Merge pull request #373 from jschanck/dilithium

Pull Dilithium changes from upstream

crypto_sign/dilithium2/META.yml

@@ -2,10 +2,10 @@ name: Dilithium2
 type: signature
 claimed-nist-level: 2
 length-public-key: 1312
-length-secret-key: 2544
+length-secret-key: 2528
 length-signature: 2420
-nistkat-sha256: 9c636528bf81c03df6ad8f9471cb1b4d9097d66af825d4f60b7ff0d941ca4d37
-testvectors-sha256: 166fc2481358d5a1b7a528b30af36ad069b049b5755cf63b843ce0f25f35aeb6
+nistkat-sha256: faa8998108fa541309c9df5044018c5d26cc23654594bef639dd64b838646cbd
+testvectors-sha256: 84f3da742881007e3d1d29c7390c7d707261ab8b20068a22b728e38e2fbac94b
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:
@@ -17,9 +17,9 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
     - name: clean
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
     - name: avx2
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
       supported_platforms:
         - architecture: x86_64
           operating_systems:

crypto_sign/dilithium2/avx2/api.h

@@ -5,7 +5,7 @@
 #include <stdint.h>
 
 #define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES 1312
-#define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES 2544
+#define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES 2528
 #define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_BYTES 2420
 #define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_ALGNAME "Dilithium2"
 

crypto_sign/dilithium2/avx2/fips202x4.c

@@ -91,17 +91,22 @@ static void keccakx4_squeezeblocks(uint8_t *out0,
                                    unsigned int r,
                                    __m256i s[25]) {
     unsigned int i;
+    double temp0, temp1;
     __m128d t;
 
     while (nblocks > 0) {
         PQCLEAN_DILITHIUM2_AVX2_f1600x4(s, KeccakF_RoundConstants);
         for (i = 0; i < r / 8; ++i) {
             t = _mm_castsi128_pd(_mm256_castsi256_si128(s[i]));
-            _mm_storel_pd((double *)&out0[8 * i], t);
-            _mm_storeh_pd((double *)&out1[8 * i], t);
+            _mm_storel_pd(&temp0, t);
+            _mm_storeh_pd(&temp1, t);
+            memmove(&out0[8 * i], &temp0, sizeof(double));
+            memmove(&out1[8 * i], &temp1, sizeof(double));
             t = _mm_castsi128_pd(_mm256_extracti128_si256(s[i], 1));
-            _mm_storel_pd((double *)&out2[8 * i], t);
-            _mm_storeh_pd((double *)&out3[8 * i], t);
+            _mm_storel_pd(&temp0, t);
+            _mm_storeh_pd(&temp1, t);
+            memmove(&out2[8 * i], &temp0, sizeof(double));
+            memmove(&out3[8 * i], &temp1, sizeof(double));
         }
 
         out0 += r;

crypto_sign/dilithium2/avx2/packing.c

@@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM2_AVX2_unpack_pk(uint8_t rho[SEEDBYTES],
 **************************************************/
 void PQCLEAN_DILITHIUM2_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES],
                                      const uint8_t rho[SEEDBYTES],
-                                     const uint8_t tr[CRHBYTES],
+                                     const uint8_t tr[SEEDBYTES],
                                      const uint8_t key[SEEDBYTES],
                                      const polyveck *t0,
                                      const polyvecl *s1,
@@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM2_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_S
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         sk[i] = tr[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM2_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_S
 *              - uint8_t sk[]: byte array containing bit-packed sk
 **************************************************/
 void PQCLEAN_DILITHIUM2_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-                                       uint8_t tr[CRHBYTES],
+                                       uint8_t tr[SEEDBYTES],
                                        uint8_t key[SEEDBYTES],
                                        polyveck *t0,
                                        polyvecl *s1,
@@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM2_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         tr[i] = sk[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM2_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);

crypto_sign/dilithium2/avx2/packing.h

@@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM2_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_P
 
 void PQCLEAN_DILITHIUM2_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES],
                                      const uint8_t rho[SEEDBYTES],
-                                     const uint8_t tr[CRHBYTES],
+                                     const uint8_t tr[SEEDBYTES],
                                      const uint8_t key[SEEDBYTES],
                                      const polyveck *t0,
                                      const polyvecl *s1,
@@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM2_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2_AVX2_CRYPTO
 void PQCLEAN_DILITHIUM2_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES]);
 
 void PQCLEAN_DILITHIUM2_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-                                       uint8_t tr[CRHBYTES],
+                                       uint8_t tr[SEEDBYTES],
                                        uint8_t key[SEEDBYTES],
                                        polyveck *t0,
                                        polyvecl *s1,

crypto_sign/dilithium2/avx2/params.h

@@ -4,7 +4,7 @@
 
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13
@@ -32,7 +32,7 @@
 #define POLYETA_PACKEDBYTES  96
 
 #define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
+#define PQCLEAN_DILITHIUM2_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
         + L*POLYETA_PACKEDBYTES \
         + K*POLYETA_PACKEDBYTES \
         + K*POLYT0_PACKEDBYTES)

crypto_sign/dilithium2/avx2/poly.c

@@ -507,34 +507,34 @@ static unsigned int rej_eta(int32_t *a,
 *              or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length  SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) {
+void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) {
     unsigned int ctr;
-    ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf;
+    ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
 
-    stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
+    stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
     ctr = PQCLEAN_DILITHIUM2_AVX2_rej_eta_avx(a->coeffs, buf.coeffs);
 
     while (ctr < N) {
-        stream128_squeezeblocks(buf.coeffs, 1, state);
-        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
+        stream256_squeezeblocks(buf.coeffs, 1, state);
+        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES);
     }
 }
 
-void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
-    stream128_state state;
-    stream128_init(&state, seed, nonce);
+void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) {
+    stream256_state state;
+    stream256_init(&state, seed, nonce);
     PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(a, &state);
-    stream128_release(&state);
+    stream256_release(&state);
 }
 
 void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_4x(poly *a0,
         poly *a1,
         poly *a2,
         poly *a3,
-        const uint8_t seed[32],
+        const uint8_t seed[64],
         uint16_t nonce0,
         uint16_t nonce1,
         uint16_t nonce2,
@@ -545,23 +545,28 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_4x(poly *a0,
     __m256i f;
     keccakx4_state state;
 
-    f = _mm256_loadu_si256((__m256i *)seed);
-    _mm256_store_si256(buf[0].vec, f);
-    _mm256_store_si256(buf[1].vec, f);
-    _mm256_store_si256(buf[2].vec, f);
-    _mm256_store_si256(buf[3].vec, f);
-
-    buf[0].coeffs[SEEDBYTES + 0] = nonce0;
-    buf[0].coeffs[SEEDBYTES + 1] = nonce0 >> 8;
-    buf[1].coeffs[SEEDBYTES + 0] = nonce1;
-    buf[1].coeffs[SEEDBYTES + 1] = nonce1 >> 8;
-    buf[2].coeffs[SEEDBYTES + 0] = nonce2;
-    buf[2].coeffs[SEEDBYTES + 1] = nonce2 >> 8;
-    buf[3].coeffs[SEEDBYTES + 0] = nonce3;
-    buf[3].coeffs[SEEDBYTES + 1] = nonce3 >> 8;
-
-    PQCLEAN_DILITHIUM2_AVX2_shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
-    PQCLEAN_DILITHIUM2_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
+    f = _mm256_loadu_si256((__m256i *)&seed[0]);
+    _mm256_store_si256(&buf[0].vec[0], f);
+    _mm256_store_si256(&buf[1].vec[0], f);
+    _mm256_store_si256(&buf[2].vec[0], f);
+    _mm256_store_si256(&buf[3].vec[0], f);
+    f = _mm256_loadu_si256((__m256i *)&seed[32]);
+    _mm256_store_si256(&buf[0].vec[1], f);
+    _mm256_store_si256(&buf[1].vec[1], f);
+    _mm256_store_si256(&buf[2].vec[1], f);
+    _mm256_store_si256(&buf[3].vec[1], f);
+
+    buf[0].coeffs[64] = nonce0;
+    buf[0].coeffs[65] = nonce0 >> 8;
+    buf[1].coeffs[64] = nonce1;
+    buf[1].coeffs[65] = nonce1 >> 8;
+    buf[2].coeffs[64] = nonce2;
+    buf[2].coeffs[65] = nonce2 >> 8;
+    buf[3].coeffs[64] = nonce3;
+    buf[3].coeffs[65] = nonce3 >> 8;
+
+    PQCLEAN_DILITHIUM2_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
+    PQCLEAN_DILITHIUM2_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
 
     ctr0 = PQCLEAN_DILITHIUM2_AVX2_rej_eta_avx(a0->coeffs, buf[0].coeffs);
     ctr1 = PQCLEAN_DILITHIUM2_AVX2_rej_eta_avx(a1->coeffs, buf[1].coeffs);
@@ -569,12 +574,12 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_4x(poly *a0,
     ctr3 = PQCLEAN_DILITHIUM2_AVX2_rej_eta_avx(a3->coeffs, buf[3].coeffs);
 
     while (ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
-        PQCLEAN_DILITHIUM2_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
+        PQCLEAN_DILITHIUM2_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
 
-        ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE);
-        ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE);
-        ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
-        ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
+        ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE);
+        ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE);
+        ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
+        ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
     }
 }
 
@@ -608,7 +613,7 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1_4x(poly *a0,
         poly *a1,
         poly *a2,
         poly *a3,
-        const uint8_t seed[48],
+        const uint8_t seed[64],
         uint16_t nonce0,
         uint16_t nonce1,
         uint16_t nonce2,
@@ -616,29 +621,28 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1_4x(poly *a0,
     ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES + 14) buf[4];
     keccakx4_state state;
     __m256i f;
-    __m128i g;
 
-    f = _mm256_loadu_si256((__m256i *)seed);
-    _mm256_store_si256(buf[0].vec, f);
-    _mm256_store_si256(buf[1].vec, f);
-    _mm256_store_si256(buf[2].vec, f);
-    _mm256_store_si256(buf[3].vec, f);
-    g = _mm_loadu_si128((__m128i *)&seed[32]);
-    _mm_store_si128((__m128i *)&buf[0].vec[1], g);
-    _mm_store_si128((__m128i *)&buf[1].vec[1], g);
-    _mm_store_si128((__m128i *)&buf[2].vec[1], g);
-    _mm_store_si128((__m128i *)&buf[3].vec[1], g);
-
-    buf[0].coeffs[CRHBYTES + 0] = nonce0;
-    buf[0].coeffs[CRHBYTES + 1] = nonce0 >> 8;
-    buf[1].coeffs[CRHBYTES + 0] = nonce1;
-    buf[1].coeffs[CRHBYTES + 1] = nonce1 >> 8;
-    buf[2].coeffs[CRHBYTES + 0] = nonce2;
-    buf[2].coeffs[CRHBYTES + 1] = nonce2 >> 8;
-    buf[3].coeffs[CRHBYTES + 0] = nonce3;
-    buf[3].coeffs[CRHBYTES + 1] = nonce3 >> 8;
-
-    PQCLEAN_DILITHIUM2_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, CRHBYTES + 2);
+    f = _mm256_loadu_si256((__m256i *)&seed[0]);
+    _mm256_store_si256(&buf[0].vec[0], f);
+    _mm256_store_si256(&buf[1].vec[0], f);
+    _mm256_store_si256(&buf[2].vec[0], f);
+    _mm256_store_si256(&buf[3].vec[0], f);
+    f = _mm256_loadu_si256((__m256i *)&seed[32]);
+    _mm256_store_si256(&buf[0].vec[1], f);
+    _mm256_store_si256(&buf[1].vec[1], f);
+    _mm256_store_si256(&buf[2].vec[1], f);
+    _mm256_store_si256(&buf[3].vec[1], f);
+
+    buf[0].coeffs[64] = nonce0;
+    buf[0].coeffs[65] = nonce0 >> 8;
+    buf[1].coeffs[64] = nonce1;
+    buf[1].coeffs[65] = nonce1 >> 8;
+    buf[2].coeffs[64] = nonce2;
+    buf[2].coeffs[65] = nonce2 >> 8;
+    buf[3].coeffs[64] = nonce3;
+    buf[3].coeffs[65] = nonce3 >> 8;
+
+    PQCLEAN_DILITHIUM2_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
     PQCLEAN_DILITHIUM2_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
 
