0] = nonce1; - buf[1].coeffs[SEEDBYTES + 1] = nonce1 >> 8; - buf[2].coeffs[SEEDBYTES + 0] = nonce2; - buf[2].coeffs[SEEDBYTES + 1] = nonce2 >> 8; - buf[3].coeffs[SEEDBYTES + 0] = nonce3; - buf[3].coeffs[SEEDBYTES + 1] = nonce3 >> 8; - - PQCLEAN_DILITHIUM3_AVX2_shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2); - PQCLEAN_DILITHIUM3_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state); + f = _mm256_loadu_si256((__m256i *)&seed[0]); + _mm256_store_si256(&buf[0].vec[0], f); + _mm256_store_si256(&buf[1].vec[0], f); + _mm256_store_si256(&buf[2].vec[0], f); + _mm256_store_si256(&buf[3].vec[0], f); + f = _mm256_loadu_si256((__m256i *)&seed[32]); + _mm256_store_si256(&buf[0].vec[1], f); + _mm256_store_si256(&buf[1].vec[1], f); + _mm256_store_si256(&buf[2].vec[1], f); + _mm256_store_si256(&buf[3].vec[1], f); + + buf[0].coeffs[64] = nonce0; + buf[0].coeffs[65] = nonce0 >> 8; + buf[1].coeffs[64] = nonce1; + buf[1].coeffs[65] = nonce1 >> 8; + buf[2].coeffs[64] = nonce2; + buf[2].coeffs[65] = nonce2 >> 8; + buf[3].coeffs[64] = nonce3; + buf[3].coeffs[65] = nonce3 >> 8; + + PQCLEAN_DILITHIUM3_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); + PQCLEAN_DILITHIUM3_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state); ctr0 = PQCLEAN_DILITHIUM3_AVX2_rej_eta_avx(a0->coeffs, buf[0].coeffs); ctr1 = PQCLEAN_DILITHIUM3_AVX2_rej_eta_avx(a1->coeffs, buf[1].coeffs); @@ -567,12 +572,12 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_4x(poly *a0, ctr3 = PQCLEAN_DILITHIUM3_AVX2_rej_eta_avx(a3->coeffs, buf[3].coeffs); while (ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) { - PQCLEAN_DILITHIUM3_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state); + PQCLEAN_DILITHIUM3_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state); - ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE); - ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE); - ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE); - ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE); + ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE); + ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE); + ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE); + ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE); } } @@ -606,7 +611,7 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1_4x(poly *a0, poly *a1, poly *a2, poly *a3, - const uint8_t seed[48], + const uint8_t seed[64], uint16_t nonce0, uint16_t nonce1, uint16_t nonce2, @@ -614,29 +619,28 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1_4x(poly *a0, ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES + 14) buf[4]; keccakx4_state state; __m256i f; - __m128i g; - f = _mm256_loadu_si256((__m256i *)seed); - _mm256_store_si256(buf[0].vec, f); - _mm256_store_si256(buf[1].vec, f); - _mm256_store_si256(buf[2].vec, f); - _mm256_store_si256(buf[3].vec, f); - g = _mm_loadu_si128((__m128i *)&seed[32]); - _mm_store_si128((__m128i *)&buf[0].vec[1], g); - _mm_store_si128((__m128i *)&buf[1].vec[1], g); - _mm_store_si128((__m128i *)&buf[2].vec[1], g); - _mm_store_si128((__m128i *)&buf[3].vec[1], g); - - buf[0].coeffs[CRHBYTES + 0] = nonce0; - buf[0].coeffs[CRHBYTES + 1] = nonce0 >> 8; - buf[1].coeffs[CRHBYTES + 0] = nonce1; - buf[1].coeffs[CRHBYTES + 1] = nonce1 >> 8; - buf[2].coeffs[CRHBYTES + 0] = nonce2; - buf[2].coeffs[CRHBYTES + 1] = nonce2 >> 8; - buf[3].coeffs[CRHBYTES + 0] = nonce3; - buf[3].coeffs[CRHBYTES + 1] = nonce3 >> 8; - - PQCLEAN_DILITHIUM3_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, CRHBYTES + 2); + f = _mm256_loadu_si256((__m256i *)&seed[0]); + _mm256_store_si256(&buf[0].vec[0], f); + _mm256_store_si256(&buf[1].vec[0], f); + _mm256_store_si256(&buf[2].vec[0], f); + _mm256_store_si256(&buf[3].vec[0], f); + f = _mm256_loadu_si256((__m256i *)&seed[32]); + _mm256_store_si256(&buf[0].vec[1], f); + _mm256_store_si256(&buf[1].vec[1], f); + _mm256_store_si256(&buf[2].vec[1], f); + _mm256_store_si256(&buf[3].vec[1], f); + + buf[0].coeffs[64] = nonce0; + buf[0].coeffs[65] = nonce0 >> 8; + buf[1].coeffs[64] = nonce1; + buf[1].coeffs[65] = nonce1 >> 8; + buf[2].coeffs[64] = nonce2; + buf[2].coeffs[65] = nonce2 >> 8; + buf[3].coeffs[64] = nonce3; + buf[3].coeffs[65] = nonce3 >> 8; + + PQCLEAN_DILITHIUM3_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); PQCLEAN_DILITHIUM3_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); PQCLEAN_DILITHIUM3_AVX2_polyz_unpack(a0, buf[0].coeffs); diff --git a/crypto_sign/dilithium3/avx2/poly.h b/crypto_sign/dilithium3/avx2/poly.h index b424c625..a9c17b26 100644 --- a/crypto_sign/dilithium3/avx2/poly.h +++ b/crypto_sign/dilithium3/avx2/poly.h @@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h int PQCLEAN_DILITHIUM3_AVX2_poly_chknorm(const poly *a, int32_t B); void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_preinit(poly *a, stream128_state *state); void PQCLEAN_DILITHIUM3_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state); -void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state); +void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state); void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); @@ -47,7 +47,7 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_4x(poly *a0, poly *a1, poly *a2, poly *a3, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce0, uint16_t nonce1, uint16_t nonce2, diff --git a/crypto_sign/dilithium3/avx2/polyvec.c b/crypto_sign/dilithium3/avx2/polyvec.c index 10ccd9f8..cb14eb31 100644 --- a/crypto_sign/dilithium3/avx2/polyvec.c +++ b/crypto_sign/dilithium3/avx2/polyvec.c @@ -98,7 +98,7 @@ void PQCLEAN_DILITHIUM3_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, co /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -106,7 +106,7 @@ void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t see } } -void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -231,7 +231,7 @@ int PQCLEAN_DILITHIUM3_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound) /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM3_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium3/avx2/polyvec.h b/crypto_sign/dilithium3/avx2/polyvec.h index 983e13f0..2d0a3e85 100644 --- a/crypto_sign/dilithium3/avx2/polyvec.h +++ b/crypto_sign/dilithium3/avx2/polyvec.h @@ -9,9 +9,9 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3_AVX2_polyvecl_reduce(polyvecl *v); @@ -33,7 +33,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM3_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3_AVX2_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM3_AVX2_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium3/avx2/rejsample.h b/crypto_sign/dilithium3/avx2/rejsample.h index 9012ae97..f94b55da 100644 --- a/crypto_sign/dilithium3/avx2/rejsample.h +++ b/crypto_sign/dilithium3/avx2/rejsample.h @@ -7,8 +7,8 @@ #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_NBLOCKS ((228+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES) +#define REJ_UNIFORM_ETA_NBLOCKS ((227+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES) +#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES) extern const uint8_t PQCLEAN_DILITHIUM3_AVX2_idxlut[256][8]; diff --git a/crypto_sign/dilithium3/avx2/sign.c b/crypto_sign/dilithium3/avx2/sign.c index f746e8f8..1bb1aa93 100644 --- a/crypto_sign/dilithium3/avx2/sign.c +++ b/crypto_sign/dilithium3/avx2/sign.c @@ -53,7 +53,7 @@ static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], co **************************************************/ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { unsigned int i; - uint8_t seedbuf[3 * SEEDBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl rowbuf[2]; polyvecl s1, *row = rowbuf; @@ -62,10 +62,10 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Store rho, key */ memcpy(pk, rho, SEEDBYTES); @@ -79,10 +79,10 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Pack secret vectors */ for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); + PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); } for (i = 0; i < K; i++) { - PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); + PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); } /* Transform s1 */ @@ -104,11 +104,11 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM3_AVX2_poly_caddq(&t1); PQCLEAN_DILITHIUM3_AVX2_poly_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM3_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1); - PQCLEAN_DILITHIUM3_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); + PQCLEAN_DILITHIUM3_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); } - /* Compute CRH(rho, t1) and store in secret key */ - crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and store in secret key */ + shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES); return 0; } @@ -128,7 +128,7 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { **************************************************/ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { unsigned int i, n, pos; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint8_t hintbuf[N]; uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; @@ -144,20 +144,20 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM3_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM3_AVX2_polyvec_matrix_expand(mat, rho); @@ -303,10 +303,10 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium3/avx2/symmetric.h b/crypto_sign/dilithium3/avx2/symmetric.h index 3d97a2b3..6372ae5e 100644 --- a/crypto_sign/dilithium3/avx2/symmetric.h +++ b/crypto_sign/dilithium3/avx2/symmetric.h @@ -9,27 +9,18 @@ typedef shake128incctx stream128_state; typedef shake256incctx stream256_state; -void PQCLEAN_DILITHIUM3_AVX2_dilithium_shake128_stream_init(shake128incctx *state, - const uint8_t seed[SEEDBYTES], - uint16_t nonce); +void PQCLEAN_DILITHIUM3_AVX2_dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM3_AVX2_dilithium_shake256_stream_init(shake256incctx *state, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void PQCLEAN_DILITHIUM3_AVX2_dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce); #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) -#define