diff --git a/Dilithium2_META.yml b/Dilithium2_META.yml index 122b3ca..2d5686a 100644 --- a/Dilithium2_META.yml +++ b/ML-DSA-44_META.yml @@ -1,4 +1,4 @@ -name: Dilithium2 +name: ML-DSA-44 type: signature claimed-nist-level: 2 length-public-key: 1312 @@ -18,22 +18,22 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: ref - version: https://github.com/pq-crystals/dilithium/tree/master + version: FIPS204 folder_name: ref - compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING - signature_keypair: pqcrystals_dilithium2_ref_keypair - signature_signature: pqcrystals_dilithium2_ref_signature - signature_verify: pqcrystals_dilithium2_ref_verify - sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c - common_dep: common_ref + compile_opts: -DDILITHIUM_MODE=2 + signature_keypair: pqcrystals_ml_dsa_44_ref_keypair + signature_signature: pqcrystals_ml_dsa_44_ref_signature + signature_verify: pqcrystals_ml_dsa_44_ref_verify + api-with-context-string: true + sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c - name: avx2 - version: https://github.com/pq-crystals/dilithium/tree/master - compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING - signature_keypair: pqcrystals_dilithium2_avx2_keypair - signature_signature: pqcrystals_dilithium2_avx2_signature - signature_verify: pqcrystals_dilithium2_avx2_verify - sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c - common_dep: common_avx2 + version: FIPS204 + compile_opts: -DDILITHIUM_MODE=2 + signature_keypair: pqcrystals_ml_dsa_44_avx2_keypair + signature_signature: pqcrystals_ml_dsa_44_avx2_signature + signature_verify: pqcrystals_ml_dsa_44_avx2_verify + api-with-context-string: true + sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c supported_platforms: - architecture: x86_64 operating_systems: diff --git a/Dilithium3_META.yml b/Dilithium3_META.yml index b108b4f..47a4ba0 100644 --- a/Dilithium3_META.yml +++ b/ML-DSA-65_META.yml @@ -1,4 +1,4 @@ -name: Dilithium3 +name: ML-DSA-65 type: signature claimed-nist-level: 3 length-public-key: 1952 @@ -18,22 +18,22 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: ref - version: https://github.com/pq-crystals/dilithium/tree/master + version: FIPS204 folder_name: ref - compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING - signature_keypair: pqcrystals_dilithium3_ref_keypair - signature_signature: pqcrystals_dilithium3_ref_signature - signature_verify: pqcrystals_dilithium3_ref_verify - sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c - common_dep: common_ref + compile_opts: -DDILITHIUM_MODE=3 + signature_keypair: pqcrystals_ml_dsa_65_ref_keypair + signature_signature: pqcrystals_ml_dsa_65_ref_signature + signature_verify: pqcrystals_ml_dsa_65_ref_verify + api-with-context-string: true + sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c - name: avx2 - version: https://github.com/pq-crystals/dilithium/tree/master - compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING - signature_keypair: pqcrystals_dilithium3_avx2_keypair - signature_signature: pqcrystals_dilithium3_avx2_signature - signature_verify: pqcrystals_dilithium3_avx2_verify - sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c - common_dep: common_avx2 + version: FIPS204 + compile_opts: -DDILITHIUM_MODE=3 + signature_keypair: pqcrystals_ml_dsa_65_avx2_keypair + signature_signature: pqcrystals_ml_dsa_65_avx2_signature + signature_verify: pqcrystals_ml_dsa_65_avx2_verify + api-with-context-string: true + sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c supported_platforms: - architecture: x86_64 operating_systems: diff --git a/Dilithium5_META.yml b/Dilithium5_META.yml index 5163526..e9bff1e 100644 --- a/Dilithium5_META.yml +++ b/ML-DSA-87_META.yml @@ -1,4 +1,4 @@ -name: Dilithium5 +name: ML-DSA-87 type: signature claimed-nist-level: 5 length-public-key: 2592 @@ -18,22 +18,22 @@ auxiliary-submitters: - Damien Stehlé implementations: - name: ref - version: https://github.com/pq-crystals/dilithium/tree/master + version: FIPS204 folder_name: ref - compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING - signature_keypair: pqcrystals_dilithium5_ref_keypair - signature_signature: pqcrystals_dilithium5_ref_signature - signature_verify: pqcrystals_dilithium5_ref_verify - sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c - common_dep: common_ref + compile_opts: -DDILITHIUM_MODE=5 + signature_keypair: pqcrystals_ml_dsa_87_ref_keypair + signature_signature: pqcrystals_ml_dsa_87_ref_signature + signature_verify: pqcrystals_ml_dsa_87_ref_verify + api-with-context-string: true + sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c - name: avx2 - version: https://github.com/pq-crystals/dilithium/tree/master - compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING - signature_keypair: pqcrystals_dilithium5_avx2_keypair - signature_signature: pqcrystals_dilithium5_avx2_signature - signature_verify: pqcrystals_dilithium5_avx2_verify - sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c - common_dep: common_avx2 + version: FIPS204 + compile_opts: -DDILITHIUM_MODE=5 + signature_keypair: pqcrystals_ml_dsa_87_avx2_keypair + signature_signature: pqcrystals_ml_dsa_87_avx2_signature + signature_verify: pqcrystals_ml_dsa_87_avx2_verify + api-with-context-string: true + sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c supported_platforms: - architecture: x86_64 operating_systems: diff --git a/avx2/config.h b/avx2/config.h index a9facc0..3944cb4 100644 --- a/avx2/config.h +++ b/avx2/config.h @@ -11,17 +11,17 @@ #endif #if DILITHIUM_MODE == 2 -#define CRYPTO_ALGNAME "Dilithium2" -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_avx2_##s +#define CRYPTO_ALGNAME "ML-DSA-44" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_avx2 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_avx2_##s #elif DILITHIUM_MODE == 3 -#define CRYPTO_ALGNAME "Dilithium3" -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_avx2 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_avx2_##s +#define CRYPTO_ALGNAME "ML-DSA-65" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_avx2 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_avx2_##s #elif DILITHIUM_MODE == 5 -#define CRYPTO_ALGNAME "Dilithium5" -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2 -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s +#define CRYPTO_ALGNAME "ML-DSA-87" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_avx2 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_avx2_##s #endif #endif diff --git a/avx2/f1600x4.S b/avx2/f1600x4.S index 5455129..497b8ca 100644 --- a/avx2/f1600x4.S +++ b/avx2/f1600x4.S @@ -905,5 +905,3 @@ addq $32, %rsi subq $1, %rax jnz looptop ret - -.section .note.GNU-stack,"",@progbits diff --git a/avx2/invntt.S b/avx2/invntt.S index d40ca13..3e9864c 100644 --- a/avx2/invntt.S +++ b/avx2/invntt.S @@ -236,5 +236,3 @@ levels6t7 2 levels6t7 3 ret - -.section .note.GNU-stack,"",@progbits diff --git a/avx2/ntt.S b/avx2/ntt.S index 026f057..ebe17d3 100644 --- a/avx2/ntt.S +++ b/avx2/ntt.S @@ -194,5 +194,3 @@ levels2t7 2 levels2t7 3 ret - -.section .note.GNU-stack,"",@progbits diff --git a/avx2/pointwise.S b/avx2/pointwise.S index 6b687c7..ae7ff79 100644 --- a/avx2/pointwise.S +++ b/avx2/pointwise.S @@ -209,5 +209,3 @@ cmp $16,%eax jb _looptop2 ret - -.section .note.GNU-stack,"",@progbits diff --git a/avx2/poly.c b/avx2/poly.c index 340e91d..0a4ecb6 100644 --- a/avx2/poly.c +++ b/avx2/poly.c @@ -401,6 +401,7 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) stream128_state state; stream128_init(&state, seed, nonce); poly_uniform_preinit(a, &state); + stream128_release(&state); } void poly_uniform_4x(poly *a0, @@ -415,7 +416,7 @@ void poly_uniform_4x(poly *a0, { unsigned int ctr0, ctr1, ctr2, ctr3; ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4]; - keccakx4_state state; + shake128x4incctx state; __m256i f; f = _mm256_loadu_si256((__m256i *)seed); @@ -433,6 +434,7 @@ void poly_uniform_4x(poly *a0, buf[3].coeffs[SEEDBYTES+0] = nonce3; buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8; + shake128x4_inc_init(&state); shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2); shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state); @@ -449,6 +451,7 @@ void poly_uniform_4x(poly *a0, ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE); ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE); } + shake128x4_inc_ctx_release(&state); } /************************************************* @@ -530,6 +533,7 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) stream256_state