     PQCLEAN_DILITHIUM2_AVX2_polyz_unpack(a0, buf[0].coeffs);

crypto_sign/dilithium2/avx2/poly.h

@@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h
 int PQCLEAN_DILITHIUM2_AVX2_poly_chknorm(const poly *a, int32_t B);
 void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_preinit(poly *a, stream128_state *state);
 void PQCLEAN_DILITHIUM2_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state);
+void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
 void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM2_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
@@ -47,7 +47,7 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_4x(poly *a0,
         poly *a1,
         poly *a2,
         poly *a3,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce0,
         uint16_t nonce1,
         uint16_t nonce2,

crypto_sign/dilithium2/avx2/polyvec.c

@@ -74,7 +74,7 @@ void PQCLEAN_DILITHIUM2_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, co
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -82,7 +82,7 @@ void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t see
     }
 }
 
-void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -207,7 +207,7 @@ int PQCLEAN_DILITHIUM2_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound)
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM2_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < K; ++i) {

crypto_sign/dilithium2/avx2/polyvec.h

@@ -9,9 +9,9 @@ typedef struct {
     poly vec[L];
 } polyvecl;
 
-void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
-void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM2_AVX2_polyvecl_reduce(polyvecl *v);
 
@@ -33,7 +33,7 @@ typedef struct {
     poly vec[K];
 } polyveck;
 
-void PQCLEAN_DILITHIUM2_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM2_AVX2_polyveck_reduce(polyveck *v);
 void PQCLEAN_DILITHIUM2_AVX2_polyveck_caddq(polyveck *v);

crypto_sign/dilithium2/avx2/rejsample.h

@@ -7,8 +7,8 @@
 #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
 #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
 
-#define REJ_UNIFORM_ETA_NBLOCKS ((137+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES)
 
 extern const uint8_t PQCLEAN_DILITHIUM2_AVX2_idxlut[256][8];
 

crypto_sign/dilithium2/avx2/sign.c

@@ -45,7 +45,7 @@ static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], co
 **************************************************/
 int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
     unsigned int i;
-    uint8_t seedbuf[3 * SEEDBYTES];
+    uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
     const uint8_t *rho, *rhoprime, *key;
     polyvecl rowbuf[2];
     polyvecl s1, *row = rowbuf;
@@ -54,10 +54,10 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Get randomness for rho, rhoprime and key */
     randombytes(seedbuf, SEEDBYTES);
-    shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES);
+    shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
     rho = seedbuf;
-    rhoprime = seedbuf + SEEDBYTES;
-    key = seedbuf + 2 * SEEDBYTES;
+    rhoprime = rho + SEEDBYTES;
+    key = rhoprime + CRHBYTES;
 
     /* Store rho, key */
     memcpy(pk, rho, SEEDBYTES);
@@ -70,10 +70,10 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Pack secret vectors */
     for (i = 0; i < L; i++) {
-        PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]);
+        PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]);
     }
     for (i = 0; i < K; i++) {
-        PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
+        PQCLEAN_DILITHIUM2_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
     }
 
     /* Transform s1 */
@@ -95,11 +95,11 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
         PQCLEAN_DILITHIUM2_AVX2_poly_caddq(&t1);
         PQCLEAN_DILITHIUM2_AVX2_poly_power2round(&t1, &t0, &t1);
         PQCLEAN_DILITHIUM2_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1);
-        PQCLEAN_DILITHIUM2_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0);
+        PQCLEAN_DILITHIUM2_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0);
     }
 
-    /* Compute CRH(rho, t1) and store in secret key */
-    crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES);
+    /* Compute H(rho, t1) and store in secret key */
+    shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES);
 
     return 0;
 }
@@ -119,7 +119,7 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 **************************************************/
 int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
     unsigned int i, n, pos;
-    uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES];
+    uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
     uint8_t *rho, *tr, *key, *mu, *rhoprime;
     uint8_t hintbuf[N];
     uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES;
@@ -135,20 +135,20 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen,
 
     rho = seedbuf;
     tr = rho + SEEDBYTES;
-    key = tr + CRHBYTES;
+    key = tr + SEEDBYTES;
     mu = key + SEEDBYTES;
     rhoprime = mu + CRHBYTES;
     PQCLEAN_DILITHIUM2_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
 
     /* Compute CRH(tr, msg) */
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, tr, CRHBYTES);
+    shake256_inc_absorb(&state, tr, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
     shake256_inc_ctx_release(&state);
 
-    crh(rhoprime, key, SEEDBYTES + CRHBYTES);
+    shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
 
     /* Expand matrix and transform vectors */
     PQCLEAN_DILITHIUM2_AVX2_polyvec_matrix_expand(mat, rho);
@@ -293,10 +293,10 @@ int PQCLEAN_DILITHIUM2_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen
         return -1;
     }
 
-    /* Compute CRH(CRH(rho, t1), msg) */
-    crh(mu, pk, PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES);
+    /* Compute CRH(H(rho, t1), msg) */
+    shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM2_AVX2_CRYPTO_PUBLICKEYBYTES);
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu, CRHBYTES);
+    shake256_inc_absorb(&state, mu, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);

crypto_sign/dilithium2/avx2/symmetric.h

@@ -9,27 +9,18 @@
 typedef shake128incctx stream128_state;
 typedef shake256incctx stream256_state;
 
-void PQCLEAN_DILITHIUM2_AVX2_dilithium_shake128_stream_init(shake128incctx *state,
-        const uint8_t seed[SEEDBYTES],
-        uint16_t nonce);
+void PQCLEAN_DILITHIUM2_AVX2_dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
 
-void PQCLEAN_DILITHIUM2_AVX2_dilithium_shake256_stream_init(shake256incctx *state,
-        const uint8_t seed[CRHBYTES],
-        uint16_t nonce);
+void PQCLEAN_DILITHIUM2_AVX2_dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 #define STREAM128_BLOCKBYTES SHAKE128_RATE
 #define STREAM256_BLOCKBYTES SHAKE256_RATE
 
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
-#define stream128_init(STATE, SEED, NONCE) \
-    PQCLEAN_DILITHIUM2_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-    shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE)
+#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE)
+#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE)
 #define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
-    PQCLEAN_DILITHIUM2_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-    shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE)
+#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE)
+#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE)
 #define stream256_release(STATE) shake256_inc_ctx_release(STATE)
 
 

crypto_sign/dilithium2/clean/api.h

@@ -5,7 +5,7 @@
 #include <stdint.h>
 
 #define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES 1312
-#define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES 2544
+#define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES 2528
 #define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_BYTES 2420
 #define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_ALGNAME "Dilithium2"
 

crypto_sign/dilithium2/clean/packing.c

@@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES],
 **************************************************/
 void PQCLEAN_DILITHIUM2_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES],
                                       const uint8_t rho[SEEDBYTES],
-                                      const uint8_t tr[CRHBYTES],
+                                      const uint8_t tr[SEEDBYTES],
                                       const uint8_t key[SEEDBYTES],
                                       const polyveck *t0,
                                       const polyvecl *s1,
@@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM2_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         sk[i] = tr[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM2_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO
 *              - uint8_t sk[]: byte array containing bit-packed sk
 **************************************************/
 void PQCLEAN_DILITHIUM2_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
-                                        uint8_t tr[CRHBYTES],
+                                        uint8_t tr[SEEDBYTES],
                                         uint8_t key[SEEDBYTES],
                                         polyveck *t0,
                                         polyvecl *s1,
@@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM2_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         tr[i] = sk[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM2_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);

crypto_sign/dilithium2/clean/packing.h

@@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO
 
 void PQCLEAN_DILITHIUM2_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES],
                                       const uint8_t rho[SEEDBYTES],
-                                      const uint8_t tr[CRHBYTES],
+                                      const uint8_t tr[SEEDBYTES],
                                       const uint8_t key[SEEDBYTES],
                                       const polyveck *t0,
                                       const polyvecl *s1,
@@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2_CLEAN_CRYP
 void PQCLEAN_DILITHIUM2_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES]);
 
 void PQCLEAN_DILITHIUM2_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
-                                        uint8_t tr[CRHBYTES],
+                                        uint8_t tr[SEEDBYTES],
                                         uint8_t key[SEEDBYTES],
                                         polyveck *t0,
                                         polyvecl *s1,

crypto_sign/dilithium2/clean/params.h

@@ -4,7 +4,7 @@
 
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13
@@ -32,7 +32,7 @@
 #define POLYETA_PACKEDBYTES  96
 
 #define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
+#define PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
         + L*POLYETA_PACKEDBYTES \
         + K*POLYETA_PACKEDBYTES \
         + K*POLYT0_PACKEDBYTES)

crypto_sign/dilithium2/clean/poly.c

@@ -438,28 +438,28 @@ static unsigned int rej_eta(int32_t *a,
 *              output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
+#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
 void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_eta(poly *a,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce) {
     unsigned int ctr;
-    unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES;
-    uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES];
-    stream128_state state;
+    unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
+    uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
+    stream256_state state;
 
-    stream128_init(&state, seed, nonce);
-    stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
+    stream256_init(&state, seed, nonce);
+    stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
 
     ctr = rej_eta(a->coeffs, N, buf, buflen);
 
     while (ctr < N) {
-        stream128_squeezeblocks(buf, 1, &state);
-        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES);
+        stream256_squeezeblocks(buf, 1, &state);
+        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
     }
-    stream128_release(&state);
+    stream256_release(&state);
 }
 
 /*************************************************

crypto_sign/dilithium2/clean/poly.h

@@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform(poly *a,
         const uint8_t seed[SEEDBYTES],
         uint16_t nonce);
 void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_eta(poly *a,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce);
 void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_gamma1(poly *a,
         const uint8_t seed[CRHBYTES],

crypto_sign/dilithium2/clean/polyvec.c

@@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, c
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM2_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t bound)
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM2_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < K; ++i) {

crypto_sign/dilithium2/clean/polyvec.h

@@ -9,7 +9,7 @@ typedef struct {
     poly vec[L];
 } polyvecl;
 
-void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM2_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
@@ -36,7 +36,7 @@ typedef struct {
     poly vec[K];
 } polyveck;
 
-void PQCLEAN_DILITHIUM2_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM2_CLEAN_polyveck_reduce(polyveck *v);
 void PQCLEAN_DILITHIUM2_CLEAN_polyveck_caddq(polyveck *v);

crypto_sign/dilithium2/clean/sign.c

@@ -21,8 +21,8 @@
 * Returns 0 (success)
 **************************************************/
 int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
-    uint8_t seedbuf[3 * SEEDBYTES];
-    uint8_t tr[CRHBYTES];
+    uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
+    uint8_t tr[SEEDBYTES];
     const uint8_t *rho, *rhoprime, *key;
     polyvecl mat[K];
     polyvecl s1, s1hat;
@@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Get randomness for rho, rhoprime and key */
     randombytes(seedbuf, SEEDBYTES);
-    shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES);
+    shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
     rho = seedbuf;
-    rhoprime = seedbuf + SEEDBYTES;
-    key = seedbuf + 2 * SEEDBYTES;
+    rhoprime = rho + SEEDBYTES;
+    key = rhoprime + CRHBYTES;
 
     /* Expand matrix */
     PQCLEAN_DILITHIUM2_CLEAN_polyvec_matrix_expand(mat, rho);
@@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
     PQCLEAN_DILITHIUM2_CLEAN_polyveck_power2round(&t1, &t0, &t1);
     PQCLEAN_DILITHIUM2_CLEAN_pack_pk(pk, rho, &t1);
 
-    /* Compute CRH(rho, t1) and write secret key */
-    crh(tr, pk, PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES);
+    /* Compute H(rho, t1) and write secret key */
+    shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES);
     PQCLEAN_DILITHIUM2_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
 
     return 0;
@@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_signature(uint8_t *sig,
         size_t mlen,
         const uint8_t *sk) {
     unsigned int n;
-    uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES];
+    uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
     uint8_t *rho, *tr, *key, *mu, *rhoprime;
     uint16_t nonce = 0;
     polyvecl mat[K], s1, y, z;
@@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_signature(uint8_t *sig,
 
     rho = seedbuf;
     tr = rho + SEEDBYTES;
-    key = tr + CRHBYTES;
+    key = tr + SEEDBYTES;
     mu = key + SEEDBYTES;
     rhoprime = mu + CRHBYTES;
     PQCLEAN_DILITHIUM2_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
 