stream128_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM3_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE) -#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE) +#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE) +#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE) #define stream128_release(STATE) shake128_inc_ctx_release(STATE) -#define stream256_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM3_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE) -#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE) +#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE) +#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE) #define stream256_release(STATE) shake256_inc_ctx_release(STATE) diff --git a/crypto_sign/dilithium3/clean/api.h b/crypto_sign/dilithium3/clean/api.h index 1799052b..86737f1f 100644 --- a/crypto_sign/dilithium3/clean/api.h +++ b/crypto_sign/dilithium3/clean/api.h @@ -5,12 +5,11 @@ #include #define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES 1952 -#define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES 4016 +#define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES 4000 #define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_BYTES 3293 #define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_ALGNAME "Dilithium3" - int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_signature( diff --git a/crypto_sign/dilithium3/clean/packing.c b/crypto_sign/dilithium3/clean/packing.c index ed75c70d..42cacad6 100644 --- a/crypto_sign/dilithium3/clean/packing.c +++ b/crypto_sign/dilithium3/clean/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM3_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM3_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM3_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM3_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM3_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM3_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium3/clean/packing.h b/crypto_sign/dilithium3/clean/packing.h index 734c6f10..ddd9e413 100644 --- a/crypto_sign/dilithium3/clean/packing.h +++ b/crypto_sign/dilithium3/clean/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO void PQCLEAN_DILITHIUM3_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3_CLEAN_CRYP void PQCLEAN_DILITHIUM3_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM3_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium3/clean/params.h b/crypto_sign/dilithium3/clean/params.h index 76bca543..72220537 100644 --- a/crypto_sign/dilithium3/clean/params.h +++ b/crypto_sign/dilithium3/clean/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 128 #define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium3/clean/poly.c b/crypto_sign/dilithium3/clean/poly.c index 7a956575..df07d6c5 100644 --- a/crypto_sign/dilithium3/clean/poly.c +++ b/crypto_sign/dilithium3/clean/poly.c @@ -436,28 +436,28 @@ static unsigned int rej_eta(int32_t *a, * output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) +#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES) void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int ctr; - unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES]; - stream128_state state; + unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES; + uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES]; + stream256_state state; - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); + stream256_init(&state, seed, nonce); + stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); ctr = rej_eta(a->coeffs, N, buf, buflen); while (ctr < N) { - stream128_squeezeblocks(buf, 1, &state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf, 1, &state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES); } - stream128_release(&state); + stream256_release(&state); } /************************************************* diff --git a/crypto_sign/dilithium3/clean/poly.h b/crypto_sign/dilithium3/clean/poly.h index d5531e26..53d8e032 100644 --- a/crypto_sign/dilithium3/clean/poly.h +++ b/crypto_sign/dilithium3/clean/poly.h @@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], diff --git a/crypto_sign/dilithium3/clean/polyvec.c b/crypto_sign/dilithium3/clean/polyvec.c index 67212779..1625a51c 100644 --- a/crypto_sign/dilithium3/clean/polyvec.c +++ b/crypto_sign/dilithium3/clean/polyvec.c @@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, c /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM3_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t bound) /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM3_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium3/clean/polyvec.h b/crypto_sign/dilithium3/clean/polyvec.h index be184a7b..0ff49b2e 100644 --- a/crypto_sign/dilithium3/clean/polyvec.h +++ b/crypto_sign/dilithium3/clean/polyvec.h @@ -9,7 +9,7 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); @@ -36,7 +36,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM3_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3_CLEAN_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM3_CLEAN_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium3/clean/sign.c b/crypto_sign/dilithium3/clean/sign.c index a585a509..334d04ad 100644 --- a/crypto_sign/dilithium3/clean/sign.c +++ b/crypto_sign/dilithium3/clean/sign.c @@ -21,8 +21,8 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seedbuf[3 * SEEDBYTES]; - uint8_t tr[CRHBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; + uint8_t tr[SEEDBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl mat[K]; polyvecl s1, s1hat; @@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Expand matrix */ PQCLEAN_DILITHIUM3_CLEAN_polyvec_matrix_expand(mat, rho); @@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM3_CLEAN_polyveck_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM3_CLEAN_pack_pk(pk, rho, &t1); - /* Compute CRH(rho, t1) and write secret key */ - crh(tr, pk, PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and write secret key */ + shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES); PQCLEAN_DILITHIUM3_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2); return 0; @@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_signature(uint8_t *sig, size_t mlen, const uint8_t *sk) { unsigned int n; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; polyvecl mat[K], s1, y, z; @@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_signature(uint8_t *sig, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM3_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM3_CLEAN_polyvec_matrix_expand(mat, rho); @@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_verify(const uint8_t *sig, return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium3/clean/symmetric.h b/crypto_sign/dilithium3/clean/symmetric.h index dd88beef..bcdd5461 100644 --- a/crypto_sign/dilithium3/clean/symmetric.h +++ b/crypto_sign/dilithium3/clean/symmetric.h @@ -20,7 +20,6 @@ void PQCLEAN_DILITHIUM3_CLEAN_dilithium_shake256_stream_init(shake256incctx *sta #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) \ PQCLEAN_DILITHIUM3_CLEAN_dilithium_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ diff --git a/crypto_sign/dilithium3aes/META.yml b/crypto_sign/dilithium3aes/META.yml index 7b42c902..b16e67ce 100644 --- a/crypto_sign/dilithium3aes/META.yml +++ b/crypto_sign/dilithium3aes/META.yml @@ -2,10 +2,10 @@ name: Dilithium3-AES type: signature claimed-nist-level: 3 length-public-key: 1952 -length-secret-key: 4016 +length-secret-key: 4000 length-signature: 3293 -nistkat-sha256: c1519093239804f90d1c9386e2a95b42b45dc65cbdc7c1dd777fe27de3840517 -testvectors-sha256: 9637ff196abfad19f3479e6a6ec3e91fc6de3bae89adf8617d91154063a3262a +nistkat-sha256: 199db029b177b368d71bac8689e16394621b84ddc5517e8476312165288e63d3 +testvectors-sha256: a69ed1454332b6967c1b8da3ac4dce61ce163edec400e2f4631b6a8ab3409436 principal-submitters: - Vadim Lyubashevsky auxiliary-submitters: @@ -17,9 +17,9 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: clean - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium - name: avx2 - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium supported_platforms: - architecture: x86_64 operating_systems: diff --git a/crypto_sign/dilithium3aes/avx2/api.h b/crypto_sign/dilithium3aes/avx2/api.h index 39a2fbad..a3f6c9c0 100644 --- a/crypto_sign/dilithium3aes/avx2/api.h +++ b/crypto_sign/dilithium3aes/avx2/api.h @@ -5,12 +5,11 @@ #include #define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES 1952 -#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES 4016 +#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES 4000 #define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES 3293 #define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_ALGNAME "Dilithium3-AES" - int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature( diff --git a/crypto_sign/dilithium3aes/avx2/packing.c b/crypto_sign/dilithium3aes/avx2/packing.c index 8a849f1f..da28d777 100644 --- a/crypto_sign/dilithium3aes/avx2/packing.c +++ b/crypto_sign/dilithium3aes/avx2/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CR } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CR * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM3AES_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium3aes/avx2/packing.h b/crypto_sign/dilithium3aes/avx2/packing.h index b8053269..1033099a 100644 --- a/crypto_sign/dilithium3aes/avx2/packing.h +++ b/crypto_sign/dilithium3aes/avx2/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3AES_AVX2_CR void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3AES_AVX2_ void PQCLEAN_DILITHIUM3AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium3aes/avx2/params.h b/crypto_sign/dilithium3aes/avx2/params.h index af88be1e..5ce078ae 100644 --- a/crypto_sign/dilithium3aes/avx2/params.h +++ b/crypto_sign/dilithium3aes/avx2/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 128 #define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium3aes/avx2/poly.c b/crypto_sign/dilithium3aes/avx2/poly.c index 1bdfde28..f44c0e64 100644 --- a/crypto_sign/dilithium3aes/avx2/poly.c +++ b/crypto_sign/dilithium3aes/avx2/poly.c @@ -458,27 +458,27 @@ static