state; stream256_init(&state, seed, nonce); poly_uniform_eta_preinit(a, &state); + stream256_release(&state); } void poly_uniform_eta_4x(poly *a0, @@ -546,7 +550,7 @@ void poly_uniform_eta_4x(poly *a0, ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4]; __m256i f; - keccakx4_state state; + shake256x4incctx state; f = _mm256_loadu_si256((__m256i *)&seed[0]); _mm256_store_si256(&buf[0].vec[0],f); @@ -568,6 +572,7 @@ void poly_uniform_eta_4x(poly *a0, buf[3].coeffs[64] = nonce3; buf[3].coeffs[65] = nonce3 >> 8; + shake256x4_inc_init(&state); shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state); @@ -584,6 +589,7 @@ void poly_uniform_eta_4x(poly *a0, ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE); ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE); } + shake256x4_inc_ctx_release(&state); } /************************************************* @@ -611,6 +617,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) stream256_state state; stream256_init(&state, seed, nonce); poly_uniform_gamma1_preinit(a, &state); + stream256_release(&state); } void poly_uniform_gamma1_4x(poly *a0, @@ -624,7 +631,7 @@ void poly_uniform_gamma1_4x(poly *a0, uint16_t nonce3) { ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4]; - keccakx4_state state; + shake256x4incctx state; __m256i f; f = _mm256_loadu_si256((__m256i *)&seed[0]); @@ -647,8 +654,10 @@ void poly_uniform_gamma1_4x(poly *a0, buf[3].coeffs[64] = nonce3; buf[3].coeffs[65] = nonce3 >> 8; + shake256x4_inc_init(&state); shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); + shake256x4_inc_ctx_release(&state); polyz_unpack(a0, buf[0].coeffs); polyz_unpack(a1, buf[1].coeffs); @@ -670,12 +679,12 @@ void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) { unsigned int i, b, pos; uint64_t signs; ALIGNED_UINT8(SHAKE256_RATE) buf; - keccak_state state; + shake256incctx state; - shake256_init(&state); - shake256_absorb(&state, seed, CTILDEBYTES); - shake256_finalize(&state); - shake256_squeezeblocks(buf.coeffs, 1, &state); + shake256_inc_init(&state); + shake256_inc_absorb(&state, seed, CTILDEBYTES); + shake256_inc_finalize(&state); + shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state); memcpy(&signs, buf.coeffs, 8); pos = 8; @@ -695,6 +704,7 @@ void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) { c->coeffs[b] = 1 - 2*(signs & 1); signs >>= 1; } + shake256_inc_ctx_release(&state); } /************************************************* diff --git a/avx2/shuffle.S b/avx2/shuffle.S index 08c757c..133e051 100644 --- a/avx2/shuffle.S +++ b/avx2/shuffle.S @@ -50,5 +50,3 @@ call nttunpack128_avx add $256,%rdi call nttunpack128_avx ret - -.section .note.GNU-stack,"",@progbits diff --git a/avx2/sign.c b/avx2/sign.c index efb6ea3..532e37c 100644 --- a/avx2/sign.c +++ b/avx2/sign.c @@ -168,7 +168,7 @@ int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t * polyvecl y; polyveck w0; } tmpv; - keccak_state state; + shake256incctx state; rho = seedbuf; tr = rho + SEEDBYTES; @@ -178,20 +178,20 @@ int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t * unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute mu = CRH(tr, pre, msg) */ - shake256_init(&state); - shake256_absorb(&state, tr, TRBYTES); - shake256_absorb(&state, pre, prelen); - shake256_absorb(&state, m, mlen); - shake256_finalize(&state); - shake256_squeeze(mu, CRHBYTES, &state); + shake256_inc_init(&state); + shake256_inc_absorb(&state, tr, TRBYTES); + shake256_inc_absorb(&state, pre, prelen); + shake256_inc_absorb(&state, m, mlen); + shake256_inc_finalize(&state); + shake256_inc_squeeze(mu, CRHBYTES, &state); /* Compute rhoprime = CRH(key, rnd, mu) */ - shake256_init(&state); - shake256_absorb(&state, key, SEEDBYTES); - shake256_absorb(&state, rnd, RNDBYTES); - shake256_absorb(&state, mu, CRHBYTES); - shake256_finalize(&state); - shake256_squeeze(rhoprime, CRHBYTES, &state); + shake256_inc_ctx_reset(&state); + shake256_inc_absorb(&state, key, SEEDBYTES); + shake256_inc_absorb(&state, rnd, RNDBYTES); + shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_finalize(&state); + shake256_inc_squeeze(rhoprime, CRHBYTES, &state); /* Expand matrix and transform vectors */ polyvec_matrix_expand(mat, rho); @@ -231,11 +231,11 @@ rej: polyveck_decompose(&w1, &tmpv.w0, &w1); polyveck_pack_w1(sig, &w1); - shake256_init(&state); - shake256_absorb(&state, mu, CRHBYTES); - shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES); - shake256_finalize(&state); - shake256_squeeze(sig, CTILDEBYTES, &state); + shake256_inc_ctx_reset(&state); + shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES); + shake256_inc_finalize(&state); + shake256_inc_squeeze(sig, CTILDEBYTES, &state); poly_challenge(&c, sig); poly_ntt(&c); @@ -280,6 +280,7 @@ rej: hint[OMEGA + i] = pos = pos + n; } + shake256_inc_ctx_release(&state); /* Pack z into signature */ for(i = 0; i < L; i++) polyz_pack(sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]); @@ -384,19 +385,19 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t polyvecl *row = rowbuf; polyvecl z; poly c, w1, h; - keccak_state state; + shake256incctx state; if(siglen != CRYPTO_BYTES) return -1; /* Compute CRH(H(rho, t1), pre, msg) */ shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); - shake256_init(&state); - shake256_absorb(&state, mu, CRHBYTES); - shake256_absorb(&state, pre, prelen); - shake256_absorb(&state, m, mlen); - shake256_finalize(&state); - shake256_squeeze(mu, CRHBYTES, &state); + shake256_inc_init(&state); + shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, pre, prelen); + shake256_inc_absorb(&state, m, mlen); + shake256_inc_finalize(&state); + shake256_inc_squeeze(mu, CRHBYTES, &state); /* Expand challenge */ poly_challenge(&c, sig); @@ -426,12 +427,17 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t /* Get hint polynomial and reconstruct w1 */ memset(h.vec, 0, sizeof(poly)); - if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) + if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) { + shake256_inc_ctx_release(&state); return -1; + } for(j = pos; j < hint[OMEGA + i]; ++j) { /* Coefficients are ordered for strong unforgeability */ - if(j > pos && hint[j] <= hint[j-1]) return -1; + if(j > pos && hint[j] <= hint[j-1]) { + shake256_inc_ctx_release(&state); + return -1; + } h.coeffs[hint[j]] = 1; } pos = hint[OMEGA + i]; @@ -443,14 +449,18 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t /* Extra indices are zero for strong unforgeability */ for(j = pos; j < OMEGA; ++j) - if(hint[j]) return -1; + if(hint[j]) { + shake256_inc_ctx_release(&state); + return -1; + } /* Call random oracle and verify challenge */ - shake256_init(&state); - shake256_absorb(&state, mu, CRHBYTES); - shake256_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES); - shake256_finalize(&state); - shake256_squeeze(buf.coeffs, CTILDEBYTES, &state); + shake256_inc_ctx_reset(&state); + shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES); + shake256_inc_finalize(&state); + shake256_inc_squeeze(buf.coeffs, CTILDEBYTES, &state); + shake256_inc_ctx_release(&state); for(i = 0; i < CTILDEBYTES; ++i) if(buf.coeffs[i] != sig[i]) return -1; diff --git a/avx2/symmetric.h b/avx2/symmetric.h index 8f3c3c5..fa49963 100644 --- a/avx2/symmetric.h +++ b/avx2/symmetric.h @@ -6,21 +6,23 @@ #include "fips202.h" -typedef keccak_state stream128_state; -typedef keccak_state stream256_state; +typedef shake128incctx stream128_state; +typedef shake256incctx stream256_state; #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init) -void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce); +void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce); #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init) -void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce); +void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce); #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE #define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_release(STATE) shake128_inc_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_release(STATE) shake256_inc_ctx_release(STATE) #endif diff --git a/ref/config.h b/ref/config.h index 98b8ccb..8008e11 100644 --- a/ref/config.h +++ b/ref/config.h @@ -11,17 +11,17 @@ #endif #if DILITHIUM_MODE == 2 -#define CRYPTO_ALGNAME "Dilithium2" -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_ref_##s +#define CRYPTO_ALGNAME "ML-DSA-44" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ref +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ref_##s #elif DILITHIUM_MODE == 3 -#define CRYPTO_ALGNAME "Dilithium3" -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_ref -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_ref_##s +#define CRYPTO_ALGNAME "ML-DSA-65" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ref +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ref_##s #elif DILITHIUM_MODE == 5 -#define CRYPTO_ALGNAME "Dilithium5" -#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref -#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s +#define CRYPTO_ALGNAME "ML-DSA-87" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ref +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ref_##s #endif #endif diff --git a/ref/poly.c b/ref/poly.c index 0db4f42..691b5e8 100644 --- a/ref/poly.c +++ b/ref/poly.c @@ -365,6 +365,7 @@ void poly_uniform(poly *a, buflen = STREAM128_BLOCKBYTES + off; ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_release(&state); } /************************************************* @@ -450,6 +451,7 @@ void poly_uniform_eta(poly *a, stream256_squeezeblocks(buf, 1, &state); ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES); } + stream256_release(&state); } /************************************************* @@ -473,6 +475,7 @@ void poly_uniform_gamma1(poly *a, stream256_init(&state, seed, nonce); stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); + stream256_release(&state); polyz_unpack(a, buf); } @@ -490,11 +493,11 @@ void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) { unsigned int i, b, pos; uint64_t signs; uint8_t buf[SHAKE256_RATE]; - keccak_state state; + shake256incctx state; - shake256_init(&state); - shake256_absorb(&state, seed, CTILDEBYTES); - shake256_finalize(&state); + shake256_inc_init(&state); + shake256_inc_absorb(&state, seed, CTILDEBYTES); + shake256_inc_finalize(&state); shake256_squeezeblocks(buf, 1, &state); signs = 0; @@ -518,6 +521,7 @@ void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) { c->coeffs[b] = 1 - 2*(signs & 1); signs >>= 1; } + shake256_inc_ctx_release(&state); } /************************************************* diff --git a/ref/sign.c b/ref/sign.c index 7d3f882..abb033c 100644 --- a/ref/sign.c +++ b/ref/sign.c @@ -98,7 +98,7 @@ int crypto_sign_signature_internal(uint8_t *sig, polyvecl mat[K], s1, y, z; polyveck t0, s2, w1, w0, h; poly cp; - keccak_state state; + shake256incctx state; rho = seedbuf; tr = rho + SEEDBYTES; @@ -108,20 +108,20 @@ int crypto_sign_signature_internal(uint8_t *sig, unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); /* Compute mu = CRH(tr, pre, msg) */ - shake256_init(&state); - shake256_absorb(&state, tr, TRBYTES); - shake256_absorb(&state, pre, prelen); - shake256_absorb(&state, m, mlen); - shake256_finalize(&state); - shake256_squeeze(mu, CRHBYTES, &state); + shake256_inc_init(&state); + shake256_inc_absorb(&state, tr, TRBYTES); + shake256_inc_absorb(&state, pre, prelen); + shake256_inc_absorb(&state, m, mlen); + shake256_inc_finalize(&state); + shake256_inc_squeeze(mu, CRHBYTES, &state); /* Compute rhoprime = CRH(key, rnd, mu) */ - shake256_init(&state); - shake256_absorb(&state, key, SEEDBYTES); - shake256_absorb(&state, rnd, RNDBYTES); - shake256_absorb(&state, mu, CRHBYTES); - shake256_finalize(&state); - shake256_squeeze(rhoprime, CRHBYTES, &state); + shake256_inc_ctx_reset(&state); + shake256_inc_absorb(&state, key, SEEDBYTES); + shake256_inc_absorb(&state, rnd, RNDBYTES); + shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_finalize(&state); + shake256_inc_squeeze(rhoprime, CRHBYTES, &state); /* Expand matrix and transform vectors */ polyvec_matrix_expand(mat, rho); @@ -145,11 +145,11 @@ rej: polyveck_decompose(&w1, &w0, &w1); polyveck_pack_w1(sig, &w1); - shake256_init(&state); - shake256_absorb(&state, mu, CRHBYTES); - shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES); - shake256_finalize(&state); - shake256_squeeze(sig, CTILDEBYTES, &state); + shake256_inc_ctx_reset(&state); + shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES); + shake256_inc_finalize(&state); + shake256_inc_squeeze(sig, CTILDEBYTES, &state); poly_challenge(&cp, sig); poly_ntt(&cp); @@ -182,6 +182,8 @@ rej: if(n > OMEGA) goto rej; + shake256_inc_ctx_release(&state); + /* Write signature */ pack_sig(sig, sig, &z, &h); *siglen = CRYPTO_BYTES; @@ -303,7 +305,7 @@ int crypto_sign_verify_internal(const uint8_t *sig, poly