     /* Compute CRH(tr, msg) */
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, tr, CRHBYTES);
+    shake256_inc_absorb(&state, tr, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
     shake256_inc_ctx_release(&state);
 
-    crh(rhoprime, key, SEEDBYTES + CRHBYTES);
+    shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
 
     /* Expand matrix and transform vectors */
     PQCLEAN_DILITHIUM2_CLEAN_polyvec_matrix_expand(mat, rho);
@@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM2_CLEAN_crypto_sign_verify(const uint8_t *sig,
         return -1;
     }
 
-    /* Compute CRH(CRH(rho, t1), msg) */
-    crh(mu, pk, PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES);
+    /* Compute CRH(H(rho, t1), msg) */
+    shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM2_CLEAN_CRYPTO_PUBLICKEYBYTES);
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu, CRHBYTES);
+    shake256_inc_absorb(&state, mu, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);

crypto_sign/dilithium2/clean/symmetric.h

@@ -20,7 +20,6 @@ void PQCLEAN_DILITHIUM2_CLEAN_dilithium_shake256_stream_init(shake256incctx *sta
 #define STREAM128_BLOCKBYTES SHAKE128_RATE
 #define STREAM256_BLOCKBYTES SHAKE256_RATE
 
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
 #define stream128_init(STATE, SEED, NONCE) \
     PQCLEAN_DILITHIUM2_CLEAN_dilithium_shake128_stream_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \

crypto_sign/dilithium2aes/META.yml

@@ -2,10 +2,10 @@ name: Dilithium2-AES
 type: signature
 claimed-nist-level: 2
 length-public-key: 1312
-length-secret-key: 2544
+length-secret-key: 2528
 length-signature: 2420
-nistkat-sha256: 23972a0a5f1f32781aa11fa57d9994ddd53c1bbcc732967f61d9d9aaef01c492
-testvectors-sha256: 22e68fe8bf781dee949a4297f9ba44d1c350a1d88bae03117cfb2ca494c6e604
+nistkat-sha256: 62569a8c8cf8781a60c88753dfa8806afac09e39f01df1bb6598ca29bac7f425
+testvectors-sha256: faea339481e765cefba110bfcf1abb81c98546bee2b9b63f2fbe63feed9886da
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:
@@ -17,9 +17,9 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
     - name: clean
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
     - name: avx2
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
       supported_platforms:
         - architecture: x86_64
           operating_systems:

crypto_sign/dilithium2aes/avx2/api.h

@@ -5,7 +5,7 @@
 #include <stdint.h>
 
 #define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES 1312
-#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES 2544
+#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES 2528
 #define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES 2420
 #define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_ALGNAME "Dilithium2-AES"
 

crypto_sign/dilithium2aes/avx2/packing.c

@@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES],
 **************************************************/
 void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES],
                                         const uint8_t rho[SEEDBYTES],
-                                        const uint8_t tr[CRHBYTES],
+                                        const uint8_t tr[SEEDBYTES],
                                         const uint8_t key[SEEDBYTES],
                                         const polyveck *t0,
                                         const polyvecl *s1,
@@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CR
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         sk[i] = tr[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CR
 *              - uint8_t sk[]: byte array containing bit-packed sk
 **************************************************/
 void PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-        uint8_t tr[CRHBYTES],
+        uint8_t tr[SEEDBYTES],
         uint8_t key[SEEDBYTES],
         polyveck *t0,
         polyvecl *s1,
@@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         tr[i] = sk[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM2AES_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);

crypto_sign/dilithium2aes/avx2/packing.h

@@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2AES_AVX2_CR
 
 void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES],
                                         const uint8_t rho[SEEDBYTES],
-                                        const uint8_t tr[CRHBYTES],
+                                        const uint8_t tr[SEEDBYTES],
                                         const uint8_t key[SEEDBYTES],
                                         const polyveck *t0,
                                         const polyvecl *s1,
@@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2AES_AVX2_
 void PQCLEAN_DILITHIUM2AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES]);
 
 void PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-        uint8_t tr[CRHBYTES],
+        uint8_t tr[SEEDBYTES],
         uint8_t key[SEEDBYTES],
         polyveck *t0,
         polyvecl *s1,

crypto_sign/dilithium2aes/avx2/params.h

@@ -4,7 +4,7 @@
 
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13
@@ -32,7 +32,7 @@
 #define POLYETA_PACKEDBYTES  96
 
 #define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
+#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
         + L*POLYETA_PACKEDBYTES \
         + K*POLYETA_PACKEDBYTES \
         + K*POLYT0_PACKEDBYTES)

crypto_sign/dilithium2aes/avx2/poly.c

@@ -460,27 +460,27 @@ static unsigned int rej_eta(int32_t *a,
 *              or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length  SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) {
+void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) {
     unsigned int ctr;
-    ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf;
+    ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
 
-    stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
+    stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
     ctr = PQCLEAN_DILITHIUM2AES_AVX2_rej_eta_avx(a->coeffs, buf.coeffs);
 
     while (ctr < N) {
-        stream128_squeezeblocks(buf.coeffs, 1, state);
-        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
+        stream256_squeezeblocks(buf.coeffs, 1, state);
+        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES);
     }
 }
 
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
-    stream128_state state;
-    stream128_init(&state, seed, nonce);
+void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) {
+    stream256_state state;
+    stream256_init(&state, seed, nonce);
     PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(a, &state);
-    stream128_release(&state);
+    stream256_release(&state);
 }
 
 

crypto_sign/dilithium2aes/avx2/poly.h

@@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM2AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly
 int PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm(const poly *a, int32_t B);
 void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state);
 void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state);
+void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
 void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM2AES_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);

crypto_sign/dilithium2aes/avx2/polyvec.c

@@ -49,7 +49,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t,
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -57,7 +57,7 @@ void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t
     }
 }
 
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -182,7 +182,7 @@ int PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < K; ++i) {

crypto_sign/dilithium2aes/avx2/polyvec.h

@@ -9,9 +9,9 @@ typedef struct {
     poly vec[L];
 } polyvecl;
 
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_reduce(polyvecl *v);
 
@@ -33,7 +33,7 @@ typedef struct {
     poly vec[K];
 } polyveck;
 
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_reduce(polyveck *v);
 void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_caddq(polyveck *v);

crypto_sign/dilithium2aes/avx2/rejsample.h

@@ -7,8 +7,8 @@
 #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
 #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
 
-#define REJ_UNIFORM_ETA_NBLOCKS ((137+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES)
 
 extern const uint8_t PQCLEAN_DILITHIUM2AES_AVX2_idxlut[256][8];
 

crypto_sign/dilithium2aes/avx2/sign.c

@@ -26,7 +26,7 @@
 **************************************************/
 int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
     unsigned int i;
-    uint8_t seedbuf[3 * SEEDBYTES];
+    uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
     const uint8_t *rho, *rhoprime, *key;
     uint64_t nonce;
     aes256ctr_ctx aesctx;
@@ -37,10 +37,10 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Get randomness for rho, rhoprime and key */
     randombytes(seedbuf, SEEDBYTES);
-    shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES);
+    shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
     rho = seedbuf;
-    rhoprime = seedbuf + SEEDBYTES;
-    key = seedbuf + 2 * SEEDBYTES;
+    rhoprime = rho + SEEDBYTES;
+    key = rhoprime + CRHBYTES;
 
     /* Store rho, key */
     memcpy(pk, rho, SEEDBYTES);
@@ -62,10 +62,10 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Pack secret vectors */
     for (i = 0; i < L; i++) {
-        PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]);
+        PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]);
     }
     for (i = 0; i < K; i++) {
-        PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
+        PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
     }
 
     /* Transform s1 */
@@ -93,11 +93,11 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
         PQCLEAN_DILITHIUM2AES_AVX2_poly_caddq(&t1);
         PQCLEAN_DILITHIUM2AES_AVX2_poly_power2round(&t1, &t0, &t1);
         PQCLEAN_DILITHIUM2AES_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1);
-        PQCLEAN_DILITHIUM2AES_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0);
+        PQCLEAN_DILITHIUM2AES_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0);
     }
 
-    /* Compute CRH(rho, t1) and store in secret key */
-    crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES);
+    /* Compute H(rho, t1) and store in secret key */
+    shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES);
 
     return 0;
 }
@@ -117,7 +117,7 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 **************************************************/
 int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
     unsigned int i, n, pos;
-    uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES];
+    uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
     uint8_t *rho, *tr, *key, *mu, *rhoprime;
     uint8_t hintbuf[N];
     uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES;
@@ -133,20 +133,20 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *sigle
 
     rho = seedbuf;
     tr = rho + SEEDBYTES;
-    key = tr + CRHBYTES;
+    key = tr + SEEDBYTES;
     mu = key + SEEDBYTES;
     rhoprime = mu + CRHBYTES;
     PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
 
     /* Compute CRH(tr, msg) */
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, tr, CRHBYTES);
+    shake256_inc_absorb(&state, tr, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
     shake256_inc_ctx_release(&state);
 
-    crh(rhoprime, key, SEEDBYTES + CRHBYTES);
+    shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
 
     /* Expand matrix and transform vectors */
     PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_expand(mat, rho);
@@ -297,10 +297,10 @@ int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t sig
         return -1;
     }
 
-    /* Compute CRH(CRH(rho, t1), msg) */
-    crh(mu, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES);
+    /* Compute CRH(H(rho, t1), msg) */
+    shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES);
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu, CRHBYTES);
+    shake256_inc_absorb(&state, mu, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);

crypto_sign/dilithium2aes/avx2/symmetric.h

@@ -13,7 +13,6 @@ typedef aes256ctr_ctx stream256_state;
 #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
 #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
 
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
 #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
 #define stream128_release(STATE)

crypto_sign/dilithium2aes/clean/api.h

@@ -5,7 +5,7 @@
 #include <stdint.h>
 
 #define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES 1312
-#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES 2544
+#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES 2528
 #define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES 2420
 #define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_ALGNAME "Dilithium2-AES"
 

crypto_sign/dilithium2aes/clean/packing.c

@@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES],
 **************************************************/
 void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES],
         const uint8_t rho[SEEDBYTES],
-        const uint8_t tr[CRHBYTES],
+        const uint8_t tr[SEEDBYTES],
         const uint8_t key[SEEDBYTES],
         const polyveck *t0,
         const polyvecl *s1,
@@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         sk[i] = tr[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_
 *              - uint8_t sk[]: byte array containing bit-packed sk
 **************************************************/
 void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
-        uint8_t tr[CRHBYTES],
+        uint8_t tr[SEEDBYTES],
         uint8_t key[SEEDBYTES],
         polyveck *t0,
         polyvecl *s1,
@@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         tr[i] = sk[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);

crypto_sign/dilithium2aes/clean/packing.h

@@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2AES_CLEAN_
 
 void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES],
         const uint8_t rho[SEEDBYTES],
-        const uint8_t tr[CRHBYTES],
+        const uint8_t tr[SEEDBYTES],
         const uint8_t key[SEEDBYTES],
         const polyveck *t0,
         const polyvecl *s1,
@@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2AES_CLEA
 void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES]);
 
 void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
-        uint8_t tr[CRHBYTES],
+        uint8_t tr[SEEDBYTES],
         uint8_t key[SEEDBYTES],
         polyveck *t0,
         polyvecl *s1,

crypto_sign/dilithium2aes/clean/params.h

@@ -4,7 +4,7 @@
 
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13
@@ -32,7 +32,7 @@
 #define POLYETA_PACKEDBYTES  96
 
 #define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
+#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
         + L*POLYETA_PACKEDBYTES \
         + K*POLYETA_PACKEDBYTES \
         + K*POLYT0_PACKEDBYTES)

crypto_sign/dilithium2aes/clean/poly.c

@@ -438,28 +438,28 @@ static unsigned int rej_eta(int32_t *a,
 *              output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
+#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
 void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_eta(poly *a,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce) {
     unsigned int ctr;
-    unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES;
-    uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES];
-    stream128_state state;
+    unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
+    uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
+    stream256_state state;
 