unsigned int rej_eta(int32_t *a, * or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) { +void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) { unsigned int ctr; - ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf; + ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf; - stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); + stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); ctr = PQCLEAN_DILITHIUM3AES_AVX2_rej_eta_avx(a->coeffs, buf.coeffs); while (ctr < N) { - stream128_squeezeblocks(buf.coeffs, 1, state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf.coeffs, 1, state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES); } } -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - stream128_state state; - stream128_init(&state, seed, nonce); +void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) { + stream256_state state; + stream256_init(&state, seed, nonce); PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(a, &state); - stream128_release(&state); + stream256_release(&state); } diff --git a/crypto_sign/dilithium3aes/avx2/poly.h b/crypto_sign/dilithium3aes/avx2/poly.h index 6b6cf193..84a08d9b 100644 --- a/crypto_sign/dilithium3aes/avx2/poly.h +++ b/crypto_sign/dilithium3aes/avx2/poly.h @@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM3AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly int PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm(const poly *a, int32_t B); void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state); void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state); -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state); +void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state); void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3AES_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); diff --git a/crypto_sign/dilithium3aes/avx2/polyvec.c b/crypto_sign/dilithium3aes/avx2/polyvec.c index 1047740e..7fd4cd0e 100644 --- a/crypto_sign/dilithium3aes/avx2/polyvec.c +++ b/crypto_sign/dilithium3aes/avx2/polyvec.c @@ -49,7 +49,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -57,7 +57,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t } } -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -182,7 +182,7 @@ int PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium3aes/avx2/polyvec.h b/crypto_sign/dilithium3aes/avx2/polyvec.h index 0a76db3d..73af5196 100644 --- a/crypto_sign/dilithium3aes/avx2/polyvec.h +++ b/crypto_sign/dilithium3aes/avx2/polyvec.h @@ -9,9 +9,9 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_reduce(polyvecl *v); @@ -33,7 +33,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium3aes/avx2/rejsample.h b/crypto_sign/dilithium3aes/avx2/rejsample.h index 2f52d684..2bb56408 100644 --- a/crypto_sign/dilithium3aes/avx2/rejsample.h +++ b/crypto_sign/dilithium3aes/avx2/rejsample.h @@ -7,8 +7,8 @@ #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_NBLOCKS ((228+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES) +#define REJ_UNIFORM_ETA_NBLOCKS ((227+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES) +#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES) extern const uint8_t PQCLEAN_DILITHIUM3AES_AVX2_idxlut[256][8]; diff --git a/crypto_sign/dilithium3aes/avx2/sign.c b/crypto_sign/dilithium3aes/avx2/sign.c index 7c2c2a08..e4a2c5cf 100644 --- a/crypto_sign/dilithium3aes/avx2/sign.c +++ b/crypto_sign/dilithium3aes/avx2/sign.c @@ -26,7 +26,7 @@ **************************************************/ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { unsigned int i; - uint8_t seedbuf[3 * SEEDBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; const uint8_t *rho, *rhoprime, *key; uint64_t nonce; aes256ctr_ctx aesctx; @@ -37,10 +37,10 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Store rho, key */ memcpy(pk, rho, SEEDBYTES); @@ -62,10 +62,10 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Pack secret vectors */ for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); + PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); } for (i = 0; i < K; i++) { - PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); + PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); } /* Transform s1 */ @@ -93,11 +93,11 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM3AES_AVX2_poly_caddq(&t1); PQCLEAN_DILITHIUM3AES_AVX2_poly_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM3AES_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1); - PQCLEAN_DILITHIUM3AES_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); + PQCLEAN_DILITHIUM3AES_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); } - /* Compute CRH(rho, t1) and store in secret key */ - crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and store in secret key */ + shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES); return 0; } @@ -117,7 +117,7 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { **************************************************/ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { unsigned int i, n, pos; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint8_t hintbuf[N]; uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; @@ -133,20 +133,20 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *sigle rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_expand(mat, rho); @@ -297,10 +297,10 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t sig return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium3aes/avx2/symmetric.h b/crypto_sign/dilithium3aes/avx2/symmetric.h index 6cfad5ba..9911be72 100644 --- a/crypto_sign/dilithium3aes/avx2/symmetric.h +++ b/crypto_sign/dilithium3aes/avx2/symmetric.h @@ -13,7 +13,6 @@ typedef aes256ctr_ctx stream256_state; #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) #define stream128_release(STATE) diff --git a/crypto_sign/dilithium3aes/clean/api.h b/crypto_sign/dilithium3aes/clean/api.h index 495dd5db..9391b5b2 100644 --- a/crypto_sign/dilithium3aes/clean/api.h +++ b/crypto_sign/dilithium3aes/clean/api.h @@ -5,12 +5,11 @@ #include #define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES 1952 -#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES 4016 +#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES 4000 #define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES 3293 #define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_ALGNAME "Dilithium3-AES" - int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature( diff --git a/crypto_sign/dilithium3aes/clean/packing.c b/crypto_sign/dilithium3aes/clean/packing.c index 9a32261d..f5251381 100644 --- a/crypto_sign/dilithium3aes/clean/packing.c +++ b/crypto_sign/dilithium3aes/clean/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_ } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_ * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium3aes/clean/packing.h b/crypto_sign/dilithium3aes/clean/packing.h index f5e608cf..44373124 100644 --- a/crypto_sign/dilithium3aes/clean/packing.h +++ b/crypto_sign/dilithium3aes/clean/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3AES_CLEAN_ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3AES_CLEA void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium3aes/clean/params.h b/crypto_sign/dilithium3aes/clean/params.h index 4f315e50..1a7019b8 100644 --- a/crypto_sign/dilithium3aes/clean/params.h +++ b/crypto_sign/dilithium3aes/clean/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 128 #define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium3aes/clean/poly.c b/crypto_sign/dilithium3aes/clean/poly.c index ea7e8ad4..950e711e 100644 --- a/crypto_sign/dilithium3aes/clean/poly.c +++ b/crypto_sign/dilithium3aes/clean/poly.c @@ -436,28 +436,28 @@ static unsigned int rej_eta(int32_t *a, * output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) +#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES) void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int ctr; - unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES]; - stream128_state state; + unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES; + uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES]; + stream256_state state; - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); + stream256_init(&state, seed, nonce); + stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); ctr = rej_eta(a->coeffs, N, buf, buflen); while (ctr < N) { - stream128_squeezeblocks(buf, 1, &state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf, 1, &state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES); } - stream128_release(&state); + stream256_release(&state); } /************************************************* diff --git a/crypto_sign/dilithium3aes/clean/poly.h b/crypto_sign/dilithium3aes/clean/poly.h index 092576ca..6fa5d831 100644 --- a/crypto_sign/dilithium3aes/clean/poly.h +++ b/crypto_sign/dilithium3aes/clean/poly.h @@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], diff --git a/crypto_sign/dilithium3aes/clean/polyvec.c b/crypto_sign/dilithium3aes/clean/polyvec.c index a30d322d..ce60cc58 100644 --- a/crypto_sign/dilithium3aes/clean/polyvec.c +++ b/crypto_sign/dilithium3aes/clean/polyvec.c @@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t boun /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium3aes/clean/polyvec.h b/crypto_sign/dilithium3aes/clean/polyvec.h index 668b284a..9cddd5e5 100644 --- a/crypto_sign/dilithium3aes/clean/polyvec.h +++ b/crypto_sign/dilithium3aes/clean/polyvec.h @@ -9,7 +9,7 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); @@ -36,7 +36,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium3aes/clean/sign.c b/crypto_sign/dilithium3aes/clean/sign.c index 3d96ee26..478a8b76 100644 --- a/crypto_sign/dilithium3aes/clean/sign.c +++ b/crypto_sign/dilithium3aes/clean/sign.c @@ -21,8 +21,8 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seedbuf[3 * SEEDBYTES]; - uint8_t tr[CRHBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; + uint8_t tr[SEEDBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl mat[K]; polyvecl s1, s1hat; @@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Expand matrix */ PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_expand(mat, rho); @@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM3AES_CLEAN_pack_pk(pk, rho, &t1); - /* Compute CRH(rho, t1) and write secret key */ - crh(tr, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and write secret key */ + shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES); PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2); return 0; @@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature(uint8_t *sig, size_t mlen, const uint8_t *sk) { unsigned int n; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; polyvecl mat[K], s1, y, z; @@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature(uint8_t *sig, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_expand(mat, rho); @@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_verify(const uint8_t *sig, return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium3aes/clean/symmetric.h b/crypto_sign/dilithium3aes/clean/symmetric.h index 380b510e..64321f8b 100644 --- a/crypto_sign/dilithium3aes/clean/symmetric.h +++ b/crypto_sign/dilithium3aes/clean/symmetric.h @@ -17,7 +17,6 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state, #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) \ PQCLEAN_DILITHIUM3AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ diff --git a/crypto_sign/dilithium5/META.yml b/crypto_sign/dilithium5/META.yml index e498d4bc..97a0b2f8 100644 --- a/crypto_sign/dilithium5/META.yml +++ b/crypto_sign/dilithium5/META.yml @@ -2,10 +2,10 @@ name: Dilithium5 type: signature claimed-nist-level: 5 length-public-key: 2592 -length-secret-key: 4880 +length-secret-key: 4864 length-signature: 4595 -nistkat-sha256: 1d1ee6fb14b864bcc564ad9c416593b2ee1bf93cd65dfe70d9e400bc66be3229 -testvectors-sha256: 9bc663cbfc1b43cff759cfeddd365b665762bc36e1f1d0777ae1196f59617a70 +nistkat-sha256: 984ea5f06b13778292f60ecc07301af76e375f1bb9f4a39d676513439e1e83a2 +testvectors-sha256: 47f16494eb4109934d44a52bc85a12155e8814c8925d7ae6d19840fd9556a73c principal-submitters: - Vadim Lyubashevsky auxiliary-submitters: @@ -17,9 +17,9 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: clean - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium - name: avx2 - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium supported_platforms: - architecture: x86_64 operating_systems: diff --git a/crypto_sign/dilithium5/avx2/api.h b/crypto_sign/dilithium5/avx2/api.h index 7586ee9c..53b9ec94 100644 --- a/crypto_sign/dilithium5/avx2/api.h +++ b/crypto_sign/dilithium5/avx2/api.h @@ -5,7 +5,7 @@ #include #define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES 2592 -#define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES 4880 +#define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES 4864 #define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_BYTES 4595 #define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_ALGNAME "Dilithium5" diff --git a/crypto_sign/dilithium5/avx2/packing.c b/crypto_sign/dilithium5/avx2/packing.c index 2aeec579..2f782a9d 100644 --- a/crypto_sign/dilithium5/avx2/packing.c +++ b/crypto_sign/dilithium5/avx2/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM5_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM5_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM5_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_S } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM5_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM5_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_S * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM5_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM5_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM5_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium5/avx2/packing.h b/crypto_sign/dilithium5/avx2/packing.h index d69bac5a..c722b4b0 100644 --- a/crypto_sign/dilithium5/avx2/packing.h +++ b/crypto_sign/dilithium5/avx2/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM5_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_P void PQCLEAN_DILITHIUM5_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM5_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM5_AVX2_CRYPTO void PQCLEAN_DILITHIUM5_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM5_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium5/avx2/params.h b/crypto_sign/dilithium5/avx2/params.h index 70ddfabd..f9b6e6dd 100644 --- a/crypto_sign/dilithium5/avx2/params.h +++ b/crypto_sign/dilithium5/avx2/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 96 #define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium5/avx2/poly.c b/crypto_sign/dilithium5/avx2/poly.c index e6bfd3c8..dfefdefd 100644 --- a/crypto_sign/dilithium5/avx2/poly.c +++ b/crypto_sign/dilithium5/avx2/poly.c @@ -507,34 +507,34 @@ static unsigned int rej_eta(int32_t *a, * or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) { +void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) { unsigned int ctr; - ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf; + ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf; - stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); + stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); ctr = PQCLEAN_DILITHIUM5_AVX2_rej_eta_avx(a->coeffs, buf.coeffs); while (ctr < N) { - stream128_squeezeblocks(buf.coeffs, 1, state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf.coeffs, 1, state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES); } } -void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - stream128_state state; - stream128_init(&state, seed, nonce); +void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) { + stream256_state state; + stream256_init(&state, seed, nonce); PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(a, &state); - stream128_release(&state); + stream256_release(&state); } void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_4x(poly *a0, poly *a1, poly *a2, poly *a3, - const uint8_t seed[32], + const uint8_t seed[64], uint16_t nonce0, uint16_t nonce1, uint16_t nonce2, @@ -545,23 +545,28 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_4x(poly *a0, __m256i f; keccakx4_state state; - f = _mm256_loadu_si256((__m256i *)seed); - _mm256_store_si256(buf[0].vec, f); - _mm256_store_si256(buf[1].vec, f); - _mm256_store_si256(buf[2].vec, f); - _mm256_store_si256(buf[3].vec, f); - - buf[0].coeffs[SEEDBYTES + 0] = nonce0; - buf[0].coeffs[SEEDBYTES + 1] = nonce0 >> 8; - buf[1].coeffs[SEEDBYTES + 0] = nonce1; - buf[1].coeffs[SEEDBYTES + 1] = nonce1 >> 8; - buf[2].coeffs[SEEDBYTES + 0] = nonce2; - buf[2].coeffs[SEEDBYTES + 1] = nonce2 >> 8; - buf[3].coeffs[SEEDBYTES + 0] = nonce3; - buf[3].coeffs[SEEDBYTES + 1] = nonce3 >> 8; - - PQCLEAN_DILITHIUM5_AVX2_shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2); - PQCLEAN_DILITHIUM5_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state); + f = _mm256_loadu_si256((__m256i *)&seed[0]); + _mm256_store_si256(&buf[0].vec[0], f); + _mm256_store_si256(&buf[1].vec[0], f); + _mm256_store_si256(&buf[2].vec[0], f); + _mm256_store_si256(&buf[3].vec[0], f); + f = _mm256_loadu_si256((__m256i *)&seed[32]); + _mm256_store_si256(&buf[0].vec[1], f); + _mm256_store_si256(&buf[1].vec[1], f); + _mm256_store_si256(&buf[2].vec[1], f); + _mm256_store_si256(&buf[3].vec[1], f); + + buf[0].coeffs[64] = nonce0; + buf[0].coeffs[65] = nonce0 >> 8; + buf[1].coeffs[64] = nonce1; + buf[1].coeffs[65] = nonce1 >> 8; + buf[2].coeffs[64] = nonce2; + buf[2].coeffs[65] = nonce2 >> 8; + buf[3].coeffs[64] = nonce3; + buf[3].coeffs[65] = nonce3 >> 8; + + PQCLEAN_DILITHIUM5_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); + PQCLEAN_DILITHIUM5_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state); ctr0 = PQCLEAN_DILITHIUM5_AVX2_rej_eta_avx(a0->coeffs, buf[0].coeffs); ctr1 = PQCLEAN_DILITHIUM5_AVX2_rej_eta_avx(a1->coeffs, buf[1].coeffs); @@ -569,12 +574,12 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_4x(poly *a0, ctr3 = PQCLEAN_DILITHIUM5_AVX2_rej_eta_avx(a3->coeffs, buf[3].coeffs); while (ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) { - PQCLEAN_DILITHIUM5_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state); + PQCLEAN_DILITHIUM5_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state); - ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE); - ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE); - ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE); - ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE); + ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE); + ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE); + ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE); + ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE); } } @@ -608,7 +613,7 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_gamma1_4x(poly *a0, poly *a1, poly *a2, poly *a3, - const uint8_t seed[48], + const uint8_t seed[64], uint16_t nonce0, uint16_t nonce1, uint16_t nonce2, @@ -616,29 +621,28 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_gamma1_4x(poly *a0, ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES + 14) buf[4]; keccakx4_state state; __m256i f; - __m128i g; - f = _mm256_loadu_si256((__m256i *)seed); - _mm256_store_si256(buf[0].vec, f); - _mm256_store_si256(buf[1].vec, f); - _mm256_store_si256(buf[2].vec, f); - _mm256_store_si256(buf[3].vec, f); - g = _mm_loadu_si128((__m128i *)&seed[32]); - _mm_store_si128((__m128i *)&buf[0].vec[1], g); - _mm_store_si128((__m128i *)&buf[1].vec[1], g); - _mm_store_si128((__m128i *)&buf[2].vec[1], g); - _mm_store_si128((__m128i *)&buf[3].vec[1], g); - - buf[0].coeffs[CRHBYTES + 0] = nonce0; - buf[0].coeffs[CRHBYTES + 1] = nonce0 >> 8; - buf[1].coeffs[CRHBYTES + 0] = nonce1; - buf[1].coeffs[CRHBYTES + 1] = nonce1 >> 8; - buf[2].coeffs[CRHBYTES + 0] = nonce2; - buf[2].coeffs[CRHBYTES + 1] = nonce2 >> 8; - buf[3].coeffs[CRHBYTES + 0] = nonce3; - buf[3].coeffs[CRHBYTES + 1] = nonce3 >> 8; - - PQCLEAN_DILITHIUM5_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, CRHBYTES + 2); + f = _mm256_loadu_si256((__m256i *)&seed[0]); + _mm256_store_si256(&buf[0].vec[0], f); + _mm256_store_si256(&buf[1].vec[0], f); + _mm256_store_si256(&buf[2].vec[0], f); + _mm256_store_si256(&buf[3].vec[0], f); + f = _mm256_loadu_si256((__m256i *)&seed[32]); + _mm256_store_si256(&buf[0].vec[1], f); + _mm256_store_si256(&buf[1].vec[1], f); + _mm256_store_si256(&buf[2].vec[1], f); + _mm256_store_si256(&buf[3].vec[1], f); + + buf[0].coeffs[64] = nonce0; + buf[0].coeffs[65] = nonce0 >> 8; + buf[1].coeffs[64] = nonce1; + buf[1].coeffs[65] = nonce1 >> 8; + buf[2].coeffs[64] = nonce2; + buf[2].coeffs[65] = nonce2 >> 8; + buf[3].coeffs[64] = nonce3; + buf[3].coeffs[65] = nonce3 >> 8; + + PQCLEAN_DILITHIUM5_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); PQCLEAN_DILITHIUM5_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); PQCLEAN_DILITHIUM5_AVX2_polyz_unpack(a0, buf[0].coeffs); diff --git a/crypto_sign/dilithium5/avx2/poly.h b/crypto_sign/dilithium5/avx2/poly.h index 0dc8c4ac..02f3efb5 100644 --- a/crypto_sign/dilithium5/avx2/poly.h +++ b/crypto_sign/dilithium5/avx2/poly.h @@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h int PQCLEAN_DILITHIUM5_AVX2_poly_chknorm(const poly *a, int32_t B); void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_preinit(poly *a, stream128_state *state); void PQCLEAN_DILITHIUM5_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state); -void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state); +void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state); void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); @@ -47,7 +47,7 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_4x(poly *a0, poly *a1, poly *a2, poly *a3, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce0, uint16_t nonce1, uint16_t nonce2, diff --git a/crypto_sign/dilithium5/avx2/polyvec.c b/crypto_sign/dilithium5/avx2/polyvec.c index de295523..9db3274e 100644 --- a/crypto_sign/dilithium5/avx2/polyvec.c +++ b/crypto_sign/dilithium5/avx2/polyvec.c @@ -138,7 +138,7 @@ void PQCLEAN_DILITHIUM5_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, co /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -146,7 +146,7 @@ void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t see } } -void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -271,7 +271,7 @@ int PQCLEAN_DILITHIUM5_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound) /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM5_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium5/avx2/polyvec.h b/crypto_sign/dilithium5/avx2/polyvec.h index 6213436b..4c2ad439 100644 --- a/crypto_sign/dilithium5/avx2/polyvec.h +++ b/crypto_sign/dilithium5/avx2/polyvec.h @@ -9,9 +9,9 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5_AVX2_polyvecl_reduce(polyvecl *v); @@ -33,7 +33,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM5_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5_AVX2_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM5_AVX2_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium5/avx2/rejsample.h b/crypto_sign/dilithium5/avx2/rejsample.h index 78786bf8..03d61c6f 100644 --- a/crypto_sign/dilithium5/avx2/rejsample.h +++ b/crypto_sign/dilithium5/avx2/rejsample.h @@ -7,8 +7,8 @@ #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_NBLOCKS ((137+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES) +#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES) +#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES) extern const uint8_t PQCLEAN_DILITHIUM5_AVX2_idxlut[256][8]; diff --git a/crypto_sign/dilithium5/avx2/sign.c b/crypto_sign/dilithium5/avx2/sign.c index 050a5371..8dd03f24 100644 --- a/crypto_sign/dilithium5/avx2/sign.c +++ b/crypto_sign/dilithium5/avx2/sign.c @@ -61,7 +61,7 @@ static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], co **************************************************/ int PQCLEAN_DILITHIUM5_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { unsigned int i; - uint8_t seedbuf[3 * SEEDBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl rowbuf[2]; polyvecl s1, *row = rowbuf; @@ -70,10 +70,10 @@ int PQCLEAN_DILITHIUM5_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Store rho, key */ memcpy(pk, rho, SEEDBYTES); @@ -88,10 +88,10 @@ int PQCLEAN_DILITHIUM5_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Pack secret vectors */ for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM5_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); + PQCLEAN_DILITHIUM5_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); } for (i = 0; i < K; i++) { - PQCLEAN_DILITHIUM5_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); + PQCLEAN_DILITHIUM5_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); } /* Transform s1 */ @@ -113,11 +113,11 @@ int PQCLEAN_DILITHIUM5_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM5_AVX2_poly_caddq(&t1); PQCLEAN_DILITHIUM5_AVX2_poly_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM5_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1); - PQCLEAN_DILITHIUM5_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); + PQCLEAN_DILITHIUM5_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); } - /* Compute CRH(rho, t1) and store in secret key */ - crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and store in secret key */ + shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES); return 0; } @@ -137,7 +137,7 @@ int PQCLEAN_DILITHIUM5_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { **************************************************/ int PQCLEAN_DILITHIUM5_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { unsigned int i, n, pos; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint8_t hintbuf[N]; uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; @@ -153,20 +153,20 @@ int PQCLEAN_DILITHIUM5_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM5_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM5_AVX2_polyvec_matrix_expand(mat, rho); @@ -313,10 +313,10 @@ int PQCLEAN_DILITHIUM5_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium5/avx2/symmetric.h b/crypto_sign/dilithium5/avx2/symmetric.h index 3d5e8a50..95b5f385 100644 --- a/crypto_sign/dilithium5/avx2/symmetric.h +++ b/crypto_sign/dilithium5/avx2/symmetric.h @@ -9,27 +9,18 @@ typedef shake128incctx stream128_state; typedef shake256incctx stream256_state; -void PQCLEAN_DILITHIUM5_AVX2_dilithium_shake128_stream_init(shake128incctx *state, - const uint8_t seed[SEEDBYTES], - uint16_t nonce); +void PQCLEAN_DILITHIUM5_AVX2_dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM5_AVX2_dilithium_shake256_stream_init(shake256incctx *state, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void PQCLEAN_DILITHIUM5_AVX2_dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce); #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) -#define stream128_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM5_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE) -#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE) +#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM5_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE) +#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE) #define stream128_release(STATE) shake128_inc_ctx_release(STATE) -#define stream256_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM5_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE) -#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE) +#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM5_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE) +#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE) #define stream256_release(STATE) shake256_inc_ctx_release(STATE) diff --git a/crypto_sign/dilithium5/clean/api.h b/crypto_sign/dilithium5/clean/api.h index 8a8d7901..36d0a783 100644 --- a/crypto_sign/dilithium5/clean/api.h +++ b/crypto_sign/dilithium5/clean/api.h @@ -5,7 +5,7 @@ #include #define PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_PUBLICKEYBYTES 2592 -#define PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_SECRETKEYBYTES 4880 +#define PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_SECRETKEYBYTES 4864 #define PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_BYTES 4595 #define PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_ALGNAME "Dilithium5" diff --git a/crypto_sign/dilithium5/clean/packing.c b/crypto_sign/dilithium5/clean/packing.c index 34542a2b..41881bd7 100644 --- a/crypto_sign/dilithium5/clean/packing.c +++ b/crypto_sign/dilithium5/clean/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM5_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM5_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM5_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_CLEAN_CRYPTO } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM5_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM5_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_CLEAN_CRYPTO * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM5_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM5_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM5_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium5/clean/packing.h b/crypto_sign/dilithium5/clean/packing.h index f1fa637a..b27b5d53 100644 --- a/crypto_sign/dilithium5/clean/packing.h +++ b/crypto_sign/dilithium5/clean/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM5_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM5_CLEAN_CRYPTO void PQCLEAN_DILITHIUM5_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM5_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM5_CLEAN_CRYP void PQCLEAN_DILITHIUM5_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM5_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium5/clean/params.h b/crypto_sign/dilithium5/clean/params.h index f7604a1d..4de30e3a 100644 --- a/crypto_sign/dilithium5/clean/params.h +++ b/crypto_sign/dilithium5/clean/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 96 #define PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium5/clean/poly.c b/crypto_sign/dilithium5/clean/poly.c index ff12495b..6378a74d 100644 --- a/crypto_sign/dilithium5/clean/poly.c +++ b/crypto_sign/dilithium5/clean/poly.c @@ -438,28 +438,28 @@ static unsigned int rej_eta(int32_t *a, * output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) +#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES) void PQCLEAN_DILITHIUM5_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int ctr; - unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES]; - stream128_state state; + unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES; + uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES]; + stream256_state state; - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); + stream256_init(&state, seed, nonce); + stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); ctr = rej_eta(a->coeffs, N, buf, buflen); while (ctr < N) { - stream128_squeezeblocks(buf, 1, &state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf, 1, &state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES); } - stream128_release(&state); + stream256_release(&state); } /************************************************* diff --git a/crypto_sign/dilithium5/clean/poly.h b/crypto_sign/dilithium5/clean/poly.h index f768f63e..6b446867 100644 --- a/crypto_sign/dilithium5/clean/poly.h +++ b/crypto_sign/dilithium5/clean/poly.h @@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM5_CLEAN_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5_CLEAN_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], diff --git a/crypto_sign/dilithium5/clean/polyvec.c b/crypto_sign/dilithium5/clean/polyvec.c index e996d1af..9fa02325 100644 --- a/crypto_sign/dilithium5/clean/polyvec.c +++ b/crypto_sign/dilithium5/clean/polyvec.c @@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM5_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, c /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM5_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM5_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t bound) /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM5_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium5/clean/polyvec.h b/crypto_sign/dilithium5/clean/polyvec.h index 9d564f67..9496d982 100644 --- a/crypto_sign/dilithium5/clean/polyvec.h +++ b/crypto_sign/dilithium5/clean/polyvec.h @@ -9,7 +9,7 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM5_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); @@ -36,7 +36,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM5_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5_CLEAN_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM5_CLEAN_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium5/clean/sign.c b/crypto_sign/dilithium5/clean/sign.c index 791821b4..937270c4 100644 --- a/crypto_sign/dilithium5/clean/sign.c +++ b/crypto_sign/dilithium5/clean/sign.c @@ -21,8 +21,8 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_DILITHIUM5_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seedbuf[3 * SEEDBYTES]; - uint8_t tr[CRHBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; + uint8_t tr[SEEDBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl mat[K]; polyvecl s1, s1hat; @@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM5_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Expand matrix */ PQCLEAN_DILITHIUM5_CLEAN_polyvec_matrix_expand(mat, rho); @@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM5_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM5_CLEAN_polyveck_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM5_CLEAN_pack_pk(pk, rho, &t1); - /* Compute CRH(rho, t1) and write secret key */ - crh(tr, pk, PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and write secret key */ + shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_PUBLICKEYBYTES); PQCLEAN_DILITHIUM5_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2); return 0; @@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM5_CLEAN_crypto_sign_signature(uint8_t *sig, size_t mlen, const uint8_t *sk) { unsigned int n; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; polyvecl mat[K], s1, y, z; @@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM5_CLEAN_crypto_sign_signature(uint8_t *sig, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM5_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM5_CLEAN_polyvec_matrix_expand(mat, rho); @@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM5_CLEAN_crypto_sign_verify(const uint8_t *sig, return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM5_CLEAN_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium5/clean/symmetric.h b/crypto_sign/dilithium5/clean/symmetric.h index 92ed263b..f2a2430a 100644 --- a/crypto_sign/dilithium5/clean/symmetric.h +++ b/crypto_sign/dilithium5/clean/symmetric.h @@ -20,7 +20,6 @@ void PQCLEAN_DILITHIUM5_CLEAN_dilithium_shake256_stream_init(shake256incctx *sta #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) \ PQCLEAN_DILITHIUM5_CLEAN_dilithium_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ diff --git a/crypto_sign/dilithium5aes/META.yml b/crypto_sign/dilithium5aes/META.yml index e14b2cf7..40b72e4f 100644 --- a/crypto_sign/dilithium5aes/META.yml +++ b/crypto_sign/dilithium5aes/META.yml @@ -2,10 +2,10 @@ name: Dilithium5-AES type: signature claimed-nist-level: 5 length-public-key: 2592 -length-secret-key: 4880 +length-secret-key: 4864 length-signature: 4595 -nistkat-sha256: 882d5050d6289875cbaa3bd920ec60ff3e2895257cbe8f76ed9d3735daa188c6 -testvectors-sha256: 8289af5b8aeb78bd6a642d1899364ce3ab9f3b2bd4c66da9a9031a9832e71545 +nistkat-sha256: 5734f0f32acf7190130448bbc121994a29fa4355deeee167ef65dbed014f6ee0 +testvectors-sha256: e790f11f4951965d38283f9a4440837c3158bd60c89bbe43807bad41095f1c39 principal-submitters: - Vadim Lyubashevsky auxiliary-submitters: @@ -17,9 +17,9 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: clean - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium - name: avx2 - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium + version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium supported_platforms: - architecture: x86_64 operating_systems: diff --git a/crypto_sign/dilithium5aes/avx2/api.h b/crypto_sign/dilithium5aes/avx2/api.h index a6399853..0bce3686 100644 --- a/crypto_sign/dilithium5aes/avx2/api.h +++ b/crypto_sign/dilithium5aes/avx2/api.h @@ -5,7 +5,7 @@ #include #define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES 2592 -#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES 4880 +#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES 4864 #define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES 4595 #define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_ALGNAME "Dilithium5-AES" diff --git a/crypto_sign/dilithium5aes/avx2/packing.c b/crypto_sign/dilithium5aes/avx2/packing.c index b40af6d4..ab9135f0 100644 --- a/crypto_sign/dilithium5aes/avx2/packing.c +++ b/crypto_sign/dilithium5aes/avx2/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM5AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM5AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM5AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_AVX2_CR } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM5AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_AVX2_CR * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM5AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM5AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM5AES_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium5aes/avx2/packing.h b/crypto_sign/dilithium5aes/avx2/packing.h index 6c707af7..31e6e2a8 100644 --- a/crypto_sign/dilithium5aes/avx2/packing.h +++ b/crypto_sign/dilithium5aes/avx2/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM5AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM5AES_AVX2_CR void PQCLEAN_DILITHIUM5AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM5AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM5AES_AVX2_ void PQCLEAN_DILITHIUM5AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM5AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium5aes/avx2/params.h b/crypto_sign/dilithium5aes/avx2/params.h index 52a5dd43..681eeab7 100644 --- a/crypto_sign/dilithium5aes/avx2/params.h +++ b/crypto_sign/dilithium5aes/avx2/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 96 #define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium5aes/avx2/poly.c b/crypto_sign/dilithium5aes/avx2/poly.c index 34884f7b..500330ad 100644 --- a/crypto_sign/dilithium5aes/avx2/poly.c +++ b/crypto_sign/dilithium5aes/avx2/poly.c @@ -460,27 +460,27 @@ static unsigned int rej_eta(int32_t *a, * or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) { +void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) { unsigned int ctr; - ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf; + ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf; - stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); + stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); ctr = PQCLEAN_DILITHIUM5AES_AVX2_rej_eta_avx(a->coeffs, buf.coeffs); while (ctr < N) { - stream128_squeezeblocks(buf.coeffs, 1, state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf.coeffs, 1, state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES); } } -void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - stream128_state state; - stream128_init(&state, seed, nonce); +void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) { + stream256_state state; + stream256_init(&state, seed, nonce); PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(a, &state); - stream128_release(&state); + stream256_release(&state); } diff --git a/crypto_sign/dilithium5aes/avx2/poly.h b/crypto_sign/dilithium5aes/avx2/poly.h index ca298325..866b3947 100644 --- a/crypto_sign/dilithium5aes/avx2/poly.h +++ b/crypto_sign/dilithium5aes/avx2/poly.h @@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM5AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly int PQCLEAN_DILITHIUM5AES_AVX2_poly_chknorm(const poly *a, int32_t B); void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state); void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state); -void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state); +void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state); void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5AES_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); diff --git a/crypto_sign/dilithium5aes/avx2/polyvec.c b/crypto_sign/dilithium5aes/avx2/polyvec.c index bfae22cb..7c63c272 100644 --- a/crypto_sign/dilithium5aes/avx2/polyvec.c +++ b/crypto_sign/dilithium5aes/avx2/polyvec.c @@ -49,7 +49,7 @@ void PQCLEAN_DILITHIUM5AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -57,7 +57,7 @@ void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t } } -void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -182,7 +182,7 @@ int PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium5aes/avx2/polyvec.h b/crypto_sign/dilithium5aes/avx2/polyvec.h index abd2277e..913afd3b 100644 --- a/crypto_sign/dilithium5aes/avx2/polyvec.h +++ b/crypto_sign/dilithium5aes/avx2/polyvec.h @@ -9,9 +9,9 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); -void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_reduce(polyvecl *v); @@ -33,7 +33,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium5aes/avx2/rejsample.h b/crypto_sign/dilithium5aes/avx2/rejsample.h index c493eaf1..ba9c49d4 100644 --- a/crypto_sign/dilithium5aes/avx2/rejsample.h +++ b/crypto_sign/dilithium5aes/avx2/rejsample.h @@ -7,8 +7,8 @@ #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_NBLOCKS ((137+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES) +#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES) +#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES) extern const uint8_t PQCLEAN_DILITHIUM5AES_AVX2_idxlut[256][8]; diff --git a/crypto_sign/dilithium5aes/avx2/sign.c b/crypto_sign/dilithium5aes/avx2/sign.c index 0977b975..a453dffa 100644 --- a/crypto_sign/dilithium5aes/avx2/sign.c +++ b/crypto_sign/dilithium5aes/avx2/sign.c @@ -26,7 +26,7 @@ **************************************************/ int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { unsigned int i; - uint8_t seedbuf[3 * SEEDBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; const uint8_t *rho, *rhoprime, *key; uint64_t nonce; aes256ctr_ctx aesctx; @@ -37,10 +37,10 @@ int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Store rho, key */ memcpy(pk, rho, SEEDBYTES); @@ -62,10 +62,10 @@ int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Pack secret vectors */ for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); + PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]); } for (i = 0; i < K; i++) { - PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); + PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); } /* Transform s1 */ @@ -93,11 +93,11 @@ int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM5AES_AVX2_poly_caddq(&t1); PQCLEAN_DILITHIUM5AES_AVX2_poly_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM5AES_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1); - PQCLEAN_DILITHIUM5AES_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); + PQCLEAN_DILITHIUM5AES_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); } - /* Compute CRH(rho, t1) and store in secret key */ - crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and store in secret key */ + shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES); return 0; } @@ -117,7 +117,7 @@ int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { **************************************************/ int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { unsigned int i, n, pos; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint8_t hintbuf[N]; uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; @@ -133,20 +133,20 @@ int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *sigle rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM5AES_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM5AES_AVX2_polyvec_matrix_expand(mat, rho); @@ -297,10 +297,10 @@ int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t sig return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium5aes/avx2/symmetric.h b/crypto_sign/dilithium5aes/avx2/symmetric.h index 4de47619..c2b9cf4f 100644 --- a/crypto_sign/dilithium5aes/avx2/symmetric.h +++ b/crypto_sign/dilithium5aes/avx2/symmetric.h @@ -13,7 +13,6 @@ typedef aes256ctr_ctx stream256_state; #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) #define stream128_release(STATE) diff --git a/crypto_sign/dilithium5aes/clean/api.h b/crypto_sign/dilithium5aes/clean/api.h index fe7baff2..a4bf0ce6 100644 --- a/crypto_sign/dilithium5aes/clean/api.h +++ b/crypto_sign/dilithium5aes/clean/api.h @@ -5,7 +5,7 @@ #include #define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES 2592 -#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES 4880 +#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES 4864 #define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES 4595 #define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_ALGNAME "Dilithium5-AES" diff --git a/crypto_sign/dilithium5aes/clean/packing.c b/crypto_sign/dilithium5aes/clean/packing.c index a3b2ffa3..ab6f31d8 100644 --- a/crypto_sign/dilithium5aes/clean/packing.c +++ b/crypto_sign/dilithium5aes/clean/packing.c @@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM5AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], **************************************************/ void PQCLEAN_DILITHIUM5AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM5AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_CLEAN_ } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { sk[i] = tr[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); @@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM5AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_CLEAN_ * - uint8_t sk[]: byte array containing bit-packed sk **************************************************/ void PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, @@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], } sk += SEEDBYTES; - for (i = 0; i < CRHBYTES; ++i) { + for (i = 0; i < SEEDBYTES; ++i) { tr[i] = sk[i]; } - sk += CRHBYTES; + sk += SEEDBYTES; for (i = 0; i < L; ++i) { PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); diff --git a/crypto_sign/dilithium5aes/clean/packing.h b/crypto_sign/dilithium5aes/clean/packing.h index 4bca683f..e410fdf1 100644 --- a/crypto_sign/dilithium5aes/clean/packing.h +++ b/crypto_sign/dilithium5aes/clean/packing.h @@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM5AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM5AES_CLEAN_ void PQCLEAN_DILITHIUM5AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES], const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], + const uint8_t tr[SEEDBYTES], const uint8_t key[SEEDBYTES], const polyveck *t0, const polyvecl *s1, @@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM5AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM5AES_CLEA void PQCLEAN_DILITHIUM5AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES]); void PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], + uint8_t tr[SEEDBYTES], uint8_t key[SEEDBYTES], polyveck *t0, polyvecl *s1, diff --git a/crypto_sign/dilithium5aes/clean/params.h b/crypto_sign/dilithium5aes/clean/params.h index b8f9630e..aa01c2bc 100644 --- a/crypto_sign/dilithium5aes/clean/params.h +++ b/crypto_sign/dilithium5aes/clean/params.h @@ -4,7 +4,7 @@ #define SEEDBYTES 32 -#define CRHBYTES 48 +#define CRHBYTES 64 #define N 256 #define Q 8380417 #define D 13 @@ -32,7 +32,7 @@ #define POLYETA_PACKEDBYTES 96 #define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ +#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \ + L*POLYETA_PACKEDBYTES \ + K*POLYETA_PACKEDBYTES \ + K*POLYT0_PACKEDBYTES) diff --git a/crypto_sign/dilithium5aes/clean/poly.c b/crypto_sign/dilithium5aes/clean/poly.c index ce01b21c..5b1199f0 100644 --- a/crypto_sign/dilithium5aes/clean/poly.c +++ b/crypto_sign/dilithium5aes/clean/poly.c @@ -438,28 +438,28 @@ static unsigned int rej_eta(int32_t *a, * output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). * * Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES +* - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) +#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES) void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int ctr; - unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES]; - stream128_state state; + unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES; + uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES]; + stream256_state state; - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); + stream256_init(&state, seed, nonce); + stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); ctr = rej_eta(a->coeffs, N, buf, buflen); while (ctr < N) { - stream128_squeezeblocks(buf, 1, &state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); + stream256_squeezeblocks(buf, 1, &state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES); } - stream128_release(&state); + stream256_release(&state); } /************************************************* diff --git a/crypto_sign/dilithium5aes/clean/poly.h b/crypto_sign/dilithium5aes/clean/poly.h index e3055748..5233405f 100644 --- a/crypto_sign/dilithium5aes/clean/poly.h +++ b/crypto_sign/dilithium5aes/clean/poly.h @@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], + const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], diff --git a/crypto_sign/dilithium5aes/clean/polyvec.c b/crypto_sign/dilithium5aes/clean/polyvec.c index 06609473..6a572834 100644 --- a/crypto_sign/dilithium5aes/clean/polyvec.c +++ b/crypto_sign/dilithium5aes/clean/polyvec.c @@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t /************ Vectors of polynomials of length L **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < L; ++i) { @@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t boun /************ Vectors of polynomials of length K **************/ /**************************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { +void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { unsigned int i; for (i = 0; i < K; ++i) { diff --git a/crypto_sign/dilithium5aes/clean/polyvec.h b/crypto_sign/dilithium5aes/clean/polyvec.h index 139a99ca..385bef23 100644 --- a/crypto_sign/dilithium5aes/clean/polyvec.h +++ b/crypto_sign/dilithium5aes/clean/polyvec.h @@ -9,7 +9,7 @@ typedef struct { poly vec[L]; } polyvecl; -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); @@ -36,7 +36,7 @@ typedef struct { poly vec[K]; } polyveck; -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce); void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce(polyveck *v); void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_caddq(polyveck *v); diff --git a/crypto_sign/dilithium5aes/clean/sign.c b/crypto_sign/dilithium5aes/clean/sign.c index 3ce07c18..ab52441b 100644 --- a/crypto_sign/dilithium5aes/clean/sign.c +++ b/crypto_sign/dilithium5aes/clean/sign.c @@ -21,8 +21,8 @@ * Returns 0 (success) **************************************************/ int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seedbuf[3 * SEEDBYTES]; - uint8_t tr[CRHBYTES]; + uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES]; + uint8_t tr[SEEDBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl mat[K]; polyvecl s1, s1hat; @@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); + shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; + rhoprime = rho + SEEDBYTES; + key = rhoprime + CRHBYTES; /* Expand matrix */ PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_expand(mat, rho); @@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_power2round(&t1, &t0, &t1); PQCLEAN_DILITHIUM5AES_CLEAN_pack_pk(pk, rho, &t1); - /* Compute CRH(rho, t1) and write secret key */ - crh(tr, pk, PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute H(rho, t1) and write secret key */ + shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES); PQCLEAN_DILITHIUM5AES_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2); return 0; @@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_signature(uint8_t *sig, size_t mlen, const uint8_t *sk) { unsigned int n; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; + uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; polyvecl mat[K], s1, y, z; @@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_signature(uint8_t *sig, rho = seedbuf; tr = rho + SEEDBYTES; - key = tr + CRHBYTES; + key = tr + SEEDBYTES; mu = key + SEEDBYTES; rhoprime = mu + CRHBYTES; PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute CRH(tr, msg) */ shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); + shake256_inc_absorb(&state, tr, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); shake256_inc_ctx_release(&state); - crh(rhoprime, key, SEEDBYTES + CRHBYTES); + shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES); /* Expand matrix and transform vectors */ PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_expand(mat, rho); @@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_verify(const uint8_t *sig, return -1; } - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES); + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, SEEDBYTES); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); diff --git a/crypto_sign/dilithium5aes/clean/symmetric.h b/crypto_sign/dilithium5aes/clean/symmetric.h index 8799e987..a5dffa77 100644 --- a/crypto_sign/dilithium5aes/clean/symmetric.h +++ b/crypto_sign/dilithium5aes/clean/symmetric.h @@ -17,7 +17,6 @@ void PQCLEAN_DILITHIUM5AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state, #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) \ PQCLEAN_DILITHIUM5AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ diff --git a/test/duplicate_consistency/dilithium2_avx2.yml b/test/duplicate_consistency/dilithium2_avx2.yml index 8b459d35..deb9d15c 100644 --- a/test/duplicate_consistency/dilithium2_avx2.yml +++ b/test/duplicate_consistency/dilithium2_avx2.yml @@ -7,7 +7,6 @@ consistency_checks: - packing.h - params.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -38,7 +37,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -86,7 +84,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: diff --git a/test/duplicate_consistency/dilithium2_clean.yml b/test/duplicate_consistency/dilithium2_clean.yml index dc8c6f1e..4002c66d 100644 --- a/test/duplicate_consistency/dilithium2_clean.yml +++ b/test/duplicate_consistency/dilithium2_clean.yml @@ -7,7 +7,6 @@ consistency_checks: - packing.h - params.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -59,7 +58,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -109,7 +107,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: diff --git a/test/duplicate_consistency/dilithium3_avx2.yml b/test/duplicate_consistency/dilithium3_avx2.yml index 6d7de84d..6f97fad9 100644 --- a/test/duplicate_consistency/dilithium3_avx2.yml +++ b/test/duplicate_consistency/dilithium3_avx2.yml @@ -5,7 +5,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -55,7 +54,6 @@ consistency_checks: - packing.h - params.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -86,7 +84,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: diff --git a/test/duplicate_consistency/dilithium3_clean.yml b/test/duplicate_consistency/dilithium3_clean.yml index 9c3f97a3..ee8161f7 100644 --- a/test/duplicate_consistency/dilithium3_clean.yml +++ b/test/duplicate_consistency/dilithium3_clean.yml @@ -23,7 +23,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -57,7 +56,6 @@ consistency_checks: - packing.h - params.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -110,7 +108,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: diff --git a/test/duplicate_consistency/dilithium5_avx2.yml b/test/duplicate_consistency/dilithium5_avx2.yml index f050e1b1..1e1b97a0 100644 --- a/test/duplicate_consistency/dilithium5_avx2.yml +++ b/test/duplicate_consistency/dilithium5_avx2.yml @@ -5,7 +5,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -56,7 +55,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -108,7 +106,6 @@ consistency_checks: - packing.h - params.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: diff --git a/test/duplicate_consistency/dilithium5_clean.yml b/test/duplicate_consistency/dilithium5_clean.yml index a9a5366e..5b6ec8c6 100644 --- a/test/duplicate_consistency/dilithium5_clean.yml +++ b/test/duplicate_consistency/dilithium5_clean.yml @@ -23,7 +23,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -74,7 +73,6 @@ consistency_checks: files: - packing.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: @@ -109,7 +107,6 @@ consistency_checks: - packing.h - params.h - sign.h - - symmetric.h - packing.c - symmetric-shake.c - source: From 52851284abfec5275602ca6a84bd2cbbf5de1651 Mon Sep 17 00:00:00 2001 From: "John M. Schanck" Date: Tue, 9 Feb 2021 11:07:00 -0500 Subject: [PATCH 2/2] dilithium/fips202x4: align _mm_storel_pd result using double on stack --- crypto_sign/dilithium2/avx2/fips202x4.c | 13 +++++++++---- crypto_sign/dilithium3/avx2/fips202x4.c | 13 +++++++++---- crypto_sign/dilithium5/avx2/fips202x4.c | 13 +++++++++---- 3 files changed, 27 insertions(+), 12 deletions(-) diff --git a/crypto_sign/dilithium2/avx2/fips202x4.c b/crypto_sign/dilithium2/avx2/fips202x4.c index 53e72945..f923a043 100644 --- a/crypto_sign/dilithium2/avx2/fips202x4.c +++ b/crypto_sign/dilithium2/avx2/fips202x4.c @@ -91,17 +91,22 @@ static void keccakx4_squeezeblocks(uint8_t *out0, unsigned int r, __m256i s[25]) { unsigned int i; + double temp0, temp1; __m128d t; while (nblocks > 0) { PQCLEAN_DILITHIUM2_AVX2_f1600x4(s, KeccakF_RoundConstants); for (i = 0; i < r / 8; ++i) { t = _mm_castsi128_pd(_mm256_castsi256_si128(s[i])); - _mm_storel_pd((double *)&out0[8 * i], t); - _mm_storeh_pd((double *)&out1[8 * i], t); + _mm_storel_pd(&temp0, t); + _mm_storeh_pd(&temp1, t); + memmove(&out0[8 * i], &temp0, sizeof(double)); + memmove(&out1[8 * i], &temp1, sizeof(double)); t = _mm_castsi128_pd(_mm256_extracti128_si256(s[i], 1)); - _mm_storel_pd((double *)&out2[8 * i], t); - _mm_storeh_pd((double *)&out3[8 * i], t); + _mm_storel_pd(&temp0, t); + _mm_storeh_pd(&temp1, t); + memmove(&out2[8 * i], &temp0, sizeof(double)); + memmove(&out3[8 * i], &temp1, sizeof(double)); } out0 += r; diff --git a/crypto_sign/dilithium3/avx2/fips202x4.c b/crypto_sign/dilithium3/avx2/fips202x4.c index bb4a3767..1f9eda81 100644 --- a/crypto_sign/dilithium3/avx2/fips202x4.c +++ b/crypto_sign/dilithium3/avx2/fips202x4.c @@ -91,17 +91,22 @@ static void keccakx4_squeezeblocks(uint8_t *out0, unsigned int r, __m256i s[25]) { unsigned int i; + double temp0, temp1; __m128d t; while (nblocks > 0) { PQCLEAN_DILITHIUM3_AVX2_f1600x4(s, KeccakF_RoundConstants); for (i = 0; i < r / 8; ++i) { t = _mm_castsi128_pd(_mm256_castsi256_si128(s[i])); - _mm_storel_pd((double *)&out0[8 * i], t); - _mm_storeh_pd((double *)&out1[8 * i], t); + _mm_storel_pd(&temp0, t); + _mm_storeh_pd(&temp1, t); + memmove(&out0[8 * i], &temp0, sizeof(double)); + memmove(&out1[8 * i], &temp1, sizeof(double)); t = _mm_castsi128_pd(_mm256_extracti128_si256(s[i], 1)); - _mm_storel_pd((double *)&out2[8 * i], t); - _mm_storeh_pd((double *)&out3[8 * i], t); + _mm_storel_pd(&temp0, t); + _mm_storeh_pd(&temp1, t); + memmove(&out2[8 * i], &temp0, sizeof(double)); + memmove(&out3[8 * i], &temp1, sizeof(double)); } out0 += r; diff --git a/crypto_sign/dilithium5/avx2/fips202x4.c b/crypto_sign/dilithium5/avx2/fips202x4.c index 6636b507..89abef7b 100644 --- a/crypto_sign/dilithium5/avx2/fips202x4.c +++ b/crypto_sign/dilithium5/avx2/fips202x4.c @@ -91,17 +91,22 @@ static void keccakx4_squeezeblocks(uint8_t *out0, unsigned int r, __m256i s[25]) { unsigned int i; + double temp0, temp1; __m128d t; while (nblocks > 0) { PQCLEAN_DILITHIUM5_AVX2_f1600x4(s, KeccakF_RoundConstants); for (i = 0; i < r / 8; ++i) { t = _mm_castsi128_pd(_mm256_castsi256_si128(s[i])); - _mm_storel_pd((double *)&out0[8 * i], t); - _mm_storeh_pd((double *)&out1[8 * i], t); + _mm_storel_pd(&temp0, t); + _mm_storeh_pd(&temp1, t); + memmove(&out0[8 * i], &temp0, sizeof(double)); + memmove(&out1[8 * i], &temp1, sizeof(double)); t = _mm_castsi128_pd(_mm256_extracti128_si256(s[i], 1)); - _mm_storel_pd((double *)&out2[8 * i], t); - _mm_storeh_pd((double *)&out3[8 * i], t); + _mm_storel_pd(&temp0, t); + _mm_storeh_pd(&temp1, t); + memmove(&out2[8 * i], &temp0, sizeof(double)); + memmove(&out3[8 * i], &temp1, sizeof(double)); } out0 += r;