Sync Kyber with upstream, enable Scan-Build with Kyber (#1252)

2025-10-04 00:02:01 -04:00 · 2022-07-11 11:53:20 +02:00 · 2022-07-11 11:53:20 +02:00 · e88cc366b5
commit e88cc366b5
parent 8ec55171b0
11 changed files with 9 additions and 23 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -137,8 +137,8 @@ jobs:
    steps:
      - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally
      - run:
-          name: Configure (excluding Kyber because of known issue)
-          command: mkdir build && cd build && pwd && source ~/.bashrc && scan-build-14 cmake -GNinja -DOQS_ENABLE_KEM_KYBER=OFF ..
+          name: Configure
+          command: mkdir build && cd build && pwd && source ~/.bashrc && scan-build-14 cmake -GNinja ..
      - run:
          name: Build
          command: scan-build-14 --status-bugs ninja
--- a/docs/algorithms/kem/kyber.md
+++ b/docs/algorithms/kem/kyber.md
@ -7,9 +7,9 @@
 - **Authors' website**: https://pq-crystals.org/
 - **Specification version**: NIST Round 3 submission.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/pq-crystals/kyber/commit/faf5c3fe33e0b61c7c8a7888dd862bf5def17ad2 with copy_from_upstream patches
+  - **Source**: https://github.com/pq-crystals/kyber/commit/8e00ec73035147d18b27d06048dff322f8de1f29 with copy_from_upstream patches
  - **Implementation license (SPDX-Identifier)**: CC0-1.0
- **Optimized Implementation sources**: https://github.com/pq-crystals/kyber/commit/faf5c3fe33e0b61c7c8a7888dd862bf5def17ad2 with copy_from_upstream patches
+- **Optimized Implementation sources**: https://github.com/pq-crystals/kyber/commit/8e00ec73035147d18b27d06048dff322f8de1f29 with copy_from_upstream patches
  - **pqclean-aarch64**:<a name="pqclean-aarch64"></a>
      - **Source**: https://github.com/PQClean/PQClean/commit/4c9e5a3aa715cc8d1d0e377e4e6e682ebd7602d6 with copy_from_upstream patches
      - **Implementation license (SPDX-Identifier)**: CC0-1.0
@ -47,8 +47,6 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.

 Are implementations chosen based on runtime CPU feature detection? **Yes**.

-Implementation known to fail [scan-build](https://clang-analyzer.llvm.org/scan-build.html).
-
 ## Kyber768 implementation characteristics

 |        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
@ -68,8 +66,6 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.

 Are implementations chosen based on runtime CPU feature detection? **Yes**.

-Implementation known to fail [scan-build](https://clang-analyzer.llvm.org/scan-build.html).
-
 ## Kyber1024 implementation characteristics

 |        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
@ -89,8 +85,6 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.

 Are implementations chosen based on runtime CPU feature detection? **Yes**.

-Implementation known to fail [scan-build](https://clang-analyzer.llvm.org/scan-build.html).
-
 ## Explanation of Terms

 - **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
--- a/docs/algorithms/kem/kyber.yml
+++ b/docs/algorithms/kem/kyber.yml
@ -17,7 +17,7 @@ website: https://pq-crystals.org/
 nist-round: 3
 spec-version: NIST Round 3 submission
 primary-upstream:
-  source: https://github.com/pq-crystals/kyber/commit/faf5c3fe33e0b61c7c8a7888dd862bf5def17ad2
+  source: https://github.com/pq-crystals/kyber/commit/8e00ec73035147d18b27d06048dff322f8de1f29
    with copy_from_upstream patches
  spdx-license-identifier: CC0-1.0
 optimized-upstreams:
--- a/scripts/copy_from_upstream/copy_from_upstream.yml
+++ b/scripts/copy_from_upstream/copy_from_upstream.yml
@ -13,7 +13,7 @@ upstreams:
    name: pqcrystals-kyber
    git_url: https://github.com/pq-crystals/kyber.git
    git_branch: master
-    git_commit: faf5c3fe33e0b61c7c8a7888dd862bf5def17ad2
+    git_commit: 8e00ec73035147d18b27d06048dff322f8de1f29
    kem_meta_path: '{pretty_name_full}_META.yml'
    kem_scheme_path: '.'
    patches: [pqcrystals-kyber-yml.patch, pqcrystals-kyber-ref-shake-aes.patch, pqcrystals-kyber-avx2-shake-aes.patch]
--- a/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake-aes.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake-aes.patch
@ -1,6 +1,6 @@
 c6a44a0dbb6735caf40ad4856063282feab56d98
 diff --git a/avx2/indcpa.c b/avx2/indcpa.c
-index bd6ec9f..78f6810 100644
+index 926f6e87..b8840863 100644
 --- a/avx2/indcpa.c
 +++ b/avx2/indcpa.c
@@ -178,7 +178,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
@ -140,7 +140,7 @@ index bd6ec9f..78f6810 100644
 #else
 #if KYBER_K == 2
   poly_getnoise_eta1_4x(skpv.vec+0, skpv.vec+1, e.vec+0, e.vec+1, noiseseed, 0, 1, 2, 3);
-@@ -554,22 +565,23 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
+@@ -554,20 +565,22 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
   uint64_t nonce = 0;
   ALIGNED_UINT8(NOISE_NBLOCKS*AES256CTR_BLOCKBYTES+32) buf; /* +32 bytes as required by poly_cbd_eta1 */
   aes256ctr_ctx state;
@ -161,10 +161,8 @@ index bd6ec9f..78f6810 100644
     poly_cbd_eta2(&ep.vec[i], buf.vec);
   }
   aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  state.n = _mm_loadl_epi64((__m128i *)&nonce);
-   nonce += 1;
 +  aes256_ctx_release(&state);
-+  
+
   poly_cbd_eta2(&epp, buf.vec);
 #else
 #if KYBER_K == 2
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024-90s_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024-90s_avx2/indcpa.c
@ -579,7 +579,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
    poly_cbd_eta2(&ep.vec[i], buf.vec);
  }
  aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  nonce += 1;
  aes256_ctx_release(&state);

  poly_cbd_eta2(&epp, buf.vec);
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c
@ -579,7 +579,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
    poly_cbd_eta2(&ep.vec[i], buf.vec);
  }
  aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  nonce += 1;
  aes256_ctx_release(&state);

  poly_cbd_eta2(&epp, buf.vec);
--- a/src/kem/kyber/pqcrystals-kyber_kyber512-90s_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512-90s_avx2/indcpa.c
@ -579,7 +579,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
    poly_cbd_eta2(&ep.vec[i], buf.vec);
  }
  aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  nonce += 1;
  aes256_ctx_release(&state);

  poly_cbd_eta2(&epp, buf.vec);
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c
@ -579,7 +579,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
    poly_cbd_eta2(&ep.vec[i], buf.vec);
  }
  aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  nonce += 1;
  aes256_ctx_release(&state);

  poly_cbd_eta2(&epp, buf.vec);
--- a/src/kem/kyber/pqcrystals-kyber_kyber768-90s_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768-90s_avx2/indcpa.c
@ -579,7 +579,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
    poly_cbd_eta2(&ep.vec[i], buf.vec);
  }
  aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  nonce += 1;
  aes256_ctx_release(&state);

  poly_cbd_eta2(&epp, buf.vec);
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c
@ -579,7 +579,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
    poly_cbd_eta2(&ep.vec[i], buf.vec);
  }
  aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  nonce += 1;
  aes256_ctx_release(&state);

  poly_cbd_eta2(&epp, buf.vec);