-    stream128_init(&state, seed, nonce);
-    stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
+    stream256_init(&state, seed, nonce);
+    stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
 
     ctr = rej_eta(a->coeffs, N, buf, buflen);
 
     while (ctr < N) {
-        stream128_squeezeblocks(buf, 1, &state);
-        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES);
+        stream256_squeezeblocks(buf, 1, &state);
+        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
     }
-    stream128_release(&state);
+    stream256_release(&state);
 }
 
 /*************************************************

crypto_sign/dilithium2aes/clean/poly.h

@@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform(poly *a,
         const uint8_t seed[SEEDBYTES],
         uint16_t nonce);
 void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_eta(poly *a,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce);
 void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_gamma1(poly *a,
         const uint8_t seed[CRHBYTES],

crypto_sign/dilithium2aes/clean/polyvec.c

@@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t boun
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < K; ++i) {

crypto_sign/dilithium2aes/clean/polyvec.h

@@ -9,7 +9,7 @@ typedef struct {
     poly vec[L];
 } polyvecl;
 
-void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
@@ -36,7 +36,7 @@ typedef struct {
     poly vec[K];
 } polyveck;
 
-void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(polyveck *v);
 void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_caddq(polyveck *v);

crypto_sign/dilithium2aes/clean/sign.c

@@ -21,8 +21,8 @@
 * Returns 0 (success)
 **************************************************/
 int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
-    uint8_t seedbuf[3 * SEEDBYTES];
-    uint8_t tr[CRHBYTES];
+    uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
+    uint8_t tr[SEEDBYTES];
     const uint8_t *rho, *rhoprime, *key;
     polyvecl mat[K];
     polyvecl s1, s1hat;
@@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Get randomness for rho, rhoprime and key */
     randombytes(seedbuf, SEEDBYTES);
-    shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES);
+    shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
     rho = seedbuf;
-    rhoprime = seedbuf + SEEDBYTES;
-    key = seedbuf + 2 * SEEDBYTES;
+    rhoprime = rho + SEEDBYTES;
+    key = rhoprime + CRHBYTES;
 
     /* Expand matrix */
     PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_expand(mat, rho);
@@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
     PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_power2round(&t1, &t0, &t1);
     PQCLEAN_DILITHIUM2AES_CLEAN_pack_pk(pk, rho, &t1);
 
-    /* Compute CRH(rho, t1) and write secret key */
-    crh(tr, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES);
+    /* Compute H(rho, t1) and write secret key */
+    shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES);
     PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
 
     return 0;
@@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_signature(uint8_t *sig,
         size_t mlen,
         const uint8_t *sk) {
     unsigned int n;
-    uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES];
+    uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
     uint8_t *rho, *tr, *key, *mu, *rhoprime;
     uint16_t nonce = 0;
     polyvecl mat[K], s1, y, z;
@@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_signature(uint8_t *sig,
 
     rho = seedbuf;
     tr = rho + SEEDBYTES;
-    key = tr + CRHBYTES;
+    key = tr + SEEDBYTES;
     mu = key + SEEDBYTES;
     rhoprime = mu + CRHBYTES;
     PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
 
     /* Compute CRH(tr, msg) */
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, tr, CRHBYTES);
+    shake256_inc_absorb(&state, tr, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
     shake256_inc_ctx_release(&state);
 
-    crh(rhoprime, key, SEEDBYTES + CRHBYTES);
+    shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
 
     /* Expand matrix and transform vectors */
     PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_expand(mat, rho);
@@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_verify(const uint8_t *sig,
         return -1;
     }
 
-    /* Compute CRH(CRH(rho, t1), msg) */
-    crh(mu, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES);
+    /* Compute CRH(H(rho, t1), msg) */
+    shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES);
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu, CRHBYTES);
+    shake256_inc_absorb(&state, mu, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);

crypto_sign/dilithium2aes/clean/symmetric.h

@@ -17,7 +17,6 @@ void PQCLEAN_DILITHIUM2AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state,
 #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
 #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
 
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
 #define stream128_init(STATE, SEED, NONCE) \
     PQCLEAN_DILITHIUM2AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \

crypto_sign/dilithium3/META.yml

@@ -2,10 +2,10 @@ name: Dilithium3
 type: signature
 claimed-nist-level: 3
 length-public-key: 1952
-length-secret-key: 4016
+length-secret-key: 4000
 length-signature: 3293
-nistkat-sha256: d0d4bb6945e14206d17b52f8a395d5a750ec8a73f2ea06b9f1cd226d225a9bfb
-testvectors-sha256: 531b85dbecaeaf135ad9004c8e2d5ce163b8e72d9c3a537e15bd383cf5f38aa4
+nistkat-sha256: 8439f580566c46b99449b2cbbd597ce59bcd5d184b90c1108b79a08f6bdbbcb1
+testvectors-sha256: 7d6c0db177a143415db7e609e3ecf603f73e7ceff35685f3ad65ac31b5e1aeeb
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:
@@ -17,9 +17,9 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
     - name: clean
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
     - name: avx2
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
       supported_platforms:
         - architecture: x86_64
           operating_systems:

crypto_sign/dilithium3/avx2/api.h

@@ -5,12 +5,11 @@
 #include <stdint.h>
 
 #define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES 1952
-#define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES 4016
+#define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES 4000
 #define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_BYTES 3293
 
 #define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_ALGNAME "Dilithium3"
 
-
 int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
 
 int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_signature(

crypto_sign/dilithium3/avx2/fips202x4.c

@@ -91,17 +91,22 @@ static void keccakx4_squeezeblocks(uint8_t *out0,
                                    unsigned int r,
                                    __m256i s[25]) {
     unsigned int i;
+    double temp0, temp1;
     __m128d t;
 
     while (nblocks > 0) {
         PQCLEAN_DILITHIUM3_AVX2_f1600x4(s, KeccakF_RoundConstants);
         for (i = 0; i < r / 8; ++i) {
             t = _mm_castsi128_pd(_mm256_castsi256_si128(s[i]));
-            _mm_storel_pd((double *)&out0[8 * i], t);
-            _mm_storeh_pd((double *)&out1[8 * i], t);
+            _mm_storel_pd(&temp0, t);
+            _mm_storeh_pd(&temp1, t);
+            memmove(&out0[8 * i], &temp0, sizeof(double));
+            memmove(&out1[8 * i], &temp1, sizeof(double));
             t = _mm_castsi128_pd(_mm256_extracti128_si256(s[i], 1));
-            _mm_storel_pd((double *)&out2[8 * i], t);
-            _mm_storeh_pd((double *)&out3[8 * i], t);
+            _mm_storel_pd(&temp0, t);
+            _mm_storeh_pd(&temp1, t);
+            memmove(&out2[8 * i], &temp0, sizeof(double));
+            memmove(&out3[8 * i], &temp1, sizeof(double));
         }
 
         out0 += r;

crypto_sign/dilithium3/avx2/packing.c

@@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM3_AVX2_unpack_pk(uint8_t rho[SEEDBYTES],
 **************************************************/
 void PQCLEAN_DILITHIUM3_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES],
                                      const uint8_t rho[SEEDBYTES],
-                                     const uint8_t tr[CRHBYTES],
+                                     const uint8_t tr[SEEDBYTES],
                                      const uint8_t key[SEEDBYTES],
                                      const polyveck *t0,
                                      const polyvecl *s1,
@@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM3_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_S
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         sk[i] = tr[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM3_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_S
 *              - uint8_t sk[]: byte array containing bit-packed sk
 **************************************************/
 void PQCLEAN_DILITHIUM3_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-                                       uint8_t tr[CRHBYTES],
+                                       uint8_t tr[SEEDBYTES],
                                        uint8_t key[SEEDBYTES],
                                        polyveck *t0,
                                        polyvecl *s1,
@@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM3_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         tr[i] = sk[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM3_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);

crypto_sign/dilithium3/avx2/packing.h

@@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM3_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_P
 
 void PQCLEAN_DILITHIUM3_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES],
                                      const uint8_t rho[SEEDBYTES],
-                                     const uint8_t tr[CRHBYTES],
+                                     const uint8_t tr[SEEDBYTES],
                                      const uint8_t key[SEEDBYTES],
                                      const polyveck *t0,
                                      const polyvecl *s1,
@@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM3_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3_AVX2_CRYPTO
 void PQCLEAN_DILITHIUM3_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES]);
 
 void PQCLEAN_DILITHIUM3_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-                                       uint8_t tr[CRHBYTES],
+                                       uint8_t tr[SEEDBYTES],
                                        uint8_t key[SEEDBYTES],
                                        polyveck *t0,
                                        polyvecl *s1,

crypto_sign/dilithium3/avx2/params.h

@@ -4,7 +4,7 @@
 
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13
@@ -32,7 +32,7 @@
 #define POLYETA_PACKEDBYTES 128
 
 #define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
+#define PQCLEAN_DILITHIUM3_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
         + L*POLYETA_PACKEDBYTES \
         + K*POLYETA_PACKEDBYTES \
         + K*POLYT0_PACKEDBYTES)

crypto_sign/dilithium3/avx2/poly.c

@@ -505,34 +505,34 @@ static unsigned int rej_eta(int32_t *a,
 *              or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length  SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) {
+void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) {
     unsigned int ctr;
-    ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf;
+    ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
 
-    stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
+    stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
     ctr = PQCLEAN_DILITHIUM3_AVX2_rej_eta_avx(a->coeffs, buf.coeffs);
 
     while (ctr < N) {
-        stream128_squeezeblocks(buf.coeffs, 1, state);
-        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
+        stream256_squeezeblocks(buf.coeffs, 1, state);
+        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES);
     }
 }
 
-void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
-    stream128_state state;
-    stream128_init(&state, seed, nonce);
+void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) {
+    stream256_state state;
+    stream256_init(&state, seed, nonce);
     PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(a, &state);
-    stream128_release(&state);
+    stream256_release(&state);
 }
 
 void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_4x(poly *a0,
         poly *a1,
         poly *a2,
         poly *a3,
-        const uint8_t seed[32],
+        const uint8_t seed[64],
         uint16_t nonce0,
         uint16_t nonce1,
         uint16_t nonce2,
@@ -543,23 +543,28 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_4x(poly *a0,
     __m256i f;
     keccakx4_state state;
 
-    f = _mm256_loadu_si256((__m256i *)seed);
-    _mm256_store_si256(buf[0].vec, f);
-    _mm256_store_si256(buf[1].vec, f);
-    _mm256_store_si256(buf[2].vec, f);
-    _mm256_store_si256(buf[3].vec, f);
-
-    buf[0].coeffs[SEEDBYTES + 0] = nonce0;
-    buf[0].coeffs[SEEDBYTES + 1] = nonce0 >> 8;
-    buf[1].coeffs[SEEDBYTES + 0] = nonce1;
-    buf[1].coeffs[SEEDBYTES + 1] = nonce1 >> 8;
-    buf[2].coeffs[SEEDBYTES + 0] = nonce2;
-    buf[2].coeffs[SEEDBYTES + 1] = nonce2 >> 8;
-    buf[3].coeffs[SEEDBYTES + 0] = nonce3;
-    buf[3].coeffs[SEEDBYTES + 1] = nonce3 >> 8;
-
-    PQCLEAN_DILITHIUM3_AVX2_shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
-    PQCLEAN_DILITHIUM3_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
+    f = _mm256_loadu_si256((__m256i *)&seed[0]);
+    _mm256_store_si256(&buf[0].vec[0], f);
+    _mm256_store_si256(&buf[1].vec[0], f);
+    _mm256_store_si256(&buf[2].vec[0], f);
+    _mm256_store_si256(&buf[3].vec[0], f);
+    f = _mm256_loadu_si256((__m256i *)&seed[32]);
+    _mm256_store_si256(&buf[0].vec[1], f);
+    _mm256_store_si256(&buf[1].vec[1], f);
+    _mm256_store_si256(&buf[2].vec[1], f);
+    _mm256_store_si256(&buf[3].vec[1], f);
+
+    buf[0].coeffs[64] = nonce0;
+    buf[0].coeffs[65] = nonce0 >> 8;
+    buf[1].coeffs[64] = nonce1;
+    buf[1].coeffs[65] = nonce1 >> 8;
+    buf[2].coeffs[64] = nonce2;
+    buf[2].coeffs[65] = nonce2 >> 8;
+    buf[3].coeffs[64] = nonce3;
+    buf[3].coeffs[65] = nonce3 >> 8;
+
+    PQCLEAN_DILITHIUM3_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
+    PQCLEAN_DILITHIUM3_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
 
     ctr0 = PQCLEAN_DILITHIUM3_AVX2_rej_eta_avx(a0->coeffs, buf[0].coeffs);
     ctr1 = PQCLEAN_DILITHIUM3_AVX2_rej_eta_avx(a1->coeffs, buf[1].coeffs);
@@ -567,12 +572,12 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_4x(poly *a0,
     ctr3 = PQCLEAN_DILITHIUM3_AVX2_rej_eta_avx(a3->coeffs, buf[3].coeffs);
 
     while (ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
-        PQCLEAN_DILITHIUM3_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
+        PQCLEAN_DILITHIUM3_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
 
