Update Dilithium

jschanck · Feb 9, 2021 · 80749c8 · 80749c8
1 parent cea1fa5
commit 80749c8
Show file tree

Hide file tree

Showing 16 changed files with 98 additions and 98 deletions.
diff --git a/dilithium/VERSION b/dilithium/VERSION
@@ -1 +1 @@
-1e63a1e880401166f105ab44ec67464c9714a315
+adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897
diff --git a/dilithium/meta/crypto_sign_dilithium2_META.yml b/dilithium/meta/crypto_sign_dilithium2_META.yml
@@ -2,10 +2,10 @@ name: Dilithium2
 type: signature
 claimed-nist-level: 2
 length-public-key: 1312
-length-secret-key: 2544
+length-secret-key: 2528
 length-signature: 2420
-nistkat-sha256: 9c636528bf81c03df6ad8f9471cb1b4d9097d66af825d4f60b7ff0d941ca4d37
-testvectors-sha256: 166fc2481358d5a1b7a528b30af36ad069b049b5755cf63b843ce0f25f35aeb6
+nistkat-sha256: faa8998108fa541309c9df5044018c5d26cc23654594bef639dd64b838646cbd
+testvectors-sha256: 84f3da742881007e3d1d29c7390c7d707261ab8b20068a22b728e38e2fbac94b
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:

diff --git a/dilithium/meta/crypto_sign_dilithium2aes_META.yml b/dilithium/meta/crypto_sign_dilithium2aes_META.yml
@@ -2,10 +2,10 @@ name: Dilithium2-AES
 type: signature
 claimed-nist-level: 2
 length-public-key: 1312
-length-secret-key: 2544
+length-secret-key: 2528
 length-signature: 2420
-nistkat-sha256: 23972a0a5f1f32781aa11fa57d9994ddd53c1bbcc732967f61d9d9aaef01c492
-testvectors-sha256: 22e68fe8bf781dee949a4297f9ba44d1c350a1d88bae03117cfb2ca494c6e604
+nistkat-sha256: 62569a8c8cf8781a60c88753dfa8806afac09e39f01df1bb6598ca29bac7f425
+testvectors-sha256: faea339481e765cefba110bfcf1abb81c98546bee2b9b63f2fbe63feed9886da
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:

diff --git a/dilithium/meta/crypto_sign_dilithium3_META.yml b/dilithium/meta/crypto_sign_dilithium3_META.yml
@@ -2,10 +2,10 @@ name: Dilithium3
 type: signature
 claimed-nist-level: 3
 length-public-key: 1952
-length-secret-key: 4016
+length-secret-key: 4000
 length-signature: 3293
-nistkat-sha256: d0d4bb6945e14206d17b52f8a395d5a750ec8a73f2ea06b9f1cd226d225a9bfb
-testvectors-sha256: 531b85dbecaeaf135ad9004c8e2d5ce163b8e72d9c3a537e15bd383cf5f38aa4
+nistkat-sha256: 8439f580566c46b99449b2cbbd597ce59bcd5d184b90c1108b79a08f6bdbbcb1
+testvectors-sha256: 7d6c0db177a143415db7e609e3ecf603f73e7ceff35685f3ad65ac31b5e1aeeb
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:

diff --git a/dilithium/meta/crypto_sign_dilithium3aes_META.yml b/dilithium/meta/crypto_sign_dilithium3aes_META.yml
@@ -2,10 +2,10 @@ name: Dilithium3-AES
 type: signature
 claimed-nist-level: 3
 length-public-key: 1952
-length-secret-key: 4016
+length-secret-key: 4000
 length-signature: 3293
-nistkat-sha256: c1519093239804f90d1c9386e2a95b42b45dc65cbdc7c1dd777fe27de3840517
-testvectors-sha256: 9637ff196abfad19f3479e6a6ec3e91fc6de3bae89adf8617d91154063a3262a
+nistkat-sha256: 199db029b177b368d71bac8689e16394621b84ddc5517e8476312165288e63d3
+testvectors-sha256: a69ed1454332b6967c1b8da3ac4dce61ce163edec400e2f4631b6a8ab3409436
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:

diff --git a/dilithium/meta/crypto_sign_dilithium5_META.yml b/dilithium/meta/crypto_sign_dilithium5_META.yml
@@ -2,10 +2,10 @@ name: Dilithium5
 type: signature
 claimed-nist-level: 5
 length-public-key: 2592
-length-secret-key: 4880
+length-secret-key: 4864
 length-signature: 4595
-nistkat-sha256: 1d1ee6fb14b864bcc564ad9c416593b2ee1bf93cd65dfe70d9e400bc66be3229
-testvectors-sha256: 9bc663cbfc1b43cff759cfeddd365b665762bc36e1f1d0777ae1196f59617a70
+nistkat-sha256: 984ea5f06b13778292f60ecc07301af76e375f1bb9f4a39d676513439e1e83a2
+testvectors-sha256: 47f16494eb4109934d44a52bc85a12155e8814c8925d7ae6d19840fd9556a73c
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:

