From 08ef5e0d049ba89c0b075a99cf28ad4d4a9b4c64 Mon Sep 17 00:00:00 2001 
From: "John M. Schanck" Date: Sat, 9 Oct 2021 20:57:00 -0700 Subject: [PATCH] Kyber: pull from upstream --- kyber/VERSION | 2 +- kyber/checkout.sh | 36 ++++++------- kyber/meta/kyber1024-90s_avx2_api.h | 18 +++++++ kyber/meta/kyber1024-90s_clean_api.h | 18 +++++++ kyber/meta/kyber1024_avx2_api.h | 18 +++++++ kyber/meta/kyber1024_clean_api.h | 18 +++++++ kyber/meta/kyber512-90s_avx2_api.h | 18 +++++++ kyber/meta/kyber512-90s_clean_api.h | 18 +++++++ kyber/meta/kyber512_avx2_api.h | 18 +++++++ kyber/meta/kyber512_clean_api.h | 18 +++++++ kyber/meta/kyber768-90s_avx2_api.h | 18 +++++++ kyber/meta/kyber768-90s_clean_api.h | 18 +++++++ kyber/meta/kyber768_avx2_api.h | 18 +++++++ kyber/meta/kyber768_clean_api.h | 18 +++++++ kyber/package.sh | 79 ++++++++++++++-------------- kyber/patches/avx2_consts.h | 6 +-- kyber/patches/avx2_fips202x4.c | 28 +++++++++- kyber/patches/avx2_fips202x4.h | 2 +- kyber/patches/avx2_params.h | 24 +++++---- kyber/patches/avx2_poly.h | 10 ++-- kyber/patches/avx2_polyvec.c | 4 +- kyber/patches/avx2_symmetric.h | 27 ++++------ kyber/patches/ref_api.h | 63 ---------------------- kyber/patches/ref_ntt.h | 6 +-- kyber/patches/ref_params.h | 12 ++--- kyber/patches/ref_poly.h | 6 +-- kyber/patches/ref_reduce.c | 17 ------ kyber/patches/ref_reduce.h | 14 +++++ kyber/patches/ref_symmetric-aes.h | 4 +- kyber/patches/ref_symmetric.h | 12 ++--- 30 files changed, 371 insertions(+), 197 deletions(-) create mode 100644 kyber/meta/kyber1024-90s_avx2_api.h create mode 100644 kyber/meta/kyber1024-90s_clean_api.h create mode 100644 kyber/meta/kyber1024_avx2_api.h create mode 100644 kyber/meta/kyber1024_clean_api.h create mode 100644 kyber/meta/kyber512-90s_avx2_api.h create mode 100644 kyber/meta/kyber512-90s_clean_api.h create mode 100644 kyber/meta/kyber512_avx2_api.h create mode 100644 kyber/meta/kyber512_clean_api.h create mode 100644 kyber/meta/kyber768-90s_avx2_api.h create mode 100644 kyber/meta/kyber768-90s_clean_api.h create mode 100644 
kyber/meta/kyber768_avx2_api.h create mode 100644 kyber/meta/kyber768_clean_api.h delete mode 100644 kyber/patches/ref_api.h delete mode 100644 kyber/patches/ref_reduce.c create mode 100644 kyber/patches/ref_reduce.h diff --git a/kyber/VERSION b/kyber/VERSION index f9e4eae..ec5167c 100644 --- a/kyber/VERSION +++ b/kyber/VERSION @@ -1 +1 @@ -6106678942f2bc2ce6bdfe93f6fc5548adfde24f +faf5c3fe33e0b61c7c8a7888dd862bf5def17ad2 diff --git a/kyber/checkout.sh b/kyber/checkout.sh index 5b509c4..84bf8f7 100755 --- a/kyber/checkout.sh +++ b/kyber/checkout.sh @@ -1,22 +1,21 @@ -PYTHON=/usr/bin/python3 +#!/bin/sh -BASE=`dirname $0` -BASE=`cd ${BASE} && pwd` +BASE=$(dirname "${0}") +BASE=$(cd "${BASE}" && pwd) -VERSION=$(cat ${BASE}/VERSION) +VERSION=$(cat "${BASE}"/VERSION) V1=upstream V2=upstream-patched -ARCHIVE=${VERSION}.zip +ARCHIVE="${VERSION}".zip +PATCHES="${BASE}"/patches -PATCHES=${BASE}/patches -SCRIPTS=${BASE}/scripts - -cd ${BASE} +cd "${BASE}" || exit if [ -e "${V1}" ] then - read -p "${V1} directory already exists. Delete it? " yn + printf "%s directory already exists. Delete it (y/n)? " "${V1}" + read -r yn if [ "${yn:-n}" != "y" ] then exit -1 @@ -26,7 +25,8 @@ fi if [ -e "${V2}" ] then - read -p "${V2} directory already exists. Delete it? " yn + printf "%s directory already exists. Delete it (y/n)? " "${V2}" + read -r yn if [ "${yn:-n}" != "y" ] then exit -1 @@ -34,19 +34,19 @@ then rm -rf ${V2} fi -if [ ! -f ${BASE}/${ARCHIVE} ] +if [ ! -f "${BASE}/${ARCHIVE}" ] then - wget -P ${BASE} https://github.com/pq-crystals/kyber/archive/${VERSION}.zip + wget -P "${BASE}" "https://github.com/pq-crystals/kyber/archive/${VERSION}.zip" fi -unzip -qq -d ${BASE} ${BASE}/${ARCHIVE} -mv kyber-${VERSION} ${V1} +unzip -qq -d "${BASE}" "${BASE}/${ARCHIVE}" +mv kyber-"${VERSION}" ${V1} mkdir -p ${V2} cp -rp ${V1}/* ${V2} -( cd ${V2} -for X in ${PATCHES}/* +( cd ${V2} || exit +for X in "${PATCHES}"/* do - patch -p1 < ${X} + patch -p1 < "${X}" done ) 
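Review bot: The archive that `wget -P "${BASE}" "https://github.com/pq-crystals/kyber/archive/${VERSION}.zip"` fetches is unpacked with `unzip` and patched without any integrity check, so the only protection against a substituted upstream archive is the TLS connection; VERSION pins a commit, but nothing in checkout.sh verifies that the bytes on disk correspond to it. Store a SHA-256 of the archive next to VERSION and check it before unpacking, e.g. `echo "${ARCHIVE_SHA256}  ${BASE}/${ARCHIVE}" | sha256sum -c - || exit 1` (package.sh repeats the same download and needs the same check); GitHub-generated archives have not always been byte-stable, so a mismatch may mean re-pinning rather than tampering, but either way it should stop the build. Separately, the retained `exit -1` is not a valid exit status under the new `#!/bin/sh` and reports as 255; `exit 1` says what is meant.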
diff --git a/kyber/meta/kyber1024-90s_avx2_api.h b/kyber/meta/kyber1024-90s_avx2_api.h
new file mode 100644
index 0000000..a5389ee
--- /dev/null
+++ b/kyber/meta/kyber1024-90s_avx2_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 3168
+#define CRYPTO_PUBLICKEYBYTES 1568
+#define CRYPTO_CIPHERTEXTBYTES 1568
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber1024-90s"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber1024-90s_clean_api.h b/kyber/meta/kyber1024-90s_clean_api.h
new file mode 100644
index 0000000..a5389ee
--- /dev/null
+++ b/kyber/meta/kyber1024-90s_clean_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 3168
+#define CRYPTO_PUBLICKEYBYTES 1568
+#define CRYPTO_CIPHERTEXTBYTES 1568
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber1024-90s"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber1024_avx2_api.h b/kyber/meta/kyber1024_avx2_api.h
new file mode 100644
index 0000000..7be2d2f
--- /dev/null
+++ b/kyber/meta/kyber1024_avx2_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 3168
+#define CRYPTO_PUBLICKEYBYTES 1568
+#define CRYPTO_CIPHERTEXTBYTES 1568
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber1024"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber1024_clean_api.h b/kyber/meta/kyber1024_clean_api.h
new file mode 100644
index 0000000..7be2d2f
--- /dev/null
+++ b/kyber/meta/kyber1024_clean_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 3168
+#define CRYPTO_PUBLICKEYBYTES 1568
+#define CRYPTO_CIPHERTEXTBYTES 1568
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber1024"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber512-90s_avx2_api.h b/kyber/meta/kyber512-90s_avx2_api.h
new file mode 100644
index 0000000..6e38a4f
--- /dev/null
+++ b/kyber/meta/kyber512-90s_avx2_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 1632
+#define CRYPTO_PUBLICKEYBYTES 800
+#define CRYPTO_CIPHERTEXTBYTES 768
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber512-90s"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber512-90s_clean_api.h b/kyber/meta/kyber512-90s_clean_api.h
new file mode 100644
index 0000000..6e38a4f
--- /dev/null
+++ b/kyber/meta/kyber512-90s_clean_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 1632
+#define CRYPTO_PUBLICKEYBYTES 800
+#define CRYPTO_CIPHERTEXTBYTES 768
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber512-90s"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber512_avx2_api.h b/kyber/meta/kyber512_avx2_api.h
new file mode 100644
index 0000000..fdc0a34
--- /dev/null
+++ b/kyber/meta/kyber512_avx2_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 1632
+#define CRYPTO_PUBLICKEYBYTES 800
+#define CRYPTO_CIPHERTEXTBYTES 768
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber512"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber512_clean_api.h b/kyber/meta/kyber512_clean_api.h
new file mode 100644
index 0000000..fdc0a34
--- /dev/null
+++ b/kyber/meta/kyber512_clean_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 1632
+#define CRYPTO_PUBLICKEYBYTES 800
+#define CRYPTO_CIPHERTEXTBYTES 768
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber512"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber768-90s_avx2_api.h b/kyber/meta/kyber768-90s_avx2_api.h
new file mode 100644
index 0000000..4b6ab36
--- /dev/null
+++ b/kyber/meta/kyber768-90s_avx2_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 2400
+#define CRYPTO_PUBLICKEYBYTES 1184
+#define CRYPTO_CIPHERTEXTBYTES 1088
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber768-90s"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber768-90s_clean_api.h b/kyber/meta/kyber768-90s_clean_api.h
new file mode 100644
index 0000000..4b6ab36
--- /dev/null
+++ b/kyber/meta/kyber768-90s_clean_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 2400
+#define CRYPTO_PUBLICKEYBYTES 1184
+#define CRYPTO_CIPHERTEXTBYTES 1088
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber768-90s"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber768_avx2_api.h b/kyber/meta/kyber768_avx2_api.h
new file mode 100644
index 0000000..341d7e5
--- /dev/null
+++ b/kyber/meta/kyber768_avx2_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 2400
+#define CRYPTO_PUBLICKEYBYTES 1184
+#define CRYPTO_CIPHERTEXTBYTES 1088
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber768"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/meta/kyber768_clean_api.h b/kyber/meta/kyber768_clean_api.h
new file mode 100644
index 0000000..341d7e5
--- /dev/null
+++ b/kyber/meta/kyber768_clean_api.h
@@ -0,0 +1,18 @@
+#ifndef API_H
+#define API_H
+
+#include
+
+#define CRYPTO_SECRETKEYBYTES 2400
+#define CRYPTO_PUBLICKEYBYTES 1184
+#define CRYPTO_CIPHERTEXTBYTES 1088
+#define CRYPTO_BYTES 32
+#define CRYPTO_ALGNAME "Kyber768"
+
+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif
diff --git a/kyber/package.sh b/kyber/package.sh
index e705f11..e3e50fe 100755
--- a/kyber/package.sh
+++ b/kyber/package.sh
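Review bot: The twelve headers under kyber/meta hard-code the key and ciphertext sizes by hand (e.g. `#define CRYPTO_SECRETKEYBYTES 2400` for the Kyber768 pair), whereas the deleted ref_api.h patch derived them from params.h; nothing visible in this commit ties these numbers back to KYBER_SECRETKEYBYTES/KYBER_PUBLICKEYBYTES/KYBER_CIPHERTEXTBYTES, so an upstream change to the key encoding would leave them silently stale. The values match the Kyber round-3 sizes as far as I can check, but I would add a guard in whichever translation unit sees both headers (presumably kem.c), `_Static_assert(CRYPTO_SECRETKEYBYTES == KYBER_SECRETKEYBYTES, "api.h out of sync with params.h");` and likewise for the public key and ciphertext. The prototypes also declare plain `crypto_kem_keypair`/`crypto_kem_enc`/`crypto_kem_dec` without the KYBER_NAMESPACE mapping the old patch kept, so linking more than one parameter set into one binary will collide unless the consumer's build renames them; if that is intentional, a one-line comment at the top of each header saying so would spare the next reader the question.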
@@ -3,15 +3,15 @@ VERSION=$(cat VERSION) PACKAGER=$(git rev-parse HEAD) -BASE=`dirname $0` -BASE=`cd $BASE && pwd` +BASE=$(dirname "${0}") +BASE=$(cd "${BASE}" && pwd) echo ${BASE} -ARCHIVE=${VERSION}.zip -BUILD=${BASE}/build -BUILD_CRYPTO_KEM=${BUILD}/crypto_kem -BUILD_UPSTREAM=${BUILD}/upstream -BUILD_TEST=${BUILD}/test +ARCHIVE="${VERSION}.zip" +BUILD="${BASE}/build" +BUILD_CRYPTO_KEM="${BUILD}/crypto_kem" +BUILD_UPSTREAM="${BUILD}/upstream" +BUILD_TEST="${BUILD}/test" function task { echo -e "[ ]" $1 
@@ -22,70 +22,71 @@ function endtask { } function cleanup { - rm -rf ${BUILD} + rm -rf "${BUILD}" } trap cleanup EXIT if [ -e "${BUILD_CRYPTO_KEM}" ] then - read -p "${BUILD_CRYPTO_KEM} directory already exists. Delete it? " yn + printf "%s directory already exists. Delete it (y/n)? " "${BUILD_CRYPTO_KEM}" + read -r yn if [ "${yn:-n}" != "y" ] then exit -1 fi - rm -rf ${BUILD_CRYPTO_KEM} ${BUILD_TEST} + rm -rf "${BUILD_CRYPTO_KEM}" "${BUILD_TEST}" fi -mkdir -p ${BUILD_CRYPTO_KEM} ${BUILD_TEST} +mkdir -p "${BUILD_CRYPTO_KEM}" "${BUILD_TEST}" -if [ ! -f ${BASE}/${ARCHIVE} ] +if [ ! -f "${BASE}/${ARCHIVE}" ] then - wget -P ${BASE} https://github.com/pq-crystals/kyber/archive/${VERSION}.zip + wget -P "${BASE}" "https://github.com/pq-crystals/kyber/archive/${VERSION}.zip" fi task "Unpacking ${ARCHIVE}" -unzip -qq -d ${BUILD} ${BASE}/${ARCHIVE} -mv ${BUILD}/kyber-${VERSION} ${BUILD_UPSTREAM} +unzip -qq -d "${BUILD}" "${BASE}/${ARCHIVE}" +mv "${BUILD}/kyber-${VERSION}" "${BUILD_UPSTREAM}" endtask task 'Applying patches to upstream source code' -( cd ${BUILD_UPSTREAM} +( cd "${BUILD_UPSTREAM}" -for X in ${BASE}/patches/* +for X in "${BASE}"/patches/* do - patch -s -p1 < ${X} + patch -s -p1 < "${X}" done ) endtask for PARAM in kyber{512,768,1024}{,-90s} do - mkdir -p ${BUILD_CRYPTO_KEM}/${PARAM}/avx2 - mkdir -p ${BUILD_CRYPTO_KEM}/${PARAM}/clean + mkdir -p "${BUILD_CRYPTO_KEM}/${PARAM}/avx2" + mkdir -p "${BUILD_CRYPTO_KEM}/${PARAM}/clean" task "Copying upstream/ref to ${PARAM}/clean" - ( cd ${BUILD_UPSTREAM}/ref/ - OUT=${BUILD_CRYPTO_KEM}/${PARAM}/clean/ - cp -Lp cbd.c indcpa.c kem.c ntt.c poly.c polyvec.c reduce.c verify.c ${OUT} - cp -Lp api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric.h verify.h ${OUT} - [[ ${PARAM} =~ "90s" ]] && - cp -Lp symmetric-aes.{c,h} ${OUT} || - cp -Lp symmetric-shake.c ${OUT} ) + ( cd "${BUILD_UPSTREAM}/ref/" + OUT="${BUILD_CRYPTO_KEM}/${PARAM}/clean/" + cp -Lp cbd.c indcpa.c kem.c ntt.c poly.c polyvec.c reduce.c 
verify.c "${OUT}" + cp -Lp cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric.h verify.h "${OUT}" + ([[ "${PARAM}" =~ "90s" ]] && cp -Lp symmetric-aes.{c,h} "${OUT}") || cp -Lp symmetric-shake.c "${OUT}" + cp "${BASE}/meta/${PARAM}_clean_api.h" "${OUT}/api.h" + ) endtask task "Copying upstream/avx2 to ${PARAM}/avx2" - ( cd ${BUILD_UPSTREAM}/avx2/ - OUT=${BUILD_CRYPTO_KEM}/${PARAM}/avx2/ - cp -Lp cbd.c consts.c fq.inc indcpa.c kem.c poly.c polyvec.c rejsample.c shuffle.inc verify.c ${OUT} - cp -Lp align.h api.h cbd.h cdecl.h consts.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h rejsample.h symmetric.h verify.h ${OUT} - cp -Lp fq.inc shuffle.inc ${OUT} - cp -Lp basemul.S fq.S invntt.S ntt.S shuffle.S ${OUT} - [[ ${PARAM} =~ "90s" ]] && - cp -Lp aes256ctr.{c,h} ${OUT} || - cp -Lp fips202x4.{c,h} symmetric-shake.c ${OUT} ) + ( cd "${BUILD_UPSTREAM}/avx2/" || exit + OUT="${BUILD_CRYPTO_KEM}/${PARAM}/avx2/" + cp -Lp cbd.c consts.c fq.inc indcpa.c kem.c poly.c polyvec.c rejsample.c shuffle.inc verify.c "${OUT}" + cp -Lp align.h cbd.h cdecl.h consts.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h rejsample.h symmetric.h verify.h "${OUT}" + cp -Lp fq.inc shuffle.inc "${OUT}" + cp -Lp basemul.S fq.S invntt.S ntt.S shuffle.S "${OUT}" + ([[ "${PARAM}" =~ "90s" ]] && cp -Lp aes256ctr.{c,h} "${OUT}") || cp -Lp fips202x4.{c,h} symmetric-shake.c "${OUT}" + cp "${BASE}/meta/${PARAM}_avx2_api.h" "${OUT}/api.h" + ) endtask # Makefiles and other metadata -( cd ${BUILD_CRYPTO_KEM}/${PARAM}/ +( cd "${BUILD_CRYPTO_KEM}/${PARAM}/" echo "\ Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) @@ -95,7 +96,7 @@ code from sources and by authors listed in comments on top of the respective files." > clean/LICENSE cp clean/LICENSE avx2/LICENSE - cp -Lp ${BASE}/meta/crypto_kem_${PARAM}_META.yml META.yml + cp -Lp "${BASE}/meta/crypto_kem_${PARAM}_META.yml" META.yml echo "\ implementations: - name: clean 
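Review bot: In the clean-copy block, `([[ "${PARAM}" =~ "90s" ]] && cp -Lp symmetric-aes.{c,h} "${OUT}") || cp -Lp symmetric-shake.c "${OUT}"` keeps the `A && B || C` shape of the old code: if the AES copy fails for a -90s parameter set, the `||` branch runs and a SHAKE-based symmetric-shake.c lands in a package labelled 90s with no error reported. The avx2 block has the same construct, and `( cd "${BUILD_UPSTREAM}/ref/"` lacks the `|| exit` its avx2 twin received, so a failed cd copies whatever happens to be in the current directory. Each subshell should use an explicit if/else and propagate failure to the outer script, since no `set -e` is visible and the `cleanup` trap removes the build tree either way.
```shell
( cd "${BUILD_UPSTREAM}/ref/" || exit 1
  OUT="${BUILD_CRYPTO_KEM}/${PARAM}/clean/"
  # … unchanged: cp of the shared .c and .h files …
  if [[ "${PARAM}" =~ "90s" ]]; then
    cp -Lp symmetric-aes.{c,h} "${OUT}" || exit 1
  else
    cp -Lp symmetric-shake.c "${OUT}" || exit 1
  fi
  cp "${BASE}/meta/${PARAM}_clean_api.h" "${OUT}/api.h" || exit 1
) || exit 1
```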
@@ -168,7 +169,7 @@ $(basename -a avx2/*.inc | tr '\n' ' ') OBJECTS=$(basename -a avx2/*.c | sed 's/\.c/.o/' | tr '\n' ' ') \ $(basename -a avx2/*.S | sed 's/\.S/.o/' | tr '\n' ' ')" > avx2/Makefile - if [[ ${PARAM} =~ "90s" ]] + if [[ "${PARAM}" =~ "90s" ]] then echo "\ CFLAGS=-mavx2 -maes -mbmi2 -mpopcnt -O3 -Wall -Wextra -Wpedantic -Werror \\ diff --git a/kyber/patches/avx2_consts.h b/kyber/patches/avx2_consts.h index 4c7fc2e..1839e2c 100644 --- a/kyber/patches/avx2_consts.h +++ b/kyber/patches/avx2_consts.h @@ -30,9 +30,9 @@ -#if defined(__WIN32__) || defined(__APPLE__) -#define decorate(s) _##s -#define cdecl2(s) decorate(s) --#define cdecl(s) cdecl2(KYBER_NAMESPACE(_##s)) +-#define cdecl(s) cdecl2(KYBER_NAMESPACE(##s)) -#else --#define cdecl(s) KYBER_NAMESPACE(_##s) +-#define cdecl(s) KYBER_NAMESPACE(##s) -#endif -#endif - @@ -41,7 +41,7 @@ +#include "cdecl.h" + typedef ALIGNED_INT16(640) qdata_t; - #define qdata KYBER_NAMESPACE(_qdata) + #define qdata KYBER_NAMESPACE(qdata) extern const qdata_t qdata; -#endif diff --git a/kyber/patches/avx2_fips202x4.c b/kyber/patches/avx2_fips202x4.c index 6ad541e..dbb56d1 100644 --- a/kyber/patches/avx2_fips202x4.c +++ b/kyber/patches/avx2_fips202x4.c @@ -4,7 +4,7 @@ #include "fips202x4.h" /* Use implementation from the Keccak Code Package */ --#define KeccakF1600_StatePermute4x FIPS202X4_NAMESPACE(_KeccakP1600times4_PermuteAll_24rounds) +-#define KeccakF1600_StatePermute4x FIPS202X4_NAMESPACE(KeccakP1600times4_PermuteAll_24rounds) +#define KeccakF1600_StatePermute4x KeccakP1600times4_PermuteAll_24rounds extern void KeccakF1600_StatePermute4x(__m256i *s); 
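Review bot: `+#define KeccakF1600_StatePermute4x KeccakP1600times4_PermuteAll_24rounds` drops the FIPS202X4_NAMESPACE prefix, so the avx2 package now imports an un-namespaced global symbol that has to come from the consumer's shared 4-way Keccak code rather than from anything package.sh copies (none of the copied file lists include a KeccakP1600times4 source). That is presumably the intent, but it deserves a comment at the define, e.g. `/* provided by the shared 4-way Keccak permutation, not by this package */`, and a matching dependency entry in META.yml if that file records common code. An application that also links its own copy of `KeccakP1600times4_PermuteAll_24rounds` (XKCP, say) will otherwise get a duplicate-symbol error or pick whichever definition comes first in link order.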
@@ -26,4 +26,30 @@ s[r/8 - 1] = _mm256_xor_si256(s[r/8 - 1], t); } +@@ -67,16 +67,21 @@ + { + unsigned int i; + __m128d t; ++ double tmp; + + while(nblocks > 0) { + KeccakF1600_StatePermute4x(s); + for(i=0; i < r/8; ++i) { + t = _mm_castsi128_pd(_mm256_castsi256_si128(s[i])); +- _mm_storel_pd((__attribute__((__may_alias__)) double *)&out0[8*i], t); +- _mm_storeh_pd((__attribute__((__may_alias__)) double *)&out1[8*i], t); ++ _mm_storel_pd(&tmp, t); ++ memcpy(&out0[8*i], &tmp, 8); ++ _mm_storeh_pd(&tmp, t); ++ memcpy(&out1[8*i], &tmp, 8); + t = _mm_castsi128_pd(_mm256_extracti128_si256(s[i],1)); +- _mm_storel_pd((__attribute__((__may_alias__)) double *)&out2[8*i], t); +- _mm_storeh_pd((__attribute__((__may_alias__)) double *)&out3[8*i], t); ++ _mm_storel_pd(&tmp, t); ++ memcpy(&out2[8*i], &tmp, 8); ++ _mm_storeh_pd(&tmp, t); ++ memcpy(&out3[8*i], &tmp, 8); + } + + out0 += r; diff --git a/kyber/patches/avx2_fips202x4.h b/kyber/patches/avx2_fips202x4.h index b4ee168..6f21833 100644 --- a/kyber/patches/avx2_fips202x4.h +++ b/kyber/patches/avx2_fips202x4.h @@ -4,7 +4,7 @@ #include #include --#define FIPS202X4_NAMESPACE(s) pqcrystals_fips202x4_avx2##s +-#define FIPS202X4_NAMESPACE(s) pqcrystals_kyber_fips202x4_avx2_##s - typedef struct { __m256i s[25]; diff --git a/kyber/patches/avx2_params.h b/kyber/patches/avx2_params.h index 90b99f9..5c35b25 100644 --- a/kyber/patches/avx2_params.h +++ b/kyber/patches/avx2_params.h 
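Review bot: The new `memcpy(&out0[8*i], &tmp, 8);` lines depend on `<string.h>` being included by fips202x4.c, and the include block is outside this hunk, so confirm it or add `#include <string.h>` alongside the fips202x4.h include; the replaced `_mm_storel_pd` casts never needed it. The `double tmp` is only a carrier for 64 bits and no arithmetic touches it, so the bit pattern survives on x86-64 where doubles live in SSE registers, which is the only target this AVX2 file can build for; a comment such as `/* bounce through a temporary: storing through a cast double* violates strict aliasing */` would make clear the slower-looking path is deliberate. The enclosing squeeze function starts and ends outside the hunk.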
@@ -1,29 +1,33 @@ --- upstream/avx2/params.h +++ upstream-patched/avx2/params.h -@@ -5,31 +5,6 @@ - #define KYBER_K 3 /* Change this for different security strengths */ - #endif +@@ -1,35 +1,6 @@ + #ifndef PARAMS_H + #define PARAMS_H +-#ifndef KYBER_K +-#define KYBER_K 3 /* Change this for different security strengths */ +-#endif +- -//#define KYBER_90S /* Uncomment this if you want the 90S variant */ - -/* Don't change parameters below this line */ -#if (KYBER_K == 2) -#ifdef KYBER_90S --#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_avx2##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_avx2_##s -#else --#define KYBER_NAMESPACE(s) pqcrystals_kyber512_avx2##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber512_avx2_##s -#endif -#elif (KYBER_K == 3) -#ifdef KYBER_90S --#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_avx2##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_avx2_##s -#else --#define KYBER_NAMESPACE(s) pqcrystals_kyber768_avx2##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber768_avx2_##s -#endif -#elif (KYBER_K == 4) -#ifdef KYBER_90S --#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_avx2##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_avx2_##s -#else --#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_avx2##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_avx2_##s -#endif -#else -#error "KYBER_K must be in {2,3,4}" @@ -32,7 +36,7 @@ #define KYBER_N 256 #define KYBER_Q 3329 -@@ -40,14 +15,17 @@ +@@ -40,14 +11,17 @@ #define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) #if KYBER_K == 2 diff --git a/kyber/patches/avx2_poly.h b/kyber/patches/avx2_poly.h index b223d7a..64525e4 100644 --- a/kyber/patches/avx2_poly.h +++ b/kyber/patches/avx2_poly.h @@ -9,12 +9,12 @@ #include "align.h" #include "params.h" 
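Review bot: With `-#ifndef KYBER_K` / `-#define KYBER_K 3` now stripped from params.h the parameter set must come from the build (`-DKYBER_K=…`), yet the patch also removes upstream's `#error "KYBER_K must be in {2,3,4}"` fallback, so a build that forgets the define no longer fails with a clear message; the surviving `#if KYBER_K == 2` chain just sees 0 and the dependent constants go undefined, surfacing as confusing errors elsewhere. Keep a guard at the top of the patched header, `#if !defined(KYBER_K) || (KYBER_K != 2 && KYBER_K != 3 && KYBER_K != 4)` / `#error "KYBER_K must be defined as 2, 3 or 4 by the build"` / `#endif`, unless the generated Makefile already enforces it (its CFLAGS line is outside this hunk). The ref_params.h patch further down makes the same removal and would want the same guard.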
@@ -20,7 +21,7 @@ - #define poly_frommsg KYBER_NAMESPACE(_poly_frommsg) + #define poly_frommsg KYBER_NAMESPACE(poly_frommsg) void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - #define poly_tomsg KYBER_NAMESPACE(_poly_tomsg) --void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *r); -+void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); + #define poly_tomsg KYBER_NAMESPACE(poly_tomsg) +-void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *r); ++void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a); - #define poly_getnoise_eta1 KYBER_NAMESPACE(_poly_getnoise_eta1) + #define poly_getnoise_eta1 KYBER_NAMESPACE(poly_getnoise_eta1) void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); diff --git a/kyber/patches/avx2_polyvec.c b/kyber/patches/avx2_polyvec.c index a19b96f..48d19ce 100644 --- a/kyber/patches/avx2_polyvec.c +++ b/kyber/patches/avx2_polyvec.c @@ -20,7 +20,7 @@ const __m256i shufbidx = _mm256_set_epi8(11,10,10, 9, 9, 8, 8, 7, @@ -156,7 +156,7 @@ **************************************************/ - void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES+2], polyvec *a) + void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES+2], const polyvec *a) { - unsigned int i; + size_t i; 
@@ -38,7 +38,7 @@ for(i=0;i +@@ -10,22 +10,16 @@ + #include "sha2.h" #include "aes256ctr.h" -- + -#if (KYBER_SSBYTES != 32) -#error "90s variant of Kyber can only generate keys of length 256 bits" -#endif -+#include "sha2.h" - +- typedef aes256ctr_ctx xof_state; #define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES --#define hash_h(OUT, IN, INBYTES) SHA256(IN, INBYTES, OUT) --#define hash_g(OUT, IN, INBYTES) SHA512(IN, INBYTES, OUT) + #define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) + #define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) -#define xof_absorb(STATE, SEED, X, Y) \ - aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8)) -#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define prf(OUT, OUTBYTES, KEY, NONCE) \ - aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE) --#define kdf(OUT, IN, INBYTES) SHA256(IN, INBYTES, OUT) -+#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) -+#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) +#define xof_absorb(STATE, SEED, X, Y) aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8)) +#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) +#define prf(OUT, OUTBYTES, KEY, NONCE) aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE) -+#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) + #define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) #else - +@@ -33,29 +27,25 @@ #include "fips202.h" #include "fips202x4.h" -typedef keccak_state xof_state; +typedef shake128ctx xof_state; - #define kyber_shake128_absorb KYBER_NAMESPACE(_kyber_shake128_absorb) + #define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb) -void kyber_shake128_absorb(keccak_state *s, +void kyber_shake128_absorb(xof_state *s, const uint8_t seed[KYBER_SYMBYTES], uint8_t x, uint8_t y); - #define kyber_shake256_prf KYBER_NAMESPACE(_kyber_shake256_prf) + #define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf) -void 
kyber_shake256_prf(uint8_t *out, - size_t outlen, - const uint8_t key[KYBER_SYMBYTES], diff --git a/kyber/patches/ref_api.h b/kyber/patches/ref_api.h deleted file mode 100644 index 1ee91a6..0000000 --- a/kyber/patches/ref_api.h +++ /dev/null 
@@ -1,63 +0,0 @@ ---- upstream/ref/api.h -+++ upstream-patched/ref/api.h -@@ -1,26 +1,33 @@ - #ifndef API_H - #define API_H - --#include "params.h" -- --#define CRYPTO_SECRETKEYBYTES KYBER_SECRETKEYBYTES --#define CRYPTO_PUBLICKEYBYTES KYBER_PUBLICKEYBYTES --#define CRYPTO_CIPHERTEXTBYTES KYBER_CIPHERTEXTBYTES --#define CRYPTO_BYTES KYBER_SSBYTES -+#include - - #if (KYBER_K == 2) -+#define CRYPTO_SECRETKEYBYTES 1632 -+#define CRYPTO_PUBLICKEYBYTES 800 -+#define CRYPTO_CIPHERTEXTBYTES 768 -+#define CRYPTO_BYTES 32 - #ifdef KYBER_90S - #define CRYPTO_ALGNAME "Kyber512-90s" - #else - #define CRYPTO_ALGNAME "Kyber512" - #endif - #elif (KYBER_K == 3) -+#define CRYPTO_SECRETKEYBYTES 2400 -+#define CRYPTO_PUBLICKEYBYTES 1184 -+#define CRYPTO_CIPHERTEXTBYTES 1088 -+#define CRYPTO_BYTES 32 - #ifdef KYBER_90S - #define CRYPTO_ALGNAME "Kyber768-90s" - #else - #define CRYPTO_ALGNAME "Kyber768" - #endif - #elif (KYBER_K == 4) -+#define CRYPTO_SECRETKEYBYTES 3168 -+#define CRYPTO_PUBLICKEYBYTES 1568 -+#define CRYPTO_CIPHERTEXTBYTES 1568 -+#define CRYPTO_BYTES 32 - #ifdef KYBER_90S - #define CRYPTO_ALGNAME "Kyber1024-90s" - #else -@@ -29,16 +36,12 @@ - #endif - - #define crypto_kem_keypair KYBER_NAMESPACE(_keypair) --int crypto_kem_keypair(unsigned char *pk, unsigned char *sk); -+int crypto_kem_keypair(uint8_t *pk, uint8_t *sk); - - #define crypto_kem_enc KYBER_NAMESPACE(_enc) --int crypto_kem_enc(unsigned char *ct, -- unsigned char *ss, -- const unsigned char *pk); -+int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); - - #define crypto_kem_dec KYBER_NAMESPACE(_dec) --int crypto_kem_dec(unsigned char *ss, -- const unsigned char *ct, -- const unsigned char *sk); -+int crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - - #endif - diff --git a/kyber/patches/ref_ntt.h b/kyber/patches/ref_ntt.h index 4dc1cc6..6257a53 100644 --- a/kyber/patches/ref_ntt.h +++ b/kyber/patches/ref_ntt.h @@ -3,14 +3,14 @@ 
@@ -8,10 +8,10 @@ extern const int16_t zetas[128]; - #define ntt KYBER_NAMESPACE(_ntt) + #define ntt KYBER_NAMESPACE(ntt) -void ntt(int16_t poly[256]); +void ntt(int16_t r[256]); - #define invntt KYBER_NAMESPACE(_invntt) + #define invntt KYBER_NAMESPACE(invntt) -void invntt(int16_t poly[256]); +void invntt(int16_t r[256]); - #define basemul KYBER_NAMESPACE(_basemul) + #define basemul KYBER_NAMESPACE(basemul) void basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); diff --git a/kyber/patches/ref_params.h b/kyber/patches/ref_params.h index 76ea123..5425433 100644 --- a/kyber/patches/ref_params.h +++ b/kyber/patches/ref_params.h @@ -9,21 +9,21 @@ -/* Don't change parameters below this line */ -#if (KYBER_K == 2) -#ifdef KYBER_90S --#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_ref##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_ref_##s -#else --#define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref_##s -#endif -#elif (KYBER_K == 3) -#ifdef KYBER_90S --#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_ref##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_ref_##s -#else --#define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref_##s -#endif -#elif (KYBER_K == 4) -#ifdef KYBER_90S --#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_ref##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_ref_##s -#else --#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref##s +-#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref_##s -#endif -#else -#error "KYBER_K must be in {2,3,4}" diff --git a/kyber/patches/ref_poly.h b/kyber/patches/ref_poly.h index 68320e9..fcaab57 100644 --- a/kyber/patches/ref_poly.h +++ b/kyber/patches/ref_poly.h @@ -1,12 +1,12 @@ --- upstream/ref/poly.h +++ upstream-patched/ref/poly.h 
@@ -25,7 +25,7 @@ - #define poly_frommsg KYBER_NAMESPACE(_poly_frommsg) + #define poly_frommsg KYBER_NAMESPACE(poly_frommsg) void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); - #define poly_tomsg KYBER_NAMESPACE(_poly_tomsg) + #define poly_tomsg KYBER_NAMESPACE(poly_tomsg) -void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *r); +void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a); - #define poly_getnoise_eta1 KYBER_NAMESPACE(_poly_getnoise_eta1) + #define poly_getnoise_eta1 KYBER_NAMESPACE(poly_getnoise_eta1) void poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); diff --git a/kyber/patches/ref_reduce.c b/kyber/patches/ref_reduce.c deleted file mode 100644 index 9bc9aa7..0000000 --- a/kyber/patches/ref_reduce.c +++ /dev/null @@ -1,17 +0,0 @@ ---- upstream/ref/reduce.c -+++ upstream-patched/ref/reduce.c -@@ -18,11 +18,11 @@ - int32_t t; - int16_t u; - -- u = a*QINV; -+ u = (int16_t)(a*(int64_t)QINV); - t = (int32_t)u*KYBER_Q; - t = a - t; - t >>= 16; -- return t; -+ return (int16_t)t; - } - - /************************************************* - diff --git a/kyber/patches/ref_reduce.h b/kyber/patches/ref_reduce.h new file mode 100644 index 0000000..c10e98a --- /dev/null +++ b/kyber/patches/ref_reduce.h @@ -0,0 +1,14 @@ +--- upstream/ref/reduce.h ++++ upstream-patched/ref/reduce.h +@@ -4,8 +4,8 @@ + #include + #include "params.h" + +-#define MONT -1044 // 2^16 mod q +-#define QINV -3327 // q^-1 mod 2^16 ++#define MONT (-1044) // 2^16 mod q ++#define QINV (-3327) // q^-1 mod 2^16 + + #define montgomery_reduce KYBER_NAMESPACE(montgomery_reduce) + int16_t montgomery_reduce(int32_t a); + diff --git a/kyber/patches/ref_symmetric-aes.h b/kyber/patches/ref_symmetric-aes.h index c0c44ef..fd56616 100644 --- a/kyber/patches/ref_symmetric-aes.h +++ b/kyber/patches/ref_symmetric-aes.h 
@@ -1,9 +1,11 @@ --- upstream/ref/symmetric-aes.h +++ upstream-patched/ref/symmetric-aes.h -@@ -0,0 +1,23 @@ +@@ -0,0 +1,25 @@ +#ifndef SYMMETRIC_AES_H +#define SYMMETRIC_AES_H + ++#define AES256CTR_BLOCKBYTES 64 ++ +#include "aes.h" +#include +#include diff --git a/kyber/patches/ref_symmetric.h b/kyber/patches/ref_symmetric.h index 7bf710e..37b0ba9 100644 --- a/kyber/patches/ref_symmetric.h +++ b/kyber/patches/ref_symmetric.h @@ -1,6 +1,6 @@ --- upstream/ref/symmetric.h +++ upstream-patched/ref/symmetric.h -@@ -7,38 +7,39 @@ +@@ -7,17 +7,17 @@ #ifdef KYBER_90S @@ -15,15 +15,13 @@ -typedef aes256ctr_ctx xof_state; +typedef aes256xof_ctx xof_state; - #define kyber_aes256xof_absorb KYBER_NAMESPACE(_kyber_aes256xof_absorb) + #define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb) -void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y); +void kyber_aes256xof_absorb(aes256xof_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y); - #define kyber_aes256ctr_prf KYBER_NAMESPACE(_kyber_aes256ctr_prf) + #define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf) void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce); - --#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES -+#define XOF_BLOCKBYTES 64 +@@ -26,19 +26,20 @@ #define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) #define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) @@ -43,7 +41,7 @@ -typedef keccak_state xof_state; +typedef shake128ctx xof_state; - #define kyber_shake128_absorb KYBER_NAMESPACE(_kyber_shake128_absorb) + #define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb) -void kyber_shake128_absorb(keccak_state *s, +void kyber_shake128_absorb(xof_state *s, const uint8_t seed[KYBER_SYMBYTES],
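Review bot: `+#define AES256CTR_BLOCKBYTES 64` is added above the `#include` lines with no explanation of the value, and nothing in the hunk says how it relates to XOF_BLOCKBYTES in ref/symmetric.h, which (per the ref_symmetric.h change below) now reverts to upstream's `#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES`. I would move it below the includes and document it, e.g. `/* Bytes produced per xof_squeezeblocks call; must equal XOF_BLOCKBYTES in symmetric.h (4 AES blocks). */` — 64 being four 16-byte AES blocks is arithmetic, but whether the squeeze routine actually emits exactly that per call is not visible here and should be confirmed against aes256ctr.c. If aes.h ever defines the same macro, defining it before the include will also produce a redefinition diagnostic under -Werror.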