-        ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE);
-        ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE);
-        ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
-        ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
+        ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE);
+        ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE);
+        ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
+        ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
     }
 }
 
@@ -606,7 +611,7 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1_4x(poly *a0,
         poly *a1,
         poly *a2,
         poly *a3,
-        const uint8_t seed[48],
+        const uint8_t seed[64],
         uint16_t nonce0,
         uint16_t nonce1,
         uint16_t nonce2,
@@ -614,29 +619,28 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1_4x(poly *a0,
     ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES + 14) buf[4];
     keccakx4_state state;
     __m256i f;
-    __m128i g;
 
-    f = _mm256_loadu_si256((__m256i *)seed);
-    _mm256_store_si256(buf[0].vec, f);
-    _mm256_store_si256(buf[1].vec, f);
-    _mm256_store_si256(buf[2].vec, f);
-    _mm256_store_si256(buf[3].vec, f);
-    g = _mm_loadu_si128((__m128i *)&seed[32]);
-    _mm_store_si128((__m128i *)&buf[0].vec[1], g);
-    _mm_store_si128((__m128i *)&buf[1].vec[1], g);
-    _mm_store_si128((__m128i *)&buf[2].vec[1], g);
-    _mm_store_si128((__m128i *)&buf[3].vec[1], g);
-
-    buf[0].coeffs[CRHBYTES + 0] = nonce0;
-    buf[0].coeffs[CRHBYTES + 1] = nonce0 >> 8;
-    buf[1].coeffs[CRHBYTES + 0] = nonce1;
-    buf[1].coeffs[CRHBYTES + 1] = nonce1 >> 8;
-    buf[2].coeffs[CRHBYTES + 0] = nonce2;
-    buf[2].coeffs[CRHBYTES + 1] = nonce2 >> 8;
-    buf[3].coeffs[CRHBYTES + 0] = nonce3;
-    buf[3].coeffs[CRHBYTES + 1] = nonce3 >> 8;
-
-    PQCLEAN_DILITHIUM3_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, CRHBYTES + 2);
+    f = _mm256_loadu_si256((__m256i *)&seed[0]);
+    _mm256_store_si256(&buf[0].vec[0], f);
+    _mm256_store_si256(&buf[1].vec[0], f);
+    _mm256_store_si256(&buf[2].vec[0], f);
+    _mm256_store_si256(&buf[3].vec[0], f);
+    f = _mm256_loadu_si256((__m256i *)&seed[32]);
+    _mm256_store_si256(&buf[0].vec[1], f);
+    _mm256_store_si256(&buf[1].vec[1], f);
+    _mm256_store_si256(&buf[2].vec[1], f);
+    _mm256_store_si256(&buf[3].vec[1], f);
+
+    buf[0].coeffs[64] = nonce0;
+    buf[0].coeffs[65] = nonce0 >> 8;
+    buf[1].coeffs[64] = nonce1;
+    buf[1].coeffs[65] = nonce1 >> 8;
+    buf[2].coeffs[64] = nonce2;
+    buf[2].coeffs[65] = nonce2 >> 8;
+    buf[3].coeffs[64] = nonce3;
+    buf[3].coeffs[65] = nonce3 >> 8;
+
+    PQCLEAN_DILITHIUM3_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
     PQCLEAN_DILITHIUM3_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
 
     PQCLEAN_DILITHIUM3_AVX2_polyz_unpack(a0, buf[0].coeffs);

crypto_sign/dilithium3/avx2/poly.h

@@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h
 int PQCLEAN_DILITHIUM3_AVX2_poly_chknorm(const poly *a, int32_t B);
 void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_preinit(poly *a, stream128_state *state);
 void PQCLEAN_DILITHIUM3_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state);
+void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
 void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM3_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
@@ -47,7 +47,7 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_4x(poly *a0,
         poly *a1,
         poly *a2,
         poly *a3,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce0,
         uint16_t nonce1,
         uint16_t nonce2,

crypto_sign/dilithium3/avx2/polyvec.c

@@ -98,7 +98,7 @@ void PQCLEAN_DILITHIUM3_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, co
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -106,7 +106,7 @@ void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t see
     }
 }
 
-void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -231,7 +231,7 @@ int PQCLEAN_DILITHIUM3_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound)
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM3_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < K; ++i) {

crypto_sign/dilithium3/avx2/polyvec.h

@@ -9,9 +9,9 @@ typedef struct {
     poly vec[L];
 } polyvecl;
 
-void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
-void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM3_AVX2_polyvecl_reduce(polyvecl *v);
 
@@ -33,7 +33,7 @@ typedef struct {
     poly vec[K];
 } polyveck;
 
-void PQCLEAN_DILITHIUM3_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM3_AVX2_polyveck_reduce(polyveck *v);
 void PQCLEAN_DILITHIUM3_AVX2_polyveck_caddq(polyveck *v);

crypto_sign/dilithium3/avx2/rejsample.h

@@ -7,8 +7,8 @@
 #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
 #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
 
-#define REJ_UNIFORM_ETA_NBLOCKS ((228+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_NBLOCKS ((227+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES)
 
 extern const uint8_t PQCLEAN_DILITHIUM3_AVX2_idxlut[256][8];
 

crypto_sign/dilithium3/avx2/sign.c

@@ -53,7 +53,7 @@ static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], co
 **************************************************/
 int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
     unsigned int i;
-    uint8_t seedbuf[3 * SEEDBYTES];
+    uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
     const uint8_t *rho, *rhoprime, *key;
     polyvecl rowbuf[2];
     polyvecl s1, *row = rowbuf;
@@ -62,10 +62,10 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Get randomness for rho, rhoprime and key */
     randombytes(seedbuf, SEEDBYTES);
-    shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES);
+    shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
     rho = seedbuf;
-    rhoprime = seedbuf + SEEDBYTES;
-    key = seedbuf + 2 * SEEDBYTES;
+    rhoprime = rho + SEEDBYTES;
+    key = rhoprime + CRHBYTES;
 
     /* Store rho, key */
     memcpy(pk, rho, SEEDBYTES);
@@ -79,10 +79,10 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Pack secret vectors */
     for (i = 0; i < L; i++) {
-        PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]);
+        PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]);
     }
     for (i = 0; i < K; i++) {
-        PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
+        PQCLEAN_DILITHIUM3_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
     }
 
     /* Transform s1 */
@@ -104,11 +104,11 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
         PQCLEAN_DILITHIUM3_AVX2_poly_caddq(&t1);
         PQCLEAN_DILITHIUM3_AVX2_poly_power2round(&t1, &t0, &t1);
         PQCLEAN_DILITHIUM3_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1);
-        PQCLEAN_DILITHIUM3_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0);
+        PQCLEAN_DILITHIUM3_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0);
     }
 
-    /* Compute CRH(rho, t1) and store in secret key */
-    crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES);
+    /* Compute H(rho, t1) and store in secret key */
+    shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES);
 
     return 0;
 }
@@ -128,7 +128,7 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 **************************************************/
 int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
     unsigned int i, n, pos;
-    uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES];
+    uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
     uint8_t *rho, *tr, *key, *mu, *rhoprime;
     uint8_t hintbuf[N];
     uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES;
@@ -144,20 +144,20 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen,
 
     rho = seedbuf;
     tr = rho + SEEDBYTES;
-    key = tr + CRHBYTES;
+    key = tr + SEEDBYTES;
     mu = key + SEEDBYTES;
     rhoprime = mu + CRHBYTES;
     PQCLEAN_DILITHIUM3_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
 
     /* Compute CRH(tr, msg) */
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, tr, CRHBYTES);
+    shake256_inc_absorb(&state, tr, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
     shake256_inc_ctx_release(&state);
 
-    crh(rhoprime, key, SEEDBYTES + CRHBYTES);
+    shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
 
     /* Expand matrix and transform vectors */
     PQCLEAN_DILITHIUM3_AVX2_polyvec_matrix_expand(mat, rho);
@@ -303,10 +303,10 @@ int PQCLEAN_DILITHIUM3_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen
         return -1;
     }
 
-    /* Compute CRH(CRH(rho, t1), msg) */
-    crh(mu, pk, PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES);
+    /* Compute CRH(H(rho, t1), msg) */
+    shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM3_AVX2_CRYPTO_PUBLICKEYBYTES);
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu, CRHBYTES);
+    shake256_inc_absorb(&state, mu, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);

crypto_sign/dilithium3/avx2/symmetric.h

@@ -9,27 +9,18 @@
 typedef shake128incctx stream128_state;
 typedef shake256incctx stream256_state;
 
-void PQCLEAN_DILITHIUM3_AVX2_dilithium_shake128_stream_init(shake128incctx *state,
-        const uint8_t seed[SEEDBYTES],
-        uint16_t nonce);
+void PQCLEAN_DILITHIUM3_AVX2_dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
 
-void PQCLEAN_DILITHIUM3_AVX2_dilithium_shake256_stream_init(shake256incctx *state,
-        const uint8_t seed[CRHBYTES],
-        uint16_t nonce);
+void PQCLEAN_DILITHIUM3_AVX2_dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 #define STREAM128_BLOCKBYTES SHAKE128_RATE
 #define STREAM256_BLOCKBYTES SHAKE256_RATE
 
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
-#define stream128_init(STATE, SEED, NONCE) \
-    PQCLEAN_DILITHIUM3_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-    shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE)
+#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_AVX2_dilithium_shake128_stream_init(STATE, SEED, NONCE)
+#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE)
 #define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
-    PQCLEAN_DILITHIUM3_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-    shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE)
+#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_AVX2_dilithium_shake256_stream_init(STATE, SEED, NONCE)
+#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE)
 #define stream256_release(STATE) shake256_inc_ctx_release(STATE)
 
 

crypto_sign/dilithium3/clean/api.h

@@ -5,12 +5,11 @@
 #include <stdint.h>
 
 #define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES 1952
-#define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES 4016
+#define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES 4000
 #define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_BYTES 3293
 
 #define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_ALGNAME "Dilithium3"
 
-
 int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
 
 int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_signature(

crypto_sign/dilithium3/clean/packing.c

@@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES],
 **************************************************/
 void PQCLEAN_DILITHIUM3_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES],
                                       const uint8_t rho[SEEDBYTES],
-                                      const uint8_t tr[CRHBYTES],
+                                      const uint8_t tr[SEEDBYTES],
                                       const uint8_t key[SEEDBYTES],
                                       const polyveck *t0,
                                       const polyvecl *s1,
@@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM3_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         sk[i] = tr[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM3_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO
 *              - uint8_t sk[]: byte array containing bit-packed sk
 **************************************************/
 void PQCLEAN_DILITHIUM3_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
-                                        uint8_t tr[CRHBYTES],
+                                        uint8_t tr[SEEDBYTES],
                                         uint8_t key[SEEDBYTES],
                                         polyveck *t0,
                                         polyvecl *s1,
@@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM3_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         tr[i] = sk[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM3_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);

crypto_sign/dilithium3/clean/packing.h

@@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO
 
 void PQCLEAN_DILITHIUM3_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES],
                                       const uint8_t rho[SEEDBYTES],
-                                      const uint8_t tr[CRHBYTES],
+                                      const uint8_t tr[SEEDBYTES],
                                       const uint8_t key[SEEDBYTES],
                                       const polyveck *t0,
                                       const polyvecl *s1,
@@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3_CLEAN_CRYP
 void PQCLEAN_DILITHIUM3_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES]);
 
 void PQCLEAN_DILITHIUM3_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
-                                        uint8_t tr[CRHBYTES],
+                                        uint8_t tr[SEEDBYTES],
                                         uint8_t key[SEEDBYTES],
                                         polyveck *t0,
                                         polyvecl *s1,

crypto_sign/dilithium3/clean/params.h

@@ -4,7 +4,7 @@
 
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13
@@ -32,7 +32,7 @@
 #define POLYETA_PACKEDBYTES 128
 
