From 98146649b0d4f4850cdcde6258d9df1f5ea7adc8 Mon Sep 17 00:00:00 2001 From: "John M. Schanck" Date: Sat, 1 Jan 2022 13:43:25 -0800 Subject: [PATCH] Dilithium: pull from upstream --- dilithium/VERSION | 2 +- dilithium/package.sh | 14 ++++++++++++++ dilithium/patches/avx2_aes256ctr.h | 12 ------------ dilithium/patches/avx2_poly.c | 21 ++++++--------------- dilithium/patches/avx2_polyvec.c | 4 ++-- dilithium/patches/avx2_polyvec.h | 4 ++-- dilithium/patches/ref_poly.c | 24 ++++++++++++------------ dilithium/patches/ref_polyvec.c | 4 ++-- dilithium/patches/ref_polyvec.h | 4 ++-- 9 files changed, 41 insertions(+), 48 deletions(-) delete mode 100644 dilithium/patches/avx2_aes256ctr.h diff --git a/dilithium/VERSION b/dilithium/VERSION index a7d0cf3..0f8075f 100644 --- a/dilithium/VERSION +++ b/dilithium/VERSION @@ -1 +1 @@ -adf7476d645fb808b5c5d2dd1ef1aaeefdc0c897 +61b51a71701b8ae9f546a1e5d220e1950ed20d06 diff --git a/dilithium/package.sh b/dilithium/package.sh index 82a7fd2..e30a0fa 100755 --- a/dilithium/package.sh +++ b/dilithium/package.sh @@ -112,6 +112,20 @@ implementations: - avx2 - popcnt" >> META.yml +if [[ !(${PARAM} =~ "aes") ]] +then + echo -n " + - name: aarch64 + version: https://github.com/neon-ntt/neon-ntt/tree/014d2a0c21d705a523b3bfd2a740f8f0a2ba7a27 + supported_platforms: + - architecture: arm_8 + operating_systems: + - Linux + - Darwin + required_flags: + - asimd" >> META.yml +fi + echo "\ # This Makefile can be used with GNU Make or BSD Make diff --git a/dilithium/patches/avx2_aes256ctr.h b/dilithium/patches/avx2_aes256ctr.h deleted file mode 100644 index f059ff9..0000000 --- a/dilithium/patches/avx2_aes256ctr.h +++ /dev/null @@ -1,12 +0,0 @@ ---- upstream/avx2/aes256ctr.h -+++ upstream-patched/avx2/aes256ctr.h -@@ -27,7 +27,7 @@ - #define aes256ctr_prf AES256CTR_NAMESPACE(prf) - void aes256ctr_prf(uint8_t *out, - size_t outlen, -- const uint8_t key[32], -+ const uint8_t seed[32], - uint64_t nonce); - - #endif - 
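Review bot: The new guard `if [[ !(${PARAM} =~ "aes") ]]` in the package.sh hunk depends on bash lexing `!(` as the negation operator followed by a parenthesised group, which appears to hold only while extglob is off; with `shopt -s extglob` in effect, `!(…)` is read as a single extended-glob word, the conditional degenerates to a non-empty-string test that is always true, and the aarch64 entry would be written for the AES parameter sets too. Writing the operators separated, `if [[ ! ${PARAM} =~ aes ]]`, removes that ambiguity (the quoted `"aes"` is a literal match anyway, so dropping the quotes is behaviour-neutral) and reads like the rest of the script. The hunk only appends the aarch64 block, pinned to a neon-ntt commit, to META.yml; unless package.sh also copies those sources into the package somewhere outside this hunk, the metadata would advertise an implementation that is not shipped, so that is worth confirming rather than a defect I can point to here. The surrounding script continues outside the hunk.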
diff --git a/dilithium/patches/avx2_poly.c b/dilithium/patches/avx2_poly.c index b64f278..c122092 100644 --- a/dilithium/patches/avx2_poly.c +++ b/dilithium/patches/avx2_poly.c @@ -1,6 +1,6 @@ --- upstream/avx2/poly.c +++ upstream-patched/avx2/poly.c -@@ -422,6 +422,7 @@ +@@ -403,6 +403,7 @@ stream128_state state; stream128_init(&state, seed, nonce); poly_uniform_preinit(a, &state); @@ -8,16 +8,7 @@ } #ifndef DILITHIUM_USE_AES -@@ -535,7 +536,7 @@ - * - const uint8_t seed[]: byte array with seed of length CRHBYTES - * - uint16_t nonce: 2-byte nonce - **************************************************/ --void poly_uniform_eta_preinit(poly *a, stream128_state *state) -+void poly_uniform_eta_preinit(poly *a, stream256_state *state) - { - unsigned int ctr; - ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf; -@@ -554,6 +555,7 @@ +@@ -535,6 +536,7 @@ stream256_state state; stream256_init(&state, seed, nonce); poly_uniform_eta_preinit(a, &state); @@ -25,7 +16,7 @@ } #ifndef DILITHIUM_USE_AES -@@ -637,6 +639,7 @@ +@@ -618,6 +620,7 @@ stream256_state state; stream256_init(&state, seed, nonce); poly_uniform_gamma1_preinit(a, &state); @@ -33,7 +24,7 @@ } #ifndef DILITHIUM_USE_AES -@@ -698,12 +701,12 @@ +@@ -679,12 +682,12 @@ unsigned int i, b, pos; uint64_t signs; ALIGNED_UINT8(SHAKE256_RATE) buf; @@ -51,7 +42,7 @@ memcpy(&signs, buf.coeffs, 8); pos = 8; -@@ -712,7 +715,7 @@ +@@ -693,7 +696,7 @@ for(i = N-TAU; i < N; ++i) { do { if(pos >= SHAKE256_RATE) { @@ -60,7 +51,7 @@ pos = 0; } -@@ -723,6 +726,7 @@ +@@ -704,6 +707,7 @@ c->coeffs[b] = 1 - 2*(signs & 1); signs >>= 1; } diff --git a/dilithium/patches/avx2_polyvec.c b/dilithium/patches/avx2_polyvec.c index a68aede..0d99fcc 100644 --- a/dilithium/patches/avx2_polyvec.c +++ b/dilithium/patches/avx2_polyvec.c 
@@ -79,7 +79,7 @@ poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowa->vec[5], &rowa->vec[6], rho, 1795, 1796, 1797, 1798); poly_nttunpack(&rowa->vec[3]); poly_nttunpack(&rowa->vec[4]); -@@ -377,9 +386,10 @@ +@@ -362,9 +371,10 @@ int polyvecl_chknorm(const polyvecl *v, int32_t bound) { unsigned int i; @@ -91,7 +91,7 @@ return 0; } -@@ -543,9 +553,10 @@ +@@ -513,9 +523,10 @@ int polyveck_chknorm(const polyveck *v, int32_t bound) { unsigned int i; diff --git a/dilithium/patches/avx2_polyvec.h b/dilithium/patches/avx2_polyvec.h index d3b2c9b..1ce9e17 100644 --- a/dilithium/patches/avx2_polyvec.h +++ b/dilithium/patches/avx2_polyvec.h @@ -1,6 +1,6 @@ --- upstream/avx2/polyvec.h +++ upstream-patched/avx2/polyvec.h -@@ -31,8 +31,7 @@ +@@ -28,8 +28,7 @@ void polyvecl_invntt_tomont(polyvecl *v); #define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery) void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v); @@ -10,7 +10,7 @@ void polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u, const polyvecl *v); -@@ -79,7 +78,7 @@ +@@ -74,7 +73,7 @@ #define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint) unsigned int polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1); #define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint) diff --git a/dilithium/patches/ref_poly.c b/dilithium/patches/ref_poly.c index 31561ff..775faab 100644 --- a/dilithium/patches/ref_poly.c +++ b/dilithium/patches/ref_poly.c @@ -1,6 +1,6 @@ --- upstream/ref/poly.c +++ upstream-patched/ref/poly.c -@@ -383,6 +383,7 @@ +@@ -365,6 +365,7 @@ buflen = STREAM128_BLOCKBYTES + off; ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); } @@ -8,7 +8,7 @@ } /************************************************* -@@ -468,6 +469,7 @@ +@@ -450,6 +451,7 @@ stream256_squeezeblocks(buf, 1, &state); ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES); } 
@@ -16,7 +16,7 @@ } /************************************************* -@@ -491,6 +493,7 @@ +@@ -473,6 +475,7 @@ stream256_init(&state, seed, nonce); stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); @@ -24,7 +24,7 @@ polyz_unpack(a, buf); } -@@ -508,12 +511,12 @@ +@@ -490,12 +493,12 @@ unsigned int i, b, pos; uint64_t signs; uint8_t buf[SHAKE256_RATE]; @@ -42,7 +42,7 @@ signs = 0; for(i = 0; i < 8; ++i) -@@ -525,7 +528,7 @@ +@@ -507,7 +510,7 @@ for(i = N-TAU; i < N; ++i) { do { if(pos >= SHAKE256_RATE) { @@ -51,7 +51,7 @@ pos = 0; } -@@ -536,6 +539,7 @@ +@@ -518,6 +521,7 @@ c->coeffs[b] = 1 - 2*(signs & 1); signs >>= 1; } @@ -59,7 +59,7 @@ } /************************************************* -@@ -554,14 +558,14 @@ +@@ -536,14 +540,14 @@ #if ETA == 2 for(i = 0; i < N/8; ++i) { @@ -82,7 +82,7 @@ r[3*i+0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6); r[3*i+1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7); -@@ -569,8 +573,8 @@ +@@ -551,8 +555,8 @@ } #elif ETA == 4 for(i = 0; i < N/2; ++i) { @@ -93,7 +93,7 @@ r[i] = t[0] | (t[1] << 4); } #endif -@@ -637,11 +641,11 @@ +@@ -619,11 +623,11 @@ DBENCH_START(); for(i = 0; i < N/4; ++i) { @@ -110,7 +110,7 @@ } DBENCH_STOP(*tpack); -@@ -694,26 +698,26 @@ +@@ -676,26 +680,26 @@ t[6] = (1 << (D-1)) - a->coeffs[8*i+6]; t[7] = (1 << (D-1)) - a->coeffs[8*i+7]; @@ -157,7 +157,7 @@ } DBENCH_STOP(*tpack); -@@ -803,30 +807,30 @@ +@@ -785,30 +789,30 @@ t[2] = GAMMA1 - a->coeffs[4*i+2]; t[3] = GAMMA1 - a->coeffs[4*i+3]; @@ -206,7 +206,7 @@ } #endif -@@ -909,16 +913,16 @@ +@@ -891,16 +895,16 @@ #if GAMMA2 == (Q-1)/88 for(i = 0; i < N/4; ++i) { diff --git a/dilithium/patches/ref_polyvec.c b/dilithium/patches/ref_polyvec.c index 17e3aa1..4c13cab 100644 --- a/dilithium/patches/ref_polyvec.c +++ b/dilithium/patches/ref_polyvec.c @@ -24,7 +24,7 @@ } void polyvecl_reduce(polyvecl *v) { -@@ -155,9 +157,10 @@ +@@ -140,9 +142,10 @@ int polyvecl_chknorm(const polyvecl *v, int32_t bound) { unsigned int i; 
@@ -36,7 +36,7 @@ return 0; } -@@ -322,9 +325,10 @@ +@@ -292,9 +295,10 @@ int polyveck_chknorm(const polyveck *v, int32_t bound) { unsigned int i; diff --git a/dilithium/patches/ref_polyvec.h b/dilithium/patches/ref_polyvec.h index 559a062..e32fd0e 100644 --- a/dilithium/patches/ref_polyvec.h +++ b/dilithium/patches/ref_polyvec.h @@ -1,6 +1,6 @@ --- upstream/ref/polyvec.h +++ upstream-patched/ref/polyvec.h -@@ -31,8 +31,7 @@ +@@ -28,8 +28,7 @@ void polyvecl_invntt_tomont(polyvecl *v); #define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery) void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v); @@ -10,7 +10,7 @@ void polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u, const polyvecl *v); -@@ -84,7 +83,7 @@ +@@ -79,7 +78,7 @@ const polyveck *v0, const polyveck *v1); #define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)