diff --git a/dilithium/meta/crypto_sign_dilithium5aes_META.yml b/dilithium/meta/crypto_sign_dilithium5aes_META.yml
@@ -2,10 +2,10 @@ name: Dilithium5-AES
 type: signature
 claimed-nist-level: 5
 length-public-key: 2592
-length-secret-key: 4880
+length-secret-key: 4864
 length-signature: 4595
-nistkat-sha256: 882d5050d6289875cbaa3bd920ec60ff3e2895257cbe8f76ed9d3735daa188c6
-testvectors-sha256: 8289af5b8aeb78bd6a642d1899364ce3ab9f3b2bd4c66da9a9031a9832e71545
+nistkat-sha256: 5734f0f32acf7190130448bbc121994a29fa4355deeee167ef65dbed014f6ee0
+testvectors-sha256: e790f11f4951965d38283f9a4440837c3158bd60c89bbe43807bad41095f1c39
 principal-submitters:
   - Vadim Lyubashevsky
 auxiliary-submitters:

diff --git a/dilithium/patches/avx2_api.h b/dilithium/patches/avx2_api.h
@@ -1,11 +1,11 @@
 --- upstream/avx2/api.h
 +++ upstream-patched/avx2/api.h
-@@ -4,149 +4,54 @@
+@@ -4,149 +4,53 @@
  #include <stddef.h>
  #include <stdint.h>
 
 -#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
--#define pqcrystals_dilithium2_SECRETKEYBYTES 2544
+-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
 -#define pqcrystals_dilithium2_BYTES 2420
 -
 -#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
@@ -53,7 +53,7 @@
 -                                      const uint8_t *pk);
 -
 -#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
--#define pqcrystals_dilithium3_SECRETKEYBYTES 4016
+-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
 -#define pqcrystals_dilithium3_BYTES 3293
 -
 -#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
@@ -101,7 +101,7 @@
 -                                      const uint8_t *pk);
 -
 -#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
--#define pqcrystals_dilithium5_SECRETKEYBYTES 4880
+-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
 -#define pqcrystals_dilithium5_BYTES 4595
 -
 -#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
@@ -135,36 +135,37 @@
 -int pqcrystals_dilithium5aes_avx2_signature(uint8_t *sig, size_t *siglen,
 -                                           const uint8_t *m, size_t mlen,
 -                                           const uint8_t *sk);
+-
+-int pqcrystals_dilithium5aes_avx2(uint8_t *sm, size_t *smlen,
+-                                 const uint8_t *m, size_t mlen,
+-                                 const uint8_t *sk);
+-
+-int pqcrystals_dilithium5aes_avx2_verify(const uint8_t *sig, size_t siglen,
+-                                        const uint8_t *m, size_t mlen,
+-                                        const uint8_t *pk);
 +#if DILITHIUM_MODE == 2
 +  #define CRYPTO_PUBLICKEYBYTES 1312
-+  #define CRYPTO_SECRETKEYBYTES 2544
++  #define CRYPTO_SECRETKEYBYTES 2528
 +  #define CRYPTO_BYTES 2420
 +  #ifdef DILITHIUM_USE_AES
 +    #define CRYPTO_ALGNAME "Dilithium2-AES"
 +  #else
 +    #define CRYPTO_ALGNAME "Dilithium2"
-+#endif
-
--int pqcrystals_dilithium5aes_avx2(uint8_t *sm, size_t *smlen,
--                                 const uint8_t *m, size_t mlen,
--                                 const uint8_t *sk);
++  #endif
++
 +#elif DILITHIUM_MODE == 3
 +  #define CRYPTO_PUBLICKEYBYTES 1952
-+  #define CRYPTO_SECRETKEYBYTES 4016
++  #define CRYPTO_SECRETKEYBYTES 4000
 +  #define CRYPTO_BYTES 3293
 +
 +  #ifdef DILITHIUM_USE_AES
 +    #define CRYPTO_ALGNAME "Dilithium3-AES"
 +  #else
 +    #define CRYPTO_ALGNAME "Dilithium3"
-+#endif
-
--int pqcrystals_dilithium5aes_avx2_verify(const uint8_t *sig, size_t siglen,
--                                        const uint8_t *m, size_t mlen,
--                                        const uint8_t *pk);
++  #endif
 +#elif DILITHIUM_MODE == 5
 +  #define CRYPTO_PUBLICKEYBYTES 2592
-+  #define CRYPTO_SECRETKEYBYTES 4880
++  #define CRYPTO_SECRETKEYBYTES 4864
 +  #define CRYPTO_BYTES 4595
 +  #ifdef DILITHIUM_USE_AES
 +    #define CRYPTO_ALGNAME "Dilithium5-AES"

diff --git a/dilithium/patches/avx2_poly.c b/dilithium/patches/avx2_poly.c
@@ -8,23 +8,32 @@
  }
 