 #define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
+#define PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
         + L*POLYETA_PACKEDBYTES \
         + K*POLYETA_PACKEDBYTES \
         + K*POLYT0_PACKEDBYTES)

crypto_sign/dilithium3/clean/poly.c

@@ -436,28 +436,28 @@ static unsigned int rej_eta(int32_t *a,
 *              output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
+#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
 void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_eta(poly *a,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce) {
     unsigned int ctr;
-    unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES;
-    uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES];
-    stream128_state state;
+    unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
+    uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
+    stream256_state state;
 
-    stream128_init(&state, seed, nonce);
-    stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
+    stream256_init(&state, seed, nonce);
+    stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
 
     ctr = rej_eta(a->coeffs, N, buf, buflen);
 
     while (ctr < N) {
-        stream128_squeezeblocks(buf, 1, &state);
-        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES);
+        stream256_squeezeblocks(buf, 1, &state);
+        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
     }
-    stream128_release(&state);
+    stream256_release(&state);
 }
 
 /*************************************************

crypto_sign/dilithium3/clean/poly.h

@@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform(poly *a,
         const uint8_t seed[SEEDBYTES],
         uint16_t nonce);
 void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_eta(poly *a,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce);
 void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_gamma1(poly *a,
         const uint8_t seed[CRHBYTES],

crypto_sign/dilithium3/clean/polyvec.c

@@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, c
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM3_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t bound)
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM3_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < K; ++i) {

crypto_sign/dilithium3/clean/polyvec.h

@@ -9,7 +9,7 @@ typedef struct {
     poly vec[L];
 } polyvecl;
 
-void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM3_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
@@ -36,7 +36,7 @@ typedef struct {
     poly vec[K];
 } polyveck;
 
-void PQCLEAN_DILITHIUM3_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM3_CLEAN_polyveck_reduce(polyveck *v);
 void PQCLEAN_DILITHIUM3_CLEAN_polyveck_caddq(polyveck *v);

crypto_sign/dilithium3/clean/sign.c

@@ -21,8 +21,8 @@
 * Returns 0 (success)
 **************************************************/
 int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
-    uint8_t seedbuf[3 * SEEDBYTES];
-    uint8_t tr[CRHBYTES];
+    uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
+    uint8_t tr[SEEDBYTES];
     const uint8_t *rho, *rhoprime, *key;
     polyvecl mat[K];
     polyvecl s1, s1hat;
@@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Get randomness for rho, rhoprime and key */
     randombytes(seedbuf, SEEDBYTES);
-    shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES);
+    shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
     rho = seedbuf;
-    rhoprime = seedbuf + SEEDBYTES;
-    key = seedbuf + 2 * SEEDBYTES;
+    rhoprime = rho + SEEDBYTES;
+    key = rhoprime + CRHBYTES;
 
     /* Expand matrix */
     PQCLEAN_DILITHIUM3_CLEAN_polyvec_matrix_expand(mat, rho);
@@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
     PQCLEAN_DILITHIUM3_CLEAN_polyveck_power2round(&t1, &t0, &t1);
     PQCLEAN_DILITHIUM3_CLEAN_pack_pk(pk, rho, &t1);
 
-    /* Compute CRH(rho, t1) and write secret key */
-    crh(tr, pk, PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES);
+    /* Compute H(rho, t1) and write secret key */
+    shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES);
     PQCLEAN_DILITHIUM3_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
 
     return 0;
@@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_signature(uint8_t *sig,
         size_t mlen,
         const uint8_t *sk) {
     unsigned int n;
-    uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES];
+    uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
     uint8_t *rho, *tr, *key, *mu, *rhoprime;
     uint16_t nonce = 0;
     polyvecl mat[K], s1, y, z;
@@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_signature(uint8_t *sig,
 
     rho = seedbuf;
     tr = rho + SEEDBYTES;
-    key = tr + CRHBYTES;
+    key = tr + SEEDBYTES;
     mu = key + SEEDBYTES;
     rhoprime = mu + CRHBYTES;
     PQCLEAN_DILITHIUM3_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
 
     /* Compute CRH(tr, msg) */
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, tr, CRHBYTES);
+    shake256_inc_absorb(&state, tr, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
     shake256_inc_ctx_release(&state);
 
-    crh(rhoprime, key, SEEDBYTES + CRHBYTES);
+    shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
 
     /* Expand matrix and transform vectors */
     PQCLEAN_DILITHIUM3_CLEAN_polyvec_matrix_expand(mat, rho);
@@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM3_CLEAN_crypto_sign_verify(const uint8_t *sig,
         return -1;
     }
 
-    /* Compute CRH(CRH(rho, t1), msg) */
-    crh(mu, pk, PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES);
+    /* Compute CRH(H(rho, t1), msg) */
+    shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM3_CLEAN_CRYPTO_PUBLICKEYBYTES);
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu, CRHBYTES);
+    shake256_inc_absorb(&state, mu, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);

crypto_sign/dilithium3/clean/symmetric.h

@@ -20,7 +20,6 @@ void PQCLEAN_DILITHIUM3_CLEAN_dilithium_shake256_stream_init(shake256incctx *sta
 #define STREAM128_BLOCKBYTES SHAKE128_RATE
 #define STREAM256_BLOCKBYTES SHAKE256_RATE
 
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
 #define stream128_init(STATE, SEED, NONCE) \
     PQCLEAN_DILITHIUM3_CLEAN_dilithium_shake128_stream_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \

crypto_sign/dilithium3aes/META.yml

@@ -2,10 +2,10 @@ name: Dilithium3-AES
 type: signature
 claimed-nist-level: 3
 length-public-key: 1952
-length-secret-key: 4016
+length-secret-key: 4000
 length-signature: 3293
-nistkat-sha256: c1519093239804f90d1c9386e2a95b42b45dc65cbdc7c1dd777fe27de3840517
-testvectors-sha256: 9637ff196abfad19f3479e6a6ec3e91fc6de3bae89adf8617d91154063a3262a
+nistkat-sha256: 199db029b177b368d71bac8689e16394621b84ddc5517e8476312165288e63d3
+testvectors-sha256: a69ed1454332b6967c1b8da3ac4dce61ce163edec400e2f4631b6a8ab3409436
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:
@@ -17,9 +17,9 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
     - name: clean
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
     - name: avx2
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
       supported_platforms:
         - architecture: x86_64
           operating_systems:

crypto_sign/dilithium3aes/avx2/api.h

@@ -5,12 +5,11 @@
 #include <stdint.h>
 
 #define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES 1952
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES 4016
+#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES 4000
 #define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES 3293
 
 #define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_ALGNAME "Dilithium3-AES"
 
-
 int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
 
 int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature(

crypto_sign/dilithium3aes/avx2/packing.c

@@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES],
 **************************************************/
 void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES],
                                         const uint8_t rho[SEEDBYTES],
-                                        const uint8_t tr[CRHBYTES],
+                                        const uint8_t tr[SEEDBYTES],
                                         const uint8_t key[SEEDBYTES],
                                         const polyveck *t0,
                                         const polyvecl *s1,
@@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CR
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         sk[i] = tr[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CR
 *              - uint8_t sk[]: byte array containing bit-packed sk
 **************************************************/
 void PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-        uint8_t tr[CRHBYTES],
+        uint8_t tr[SEEDBYTES],
         uint8_t key[SEEDBYTES],
         polyveck *t0,
         polyvecl *s1,
@@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         tr[i] = sk[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM3AES_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);

crypto_sign/dilithium3aes/avx2/packing.h

@@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3AES_AVX2_CR
 
 void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES],
                                         const uint8_t rho[SEEDBYTES],
-                                        const uint8_t tr[CRHBYTES],
+                                        const uint8_t tr[SEEDBYTES],
                                         const uint8_t key[SEEDBYTES],
                                         const polyveck *t0,
                                         const polyvecl *s1,
@@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3AES_AVX2_
 void PQCLEAN_DILITHIUM3AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES]);
 
 void PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-        uint8_t tr[CRHBYTES],
+        uint8_t tr[SEEDBYTES],
         uint8_t key[SEEDBYTES],
         polyveck *t0,
         polyvecl *s1,

crypto_sign/dilithium3aes/avx2/params.h

@@ -4,7 +4,7 @@
 
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13
@@ -32,7 +32,7 @@
 #define POLYETA_PACKEDBYTES 128
 
 #define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
+#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
         + L*POLYETA_PACKEDBYTES \
         + K*POLYETA_PACKEDBYTES \
         + K*POLYT0_PACKEDBYTES)

crypto_sign/dilithium3aes/avx2/poly.c

@@ -458,27 +458,27 @@ static unsigned int rej_eta(int32_t *a,
 *              or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length  SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) {
+void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) {
     unsigned int ctr;
-    ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf;
+    ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
 
-    stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
+    stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
     ctr = PQCLEAN_DILITHIUM3AES_AVX2_rej_eta_avx(a->coeffs, buf.coeffs);
 
     while (ctr < N) {
-        stream128_squeezeblocks(buf.coeffs, 1, state);
-        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
+        stream256_squeezeblocks(buf.coeffs, 1, state);
+        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES);
     }
 }
 
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
-    stream128_state state;
-    stream128_init(&state, seed, nonce);
+void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) {
+    stream256_state state;
+    stream256_init(&state, seed, nonce);
     PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(a, &state);
-    stream128_release(&state);
+    stream256_release(&state);
 }
 
 

crypto_sign/dilithium3aes/avx2/poly.h

@@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM3AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly
 int PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm(const poly *a, int32_t B);
 void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state);
 void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state);
+void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
 void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM3AES_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);

crypto_sign/dilithium3aes/avx2/polyvec.c

@@ -49,7 +49,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t,
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -57,7 +57,7 @@ void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t
     }
 }
 
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -182,7 +182,7 @@ int PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < K; ++i) {

crypto_sign/dilithium3aes/avx2/polyvec.h

@@ -9,9 +9,9 @@ typedef struct {
     poly vec[L];
 } polyvecl;
 
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_reduce(polyvecl *v);
 
@@ -33,7 +33,7 @@ typedef struct {
     poly vec[K];
 } polyveck;
 
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_reduce(polyveck *v);
 void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_caddq(polyveck *v);

crypto_sign/dilithium3aes/avx2/rejsample.h

@@ -7,8 +7,8 @@
 #define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
 #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
 
-#define REJ_UNIFORM_ETA_NBLOCKS ((228+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_NBLOCKS ((227+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES)
 
 extern const uint8_t PQCLEAN_DILITHIUM3AES_AVX2_idxlut[256][8];
 

crypto_sign/dilithium3aes/avx2/sign.c

@@ -26,7 +26,7 @@
 **************************************************/
 int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
     unsigned int i;
-    uint8_t seedbuf[3 * SEEDBYTES];
+    uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
     const uint8_t *rho, *rhoprime, *key;
     uint64_t nonce;
     aes256ctr_ctx aesctx;
@@ -37,10 +37,10 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Get randomness for rho, rhoprime and key */
     randombytes(seedbuf, SEEDBYTES);
-    shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES);
+    shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
     rho = seedbuf;
-    rhoprime = seedbuf + SEEDBYTES;
-    key = seedbuf + 2 * SEEDBYTES;
+    rhoprime = rho + SEEDBYTES;
+    key = rhoprime + CRHBYTES;
 
     /* Store rho, key */
     memcpy(pk, rho, SEEDBYTES);
@@ -62,10 +62,10 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Pack secret vectors */
     for (i = 0; i < L; i++) {
-        PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]);
+        PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + i * POLYETA_PACKEDBYTES, &s1.vec[i]);
     }
     for (i = 0; i < K; i++) {
-        PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
+        PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 3 * SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
     }
 