cp; polyvecl mat[K], z; polyveck t1, w1, h; - keccak_state state; + shake256incctx state; if(siglen != CRYPTO_BYTES) return -1; @@ -316,12 +318,12 @@ int crypto_sign_verify_internal(const uint8_t *sig, /* Compute CRH(H(rho, t1), pre, msg) */ shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); - shake256_init(&state); - shake256_absorb(&state, mu, TRBYTES); - shake256_absorb(&state, pre, prelen); - shake256_absorb(&state, m, mlen); - shake256_finalize(&state); - shake256_squeeze(mu, CRHBYTES, &state); + shake256_inc_init(&state); + shake256_inc_absorb(&state, mu, TRBYTES); + shake256_inc_absorb(&state, pre, prelen); + shake256_inc_absorb(&state, m, mlen); + shake256_inc_finalize(&state); + shake256_inc_squeeze(mu, CRHBYTES, &state); /* Matrix-vector multiplication; compute Az - c2^dt1 */ poly_challenge(&cp, c); @@ -345,11 +347,12 @@ int crypto_sign_verify_internal(const uint8_t *sig, polyveck_pack_w1(buf, &w1); /* Call random oracle and verify challenge */ - shake256_init(&state); - shake256_absorb(&state, mu, CRHBYTES); - shake256_absorb(&state, buf, K*POLYW1_PACKEDBYTES); - shake256_finalize(&state); - shake256_squeeze(c2, CTILDEBYTES, &state); + shake256_inc_ctx_reset(&state); + shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES); + shake256_inc_finalize(&state); + shake256_inc_squeeze(c2, CTILDEBYTES, &state); + shake256_inc_ctx_release(&state); for(i = 0; i < CTILDEBYTES; ++i) if(c[i] != c2[i]) return -1; diff --git a/ref/sign.h b/ref/sign.h index 2741e8f..0b5f74a 100644 --- a/ref/sign.h +++ b/ref/sign.h @@ -1,6 +1,8 @@ #ifndef SIGN_H #define SIGN_H +#include + #include #include #include "params.h" @@ -11,7 +13,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); #define crypto_sign_signature_internal DILITHIUM_NAMESPACE(signature_internal) -int crypto_sign_signature_internal(uint8_t *sig, +OQS_API int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, @@ -33,7 +35,7 @@ int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *sk); #define crypto_sign_verify_internal DILITHIUM_NAMESPACE(verify_internal) -int crypto_sign_verify_internal(const uint8_t *sig, +OQS_API int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c index 11ec09c..963f649 100644 --- a/ref/symmetric-shake.c +++ b/ref/symmetric-shake.c @@ -3,26 +3,26 @@ #include "symmetric.h" #include "fips202.h" -void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce) +void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce) { uint8_t t[2]; t[0] = nonce; t[1] = nonce >> 8; - shake128_init(state); - shake128_absorb(state, seed, SEEDBYTES); - shake128_absorb(state, t, 2); - shake128_finalize(state); + shake128_inc_init(state); + shake128_inc_absorb(state, seed, SEEDBYTES); + shake128_inc_absorb(state, t, 2); + shake128_inc_finalize(state); } -void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce) +void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce) { uint8_t t[2]; t[0] = nonce; t[1] = nonce >> 8; - shake256_init(state); - shake256_absorb(state, seed, CRHBYTES); - shake256_absorb(state, t, 2); - shake256_finalize(state); + shake256_inc_init(state); + shake256_inc_absorb(state, seed, CRHBYTES); + shake256_inc_absorb(state, t, 2); + shake256_inc_finalize(state); } diff --git a/ref/symmetric.h b/ref/symmetric.h index cba12d1..211de3b 100644 --- a/ref/symmetric.h +++ b/ref/symmetric.h @@ -6,16 +6,16 @@ #include "fips202.h" -typedef keccak_state stream128_state; -typedef keccak_state stream256_state; +typedef shake128incctx stream128_state; +typedef shake256incctx stream256_state; #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init) -void dilithium_shake128_stream_init(keccak_state *state, +void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce); #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init) -void dilithium_shake256_stream_init(keccak_state *state, +void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce); @@ -26,9 +26,11 @@ void dilithium_shake256_stream_init(keccak_state *state, dilithium_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_release(STATE) shake128_inc_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) \ dilithium_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \ shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_release(STATE) shake256_inc_ctx_release(STATE) #endif