  #ifndef DILITHIUM_USE_AES
+@@ -535,7 +536,7 @@
+ *              - const uint8_t seed[]: byte array with seed of length CRHBYTES
+ *              - uint16_t nonce: 2-byte nonce
+ **************************************************/
+-void poly_uniform_eta_preinit(poly *a, stream128_state *state)
++void poly_uniform_eta_preinit(poly *a, stream256_state *state)
+ {
+   unsigned int ctr;
+   ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
 @@ -554,6 +555,7 @@
-   stream128_state state;
-   stream128_init(&state, seed, nonce);
+   stream256_state state;
+   stream256_init(&state, seed, nonce);
    poly_uniform_eta_preinit(a, &state);
-+  stream128_release(&state);
++  stream256_release(&state);
  }
 
  #ifndef DILITHIUM_USE_AES
-@@ -632,6 +634,7 @@
+@@ -637,6 +639,7 @@
    stream256_state state;
    stream256_init(&state, seed, nonce);
    poly_uniform_gamma1_preinit(a, &state);
 +  stream256_release(&state);
  }
 
  #ifndef DILITHIUM_USE_AES
-@@ -694,12 +697,12 @@
+@@ -698,12 +701,12 @@
    unsigned int i, b, pos;
    uint64_t signs;
    ALIGNED_UINT8(SHAKE256_RATE) buf;
@@ -42,7 +51,7 @@
 
    memcpy(&signs, buf.coeffs, 8);
    pos = 8;
-@@ -708,7 +711,7 @@
+@@ -712,7 +715,7 @@
    for(i = N-TAU; i < N; ++i) {
      do {
        if(pos >= SHAKE256_RATE) {
@@ -51,7 +60,7 @@
          pos = 0;
        }
 
-@@ -719,6 +722,7 @@
+@@ -723,6 +726,7 @@
      c->coeffs[b] = 1 - 2*(signs & 1);
      signs >>= 1;
    }

diff --git a/dilithium/patches/avx2_sign.c b/dilithium/patches/avx2_sign.c
@@ -14,12 +14,12 @@
 
    /* Compute CRH(tr, msg) */
 -  shake256_init(&state);
--  shake256_absorb(&state, tr, CRHBYTES);
+-  shake256_absorb(&state, tr, SEEDBYTES);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
-+  shake256_inc_absorb(&state, tr, CRHBYTES);
++  shake256_inc_absorb(&state, tr, SEEDBYTES);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);
@@ -55,15 +55,15 @@
    if(siglen != CRYPTO_BYTES)
      return -1;
 
-   /* Compute CRH(CRH(rho, t1), msg) */
-   crh(mu, pk, CRYPTO_PUBLICKEYBYTES);
+   /* Compute CRH(H(rho, t1), msg) */
+   shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
 -  shake256_init(&state);
--  shake256_absorb(&state, mu, CRHBYTES);
+-  shake256_absorb(&state, mu, SEEDBYTES);
 -  shake256_absorb(&state, m, mlen);
 -  shake256_finalize(&state);
 -  shake256_squeeze(mu, CRHBYTES, &state);
 +  shake256_inc_init(&state);
-+  shake256_inc_absorb(&state, mu, CRHBYTES);
++  shake256_inc_absorb(&state, mu, SEEDBYTES);
 +  shake256_inc_absorb(&state, m, mlen);
 +  shake256_inc_finalize(&state);
 +  shake256_inc_squeeze(mu, CRHBYTES, &state);

diff --git a/dilithium/patches/avx2_symmetric.h b/dilithium/patches/avx2_symmetric.h
@@ -1,7 +1,7 @@
 --- upstream/avx2/symmetric.h
 +++ upstream-patched/avx2/symmetric.h
-@@ -18,30 +18,42 @@
- #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
+@@ -17,29 +17,33 @@
+
  #define stream128_init(STATE, SEED, NONCE) aes256ctr_init(STATE, SEED, NONCE)
  #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define stream128_release(STATE)
@@ -20,33 +20,22 @@
 
  #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
 -void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-+void dilithium_shake128_stream_init(shake128incctx *state,
-+                                    const uint8_t seed[SEEDBYTES],
-+                                    uint16_t nonce);
++void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
 