     /* Transform s1 */
@@ -93,11 +93,11 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
         PQCLEAN_DILITHIUM3AES_AVX2_poly_caddq(&t1);
         PQCLEAN_DILITHIUM3AES_AVX2_poly_power2round(&t1, &t0, &t1);
         PQCLEAN_DILITHIUM3AES_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1);
-        PQCLEAN_DILITHIUM3AES_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0);
+        PQCLEAN_DILITHIUM3AES_AVX2_polyt0_pack(sk + 3 * SEEDBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0);
     }
 
-    /* Compute CRH(rho, t1) and store in secret key */
-    crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES);
+    /* Compute H(rho, t1) and store in secret key */
+    shake256(sk + 2 * SEEDBYTES, SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES);
 
     return 0;
 }
@@ -117,7 +117,7 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 **************************************************/
 int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
     unsigned int i, n, pos;
-    uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES];
+    uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
     uint8_t *rho, *tr, *key, *mu, *rhoprime;
     uint8_t hintbuf[N];
     uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES;
@@ -133,20 +133,20 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *sigle
 
     rho = seedbuf;
     tr = rho + SEEDBYTES;
-    key = tr + CRHBYTES;
+    key = tr + SEEDBYTES;
     mu = key + SEEDBYTES;
     rhoprime = mu + CRHBYTES;
     PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
 
     /* Compute CRH(tr, msg) */
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, tr, CRHBYTES);
+    shake256_inc_absorb(&state, tr, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
     shake256_inc_ctx_release(&state);
 
-    crh(rhoprime, key, SEEDBYTES + CRHBYTES);
+    shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
 
     /* Expand matrix and transform vectors */
     PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_expand(mat, rho);
@@ -297,10 +297,10 @@ int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t sig
         return -1;
     }
 
-    /* Compute CRH(CRH(rho, t1), msg) */
-    crh(mu, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES);
+    /* Compute CRH(H(rho, t1), msg) */
+    shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES);
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu, CRHBYTES);
+    shake256_inc_absorb(&state, mu, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);

crypto_sign/dilithium3aes/avx2/symmetric.h

@@ -13,7 +13,6 @@ typedef aes256ctr_ctx stream256_state;
 #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
 #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
 
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
 #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
 #define stream128_release(STATE)

crypto_sign/dilithium3aes/clean/api.h

@@ -5,12 +5,11 @@
 #include <stdint.h>
 
 #define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES 1952
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES 4016
+#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES 4000
 #define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES 3293
 
 #define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_ALGNAME "Dilithium3-AES"
 
-
 int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
 
 int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature(

crypto_sign/dilithium3aes/clean/packing.c

@@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES],
 **************************************************/
 void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES],
         const uint8_t rho[SEEDBYTES],
-        const uint8_t tr[CRHBYTES],
+        const uint8_t tr[SEEDBYTES],
         const uint8_t key[SEEDBYTES],
         const polyveck *t0,
         const polyvecl *s1,
@@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         sk[i] = tr[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_
 *              - uint8_t sk[]: byte array containing bit-packed sk
 **************************************************/
 void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
-        uint8_t tr[CRHBYTES],
+        uint8_t tr[SEEDBYTES],
         uint8_t key[SEEDBYTES],
         polyveck *t0,
         polyvecl *s1,
@@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         tr[i] = sk[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);

crypto_sign/dilithium3aes/clean/packing.h

@@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3AES_CLEAN_
 
 void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES],
         const uint8_t rho[SEEDBYTES],
-        const uint8_t tr[CRHBYTES],
+        const uint8_t tr[SEEDBYTES],
         const uint8_t key[SEEDBYTES],
         const polyveck *t0,
         const polyvecl *s1,
@@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3AES_CLEA
 void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES]);
 
 void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
-        uint8_t tr[CRHBYTES],
+        uint8_t tr[SEEDBYTES],
         uint8_t key[SEEDBYTES],
         polyveck *t0,
         polyvecl *s1,

crypto_sign/dilithium3aes/clean/params.h

@@ -4,7 +4,7 @@
 
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13
@@ -32,7 +32,7 @@
 #define POLYETA_PACKEDBYTES 128
 
 #define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
+#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
         + L*POLYETA_PACKEDBYTES \
         + K*POLYETA_PACKEDBYTES \
         + K*POLYT0_PACKEDBYTES)

crypto_sign/dilithium3aes/clean/poly.c

@@ -436,28 +436,28 @@ static unsigned int rej_eta(int32_t *a,
 *              output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
+#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
 void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_eta(poly *a,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce) {
     unsigned int ctr;
-    unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES;
-    uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES];
-    stream128_state state;
+    unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
+    uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
+    stream256_state state;
 
-    stream128_init(&state, seed, nonce);
-    stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
+    stream256_init(&state, seed, nonce);
+    stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
 
     ctr = rej_eta(a->coeffs, N, buf, buflen);
 
     while (ctr < N) {
-        stream128_squeezeblocks(buf, 1, &state);
-        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES);
+        stream256_squeezeblocks(buf, 1, &state);
+        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
     }
-    stream128_release(&state);
+    stream256_release(&state);
 }
 
 /*************************************************

crypto_sign/dilithium3aes/clean/poly.h

@@ -29,7 +29,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform(poly *a,
         const uint8_t seed[SEEDBYTES],
         uint16_t nonce);
 void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_eta(poly *a,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce);
 void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_gamma1(poly *a,
         const uint8_t seed[CRHBYTES],

crypto_sign/dilithium3aes/clean/polyvec.c

@@ -36,7 +36,7 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -178,7 +178,7 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t boun
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < K; ++i) {

crypto_sign/dilithium3aes/clean/polyvec.h

@@ -9,7 +9,7 @@ typedef struct {
     poly vec[L];
 } polyvecl;
 
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
@@ -36,7 +36,7 @@ typedef struct {
     poly vec[K];
 } polyveck;
 
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(polyveck *v);
 void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_caddq(polyveck *v);

crypto_sign/dilithium3aes/clean/sign.c

@@ -21,8 +21,8 @@
 * Returns 0 (success)
 **************************************************/
 int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
-    uint8_t seedbuf[3 * SEEDBYTES];
-    uint8_t tr[CRHBYTES];
+    uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
+    uint8_t tr[SEEDBYTES];
     const uint8_t *rho, *rhoprime, *key;
     polyvecl mat[K];
     polyvecl s1, s1hat;
@@ -30,10 +30,10 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
     /* Get randomness for rho, rhoprime and key */
     randombytes(seedbuf, SEEDBYTES);
-    shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES);
+    shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
     rho = seedbuf;
-    rhoprime = seedbuf + SEEDBYTES;
-    key = seedbuf + 2 * SEEDBYTES;
+    rhoprime = rho + SEEDBYTES;
+    key = rhoprime + CRHBYTES;
 
     /* Expand matrix */
     PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_expand(mat, rho);
@@ -57,8 +57,8 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
     PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_power2round(&t1, &t0, &t1);
     PQCLEAN_DILITHIUM3AES_CLEAN_pack_pk(pk, rho, &t1);
 
-    /* Compute CRH(rho, t1) and write secret key */
-    crh(tr, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES);
+    /* Compute H(rho, t1) and write secret key */
+    shake256(tr, SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES);
     PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
 
     return 0;
@@ -83,7 +83,7 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature(uint8_t *sig,
         size_t mlen,
         const uint8_t *sk) {
     unsigned int n;
-    uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES];
+    uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
     uint8_t *rho, *tr, *key, *mu, *rhoprime;
     uint16_t nonce = 0;
     polyvecl mat[K], s1, y, z;
@@ -93,20 +93,20 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature(uint8_t *sig,
 
     rho = seedbuf;
     tr = rho + SEEDBYTES;
-    key = tr + CRHBYTES;
+    key = tr + SEEDBYTES;
     mu = key + SEEDBYTES;
     rhoprime = mu + CRHBYTES;
     PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
 
     /* Compute CRH(tr, msg) */
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, tr, CRHBYTES);
+    shake256_inc_absorb(&state, tr, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);
     shake256_inc_ctx_release(&state);
 
-    crh(rhoprime, key, SEEDBYTES + CRHBYTES);
+    shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
 
     /* Expand matrix and transform vectors */
     PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_expand(mat, rho);
@@ -250,10 +250,10 @@ int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_verify(const uint8_t *sig,
         return -1;
     }
 
-    /* Compute CRH(CRH(rho, t1), msg) */
-    crh(mu, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES);
+    /* Compute CRH(H(rho, t1), msg) */
+    shake256(mu, SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES);
     shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu, CRHBYTES);
+    shake256_inc_absorb(&state, mu, SEEDBYTES);
     shake256_inc_absorb(&state, m, mlen);
     shake256_inc_finalize(&state);
     shake256_inc_squeeze(mu, CRHBYTES, &state);

crypto_sign/dilithium3aes/clean/symmetric.h

@@ -17,7 +17,6 @@ void PQCLEAN_DILITHIUM3AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state,
 #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
 #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
 
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
 #define stream128_init(STATE, SEED, NONCE) \
     PQCLEAN_DILITHIUM3AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE)
 #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \

crypto_sign/dilithium5/META.yml

@@ -2,10 +2,10 @@ name: Dilithium5
 type: signature
 claimed-nist-level: 5
 length-public-key: 2592
-length-secret-key: 4880
+length-secret-key: 4864
 length-signature: 4595
-nistkat-sha256: 1d1ee6fb14b864bcc564ad9c416593b2ee1bf93cd65dfe70d9e400bc66be3229
-testvectors-sha256: 9bc663cbfc1b43cff759cfeddd365b665762bc36e1f1d0777ae1196f59617a70
+nistkat-sha256: 984ea5f06b13778292f60ecc07301af76e375f1bb9f4a39d676513439e1e83a2
+testvectors-sha256: 47f16494eb4109934d44a52bc85a12155e8814c8925d7ae6d19840fd9556a73c
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:
@@ -17,9 +17,9 @@ auxiliary-submitters:
   - Damien Stehlé
 implementations:
     - name: clean
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
     - name: avx2
-      version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium
+      version: https://github.com/pq-crystals/dilithium/commit/adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 via https://github.com/jschanck/package-pqclean/tree/80749c85/dilithium
       supported_platforms:
         - architecture: x86_64
           operating_systems:

crypto_sign/dilithium5/avx2/api.h

@@ -5,7 +5,7 @@
 #include <stdint.h>
 
 #define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES 2592
-#define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES 4880
+#define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES 4864
 #define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_BYTES 4595
 #define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_ALGNAME "Dilithium5"
 

crypto_sign/dilithium5/avx2/fips202x4.c

@@ -91,17 +91,22 @@ static void keccakx4_squeezeblocks(uint8_t *out0,
                                    unsigned int r,
                                    __m256i s[25]) {
     unsigned int i;
+    double temp0, temp1;
     __m128d t;
 
     while (nblocks > 0) {
         PQCLEAN_DILITHIUM5_AVX2_f1600x4(s, KeccakF_RoundConstants);
         for (i = 0; i < r / 8; ++i) {
             t = _mm_castsi128_pd(_mm256_castsi256_si128(s[i]));
-            _mm_storel_pd((double *)&out0[8 * i], t);
-            _mm_storeh_pd((double *)&out1[8 * i], t);
+            _mm_storel_pd(&temp0, t);
+            _mm_storeh_pd(&temp1, t);
+            memmove(&out0[8 * i], &temp0, sizeof(double));
+            memmove(&out1[8 * i], &temp1, sizeof(double));
             t = _mm_castsi128_pd(_mm256_extracti128_si256(s[i], 1));
-            _mm_storel_pd((double *)&out2[8 * i], t);
-            _mm_storeh_pd((double *)&out3[8 * i], t);
+            _mm_storel_pd(&temp0, t);
+            _mm_storeh_pd(&temp1, t);
+            memmove(&out2[8 * i], &temp0, sizeof(double));
+            memmove(&out3[8 * i], &temp1, sizeof(double));
         }
 
         out0 += r;

crypto_sign/dilithium5/avx2/packing.c

@@ -67,7 +67,7 @@ void PQCLEAN_DILITHIUM5_AVX2_unpack_pk(uint8_t rho[SEEDBYTES],
 **************************************************/
 void PQCLEAN_DILITHIUM5_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES],
                                      const uint8_t rho[SEEDBYTES],
-                                     const uint8_t tr[CRHBYTES],
+                                     const uint8_t tr[SEEDBYTES],
                                      const uint8_t key[SEEDBYTES],
                                      const polyveck *t0,
                                      const polyvecl *s1,
@@ -84,10 +84,10 @@ void PQCLEAN_DILITHIUM5_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_S
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         sk[i] = tr[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM5_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -118,7 +118,7 @@ void PQCLEAN_DILITHIUM5_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_S
 *              - uint8_t sk[]: byte array containing bit-packed sk
 **************************************************/
 void PQCLEAN_DILITHIUM5_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-                                       uint8_t tr[CRHBYTES],
+                                       uint8_t tr[SEEDBYTES],
                                        uint8_t key[SEEDBYTES],
                                        polyveck *t0,
                                        polyvecl *s1,
@@ -136,10 +136,10 @@ void PQCLEAN_DILITHIUM5_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
     }
     sk += SEEDBYTES;
 
-    for (i = 0; i < CRHBYTES; ++i) {
+    for (i = 0; i < SEEDBYTES; ++i) {
         tr[i] = sk[i];
     }
-    sk += CRHBYTES;
+    sk += SEEDBYTES;
 
     for (i = 0; i < L; ++i) {
         PQCLEAN_DILITHIUM5_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);

crypto_sign/dilithium5/avx2/packing.h

@@ -8,7 +8,7 @@ void PQCLEAN_DILITHIUM5_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_P
 
 void PQCLEAN_DILITHIUM5_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES],
                                      const uint8_t rho[SEEDBYTES],
-                                     const uint8_t tr[CRHBYTES],
+                                     const uint8_t tr[SEEDBYTES],
                                      const uint8_t key[SEEDBYTES],
                                      const polyveck *t0,
                                      const polyvecl *s1,
@@ -19,7 +19,7 @@ void PQCLEAN_DILITHIUM5_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM5_AVX2_CRYPTO
 void PQCLEAN_DILITHIUM5_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES]);
 
 void PQCLEAN_DILITHIUM5_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
-                                       uint8_t tr[CRHBYTES],
+                                       uint8_t tr[SEEDBYTES],
                                        uint8_t key[SEEDBYTES],
                                        polyveck *t0,
                                        polyvecl *s1,

crypto_sign/dilithium5/avx2/params.h

@@ -4,7 +4,7 @@
 
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13
@@ -32,7 +32,7 @@
 #define POLYETA_PACKEDBYTES  96
 
 #define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
+#define PQCLEAN_DILITHIUM5_AVX2_CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
         + L*POLYETA_PACKEDBYTES \
         + K*POLYETA_PACKEDBYTES \
         + K*POLYT0_PACKEDBYTES)

crypto_sign/dilithium5/avx2/poly.c

@@ -507,34 +507,34 @@ static unsigned int rej_eta(int32_t *a,
 *              or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length  SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) {
+void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state) {
     unsigned int ctr;
-    ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf;
+    ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
 
-    stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
+    stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
     ctr = PQCLEAN_DILITHIUM5_AVX2_rej_eta_avx(a->coeffs, buf.coeffs);
 
     while (ctr < N) {
-        stream128_squeezeblocks(buf.coeffs, 1, state);
-        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
+        stream256_squeezeblocks(buf.coeffs, 1, state);
+        ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES);
     }
 }
 
-void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
-    stream128_state state;
-    stream128_init(&state, seed, nonce);
+void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) {
+    stream256_state state;
+    stream256_init(&state, seed, nonce);
     PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(a, &state);
-    stream128_release(&state);
+    stream256_release(&state);
 }
 
 void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_4x(poly *a0,
         poly *a1,
         poly *a2,
         poly *a3,
-        const uint8_t seed[32],
+        const uint8_t seed[64],
         uint16_t nonce0,
         uint16_t nonce1,
         uint16_t nonce2,
@@ -545,23 +545,28 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_4x(poly *a0,
     __m256i f;
     keccakx4_state state;
 
-    f = _mm256_loadu_si256((__m256i *)seed);
-    _mm256_store_si256(buf[0].vec, f);
-    _mm256_store_si256(buf[1].vec, f);
-    _mm256_store_si256(buf[2].vec, f);
-    _mm256_store_si256(buf[3].vec, f);
-
-    buf[0].coeffs[SEEDBYTES + 0] = nonce0;
-    buf[0].coeffs[SEEDBYTES + 1] = nonce0 >> 8;
-    buf[1].coeffs[SEEDBYTES + 0] = nonce1;
-    buf[1].coeffs[SEEDBYTES + 1] = nonce1 >> 8;
-    buf[2].coeffs[SEEDBYTES + 0] = nonce2;
-    buf[2].coeffs[SEEDBYTES + 1] = nonce2 >> 8;
-    buf[3].coeffs[SEEDBYTES + 0] = nonce3;
-    buf[3].coeffs[SEEDBYTES + 1] = nonce3 >> 8;
-
-    PQCLEAN_DILITHIUM5_AVX2_shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
-    PQCLEAN_DILITHIUM5_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
+    f = _mm256_loadu_si256((__m256i *)&seed[0]);
+    _mm256_store_si256(&buf[0].vec[0], f);
+    _mm256_store_si256(&buf[1].vec[0], f);
+    _mm256_store_si256(&buf[2].vec[0], f);
+    _mm256_store_si256(&buf[3].vec[0], f);
+    f = _mm256_loadu_si256((__m256i *)&seed[32]);
+    _mm256_store_si256(&buf[0].vec[1], f);
+    _mm256_store_si256(&buf[1].vec[1], f);
+    _mm256_store_si256(&buf[2].vec[1], f);
+    _mm256_store_si256(&buf[3].vec[1], f);
+
+    buf[0].coeffs[64] = nonce0;
+    buf[0].coeffs[65] = nonce0 >> 8;
+    buf[1].coeffs[64] = nonce1;
+    buf[1].coeffs[65] = nonce1 >> 8;
+    buf[2].coeffs[64] = nonce2;
+    buf[2].coeffs[65] = nonce2 >> 8;
+    buf[3].coeffs[64] = nonce3;
+    buf[3].coeffs[65] = nonce3 >> 8;
+
+    PQCLEAN_DILITHIUM5_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
+    PQCLEAN_DILITHIUM5_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
 
     ctr0 = PQCLEAN_DILITHIUM5_AVX2_rej_eta_avx(a0->coeffs, buf[0].coeffs);
     ctr1 = PQCLEAN_DILITHIUM5_AVX2_rej_eta_avx(a1->coeffs, buf[1].coeffs);
@@ -569,12 +574,12 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_4x(poly *a0,
     ctr3 = PQCLEAN_DILITHIUM5_AVX2_rej_eta_avx(a3->coeffs, buf[3].coeffs);
 
     while (ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
-        PQCLEAN_DILITHIUM5_AVX2_shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
+        PQCLEAN_DILITHIUM5_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
 
-        ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE);
-        ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE);
-        ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
-        ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
+        ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE);
+        ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE);
+        ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
+        ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
     }
 }
 
@@ -608,7 +613,7 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_gamma1_4x(poly *a0,
         poly *a1,
         poly *a2,
         poly *a3,
-        const uint8_t seed[48],
+        const uint8_t seed[64],
         uint16_t nonce0,
         uint16_t nonce1,
         uint16_t nonce2,
@@ -616,29 +621,28 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_gamma1_4x(poly *a0,
     ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES + 14) buf[4];
     keccakx4_state state;
     __m256i f;
-    __m128i g;
 
-    f = _mm256_loadu_si256((__m256i *)seed);
-    _mm256_store_si256(buf[0].vec, f);
-    _mm256_store_si256(buf[1].vec, f);
-    _mm256_store_si256(buf[2].vec, f);
-    _mm256_store_si256(buf[3].vec, f);
-    g = _mm_loadu_si128((__m128i *)&seed[32]);
-    _mm_store_si128((__m128i *)&buf[0].vec[1], g);
-    _mm_store_si128((__m128i *)&buf[1].vec[1], g);
-    _mm_store_si128((__m128i *)&buf[2].vec[1], g);
-    _mm_store_si128((__m128i *)&buf[3].vec[1], g);
-
-    buf[0].coeffs[CRHBYTES + 0] = nonce0;
-    buf[0].coeffs[CRHBYTES + 1] = nonce0 >> 8;
-    buf[1].coeffs[CRHBYTES + 0] = nonce1;
-    buf[1].coeffs[CRHBYTES + 1] = nonce1 >> 8;
-    buf[2].coeffs[CRHBYTES + 0] = nonce2;
-    buf[2].coeffs[CRHBYTES + 1] = nonce2 >> 8;
-    buf[3].coeffs[CRHBYTES + 0] = nonce3;
-    buf[3].coeffs[CRHBYTES + 1] = nonce3 >> 8;
-
-    PQCLEAN_DILITHIUM5_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, CRHBYTES + 2);
+    f = _mm256_loadu_si256((__m256i *)&seed[0]);
+    _mm256_store_si256(&buf[0].vec[0], f);
+    _mm256_store_si256(&buf[1].vec[0], f);
+    _mm256_store_si256(&buf[2].vec[0], f);
+    _mm256_store_si256(&buf[3].vec[0], f);
+    f = _mm256_loadu_si256((__m256i *)&seed[32]);
+    _mm256_store_si256(&buf[0].vec[1], f);
+    _mm256_store_si256(&buf[1].vec[1], f);
+    _mm256_store_si256(&buf[2].vec[1], f);
+    _mm256_store_si256(&buf[3].vec[1], f);
+
+    buf[0].coeffs[64] = nonce0;
+    buf[0].coeffs[65] = nonce0 >> 8;
+    buf[1].coeffs[64] = nonce1;
+    buf[1].coeffs[65] = nonce1 >> 8;
+    buf[2].coeffs[64] = nonce2;
+    buf[2].coeffs[65] = nonce2 >> 8;
+    buf[3].coeffs[64] = nonce3;
+    buf[3].coeffs[65] = nonce3 >> 8;
+
+    PQCLEAN_DILITHIUM5_AVX2_shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
     PQCLEAN_DILITHIUM5_AVX2_shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
 
     PQCLEAN_DILITHIUM5_AVX2_polyz_unpack(a0, buf[0].coeffs);

crypto_sign/dilithium5/avx2/poly.h

@@ -28,8 +28,8 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h
 int PQCLEAN_DILITHIUM5_AVX2_poly_chknorm(const poly *a, int32_t B);
 void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_preinit(poly *a, stream128_state *state);
 void PQCLEAN_DILITHIUM5_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_preinit(poly *a, stream256_state *state);
+void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
 void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 void PQCLEAN_DILITHIUM5_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
@@ -47,7 +47,7 @@ void PQCLEAN_DILITHIUM5_AVX2_poly_uniform_eta_4x(poly *a0,
         poly *a1,
         poly *a2,
         poly *a3,
-        const uint8_t seed[SEEDBYTES],
+        const uint8_t seed[CRHBYTES],
         uint16_t nonce0,
         uint16_t nonce1,
         uint16_t nonce2,

crypto_sign/dilithium5/avx2/polyvec.c

@@ -138,7 +138,7 @@ void PQCLEAN_DILITHIUM5_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, co
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -146,7 +146,7 @@ void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t see
     }
 }
 
-void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < L; ++i) {
@@ -271,7 +271,7 @@ int PQCLEAN_DILITHIUM5_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound)
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void PQCLEAN_DILITHIUM5_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void PQCLEAN_DILITHIUM5_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
     unsigned int i;
 
     for (i = 0; i < K; ++i) {

crypto_sign/dilithium5/avx2/polyvec.h

@@ -9,9 +9,9 @@ typedef struct {
     poly vec[L];
 } polyvecl;
 
-void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
-void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM5_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM5_AVX2_polyvecl_reduce(polyvecl *v);
 
@@ -33,7 +33,7 @@ typedef struct {
     poly vec[K];
 } polyveck;
 
-void PQCLEAN_DILITHIUM5_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void PQCLEAN_DILITHIUM5_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 void PQCLEAN_DILITHIUM5_AVX2_polyveck_reduce(polyveck *v);
 void PQCLEAN_DILITHIUM5_AVX2_polyveck_caddq(polyveck *v);