  #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
 -void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
-+void dilithium_shake256_stream_init(shake256incctx *state,
-+                                    const uint8_t seed[CRHBYTES],
-+                                    uint16_t nonce);
++void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
  #define STREAM128_BLOCKBYTES SHAKE128_RATE
  #define STREAM256_BLOCKBYTES SHAKE256_RATE
 
- #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
--#define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE)
+ #define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE)
 -#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
--#define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE)
--#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream128_init(STATE, SEED, NONCE) \
-+        dilithium_shake128_stream_init(STATE, SEED, NONCE)
-+#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-+        shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE)
++#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE)
 +#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-+#define stream256_init(STATE, SEED, NONCE) \
-+        dilithium_shake256_stream_init(STATE, SEED, NONCE)
-+#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-+        shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE)
+ #define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE)
+-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
++#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE)
 +#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
 
  #endif

diff --git a/dilithium/patches/ref_api.h b/dilithium/patches/ref_api.h
@@ -1,11 +1,11 @@
 --- upstream/ref/api.h
 +++ upstream-patched/ref/api.h
-@@ -4,149 +4,54 @@
+@@ -4,149 +4,53 @@
  #include <stddef.h>
  #include <stdint.h>
 
 -#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
--#define pqcrystals_dilithium2_SECRETKEYBYTES 2544
+-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
 -#define pqcrystals_dilithium2_BYTES 2420
 -
 -#define pqcrystals_dilithium2_ref_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
@@ -53,7 +53,7 @@
 -                                      const uint8_t *pk);
 -
 -#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
--#define pqcrystals_dilithium3_SECRETKEYBYTES 4016
+-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
 -#define pqcrystals_dilithium3_BYTES 3293
 -
 -#define pqcrystals_dilithium3_ref_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
@@ -101,7 +101,7 @@
 -                                      const uint8_t *pk);
 -
 -#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
--#define pqcrystals_dilithium5_SECRETKEYBYTES 4880
+-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
 -#define pqcrystals_dilithium5_BYTES 4595
 -
 -#define pqcrystals_dilithium5_ref_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
@@ -135,36 +135,37 @@
 -int pqcrystals_dilithium5aes_ref_signature(uint8_t *sig, size_t *siglen,
 -                                           const uint8_t *m, size_t mlen,
 -                                           const uint8_t *sk);
+-
+-int pqcrystals_dilithium5aes_ref(uint8_t *sm, size_t *smlen,
+-                                 const uint8_t *m, size_t mlen,
+-                                 const uint8_t *sk);
+-
+-int pqcrystals_dilithium5aes_ref_verify(const uint8_t *sig, size_t siglen,
+-                                        const uint8_t *m, size_t mlen,
+-                                        const uint8_t *pk);
 +#if DILITHIUM_MODE == 2
 +  #define CRYPTO_PUBLICKEYBYTES 1312
-+  #define CRYPTO_SECRETKEYBYTES 2544
++  #define CRYPTO_SECRETKEYBYTES 2528
 +  #define CRYPTO_BYTES 2420
 +  #ifdef DILITHIUM_USE_AES
 +    #define CRYPTO_ALGNAME "Dilithium2-AES"
 +  #else
 +    #define CRYPTO_ALGNAME "Dilithium2"
-+#endif
-
--int pqcrystals_dilithium5aes_ref(uint8_t *sm, size_t *smlen,
--                                 const uint8_t *m, size_t mlen,
--                                 const uint8_t *sk);
++  #endif
++
 +#elif DILITHIUM_MODE == 3
 +  #define CRYPTO_PUBLICKEYBYTES 1952
-+  #define CRYPTO_SECRETKEYBYTES 4016
++  #define CRYPTO_SECRETKEYBYTES 4000
 +  #define CRYPTO_BYTES 3293
 +
 +  #ifdef DILITHIUM_USE_AES
 +    #define CRYPTO_ALGNAME "Dilithium3-AES"
 +  #else
 +    #define CRYPTO_ALGNAME "Dilithium3"
-+#endif
-
--int pqcrystals_dilithium5aes_ref_verify(const uint8_t *sig, size_t siglen,
--                                        const uint8_t *m, size_t mlen,
--                                        const uint8_t *pk);
++  #endif
 +#elif DILITHIUM_MODE == 5
 +  #define CRYPTO_PUBLICKEYBYTES 2592
-+  #define CRYPTO_SECRETKEYBYTES 4880
++  #define CRYPTO_SECRETKEYBYTES 4864
 +  #define CRYPTO_BYTES 4595
 +  #ifdef DILITHIUM_USE_AES
 +    #define CRYPTO_ALGNAME "Dilithium5-AES"
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		1e63a1e880401166f105ab44ec67464c9714a315
		adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897