mirror of
https://github.com/open-quantum-safe/liboqs.git
synced 2025-10-05 00:05:12 -04:00
719a84ecdd
* Integrates pqcrystals (ref and avx2) with liboqs common AES code (for Kyber-90s and Dilithium-AES). * Extends libOQS AES-CTR with Incremental API: OQS_AES256_CTR_inc_init, OQS_AES256_CTR_inc_iv, OQS_AES256_CTR_inc_ivu64, OQS_AES256_CTR_inc_stream_iv, OQS_AES256_CTR_inc_stream_blks. * Adds some AES-CTR shim API. * Faster AESNI CTR code (improved iv handling, 4x interleaved blocks for higher throughput). * OpenSSL AES supporting CTR API. * Updated pqcrystals patches (API, context releases). * Removes redundant AES implementations from Kyber and Dilithium. * Copy-from-upstream with updated patches. * Uses internal AES on x86_64 (dist & AES) because of increased performance with the internal AESNI code. * Adds AES-CTR benchmarks to speed_common * Update CONFIGURE.md
246 lines
8.1 KiB
Diff
246 lines
8.1 KiB
Diff
88ad24c7c247d0f2f4c6b22a7e0a4696053b41d5
|
|
diff --git a/ref/poly.c b/ref/poly.c
|
|
index a6ba074..006e83c 100644
|
|
--- a/ref/poly.c
|
|
+++ b/ref/poly.c
|
|
@@ -365,6 +365,7 @@ void poly_uniform(poly *a,
|
|
buflen = STREAM128_BLOCKBYTES + off;
|
|
ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
|
|
}
|
|
+ stream128_release(&state);
|
|
}
|
|
|
|
/*************************************************
|
|
@@ -450,6 +451,7 @@ void poly_uniform_eta(poly *a,
|
|
stream256_squeezeblocks(buf, 1, &state);
|
|
ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
|
|
}
|
|
+ stream256_release(&state);
|
|
}
|
|
|
|
/*************************************************
|
|
@@ -473,6 +475,7 @@ void poly_uniform_gamma1(poly *a,
|
|
|
|
stream256_init(&state, seed, nonce);
|
|
stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
|
|
+ stream256_release(&state);
|
|
polyz_unpack(a, buf);
|
|
}
|
|
|
|
@@ -490,11 +493,11 @@ void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
|
|
unsigned int i, b, pos;
|
|
uint64_t signs;
|
|
uint8_t buf[SHAKE256_RATE];
|
|
- keccak_state state;
|
|
+ shake256incctx state;
|
|
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, seed, SEEDBYTES);
|
|
- shake256_finalize(&state);
|
|
+ shake256_inc_init(&state);
|
|
+ shake256_inc_absorb(&state, seed, SEEDBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
shake256_squeezeblocks(buf, 1, &state);
|
|
|
|
signs = 0;
|
|
@@ -518,6 +521,7 @@ void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
|
|
c->coeffs[b] = 1 - 2*(signs & 1);
|
|
signs >>= 1;
|
|
}
|
|
+ shake256_inc_ctx_release(&state);
|
|
}
|
|
|
|
/*************************************************
|
|
diff --git a/ref/sign.c b/ref/sign.c
|
|
index 5d0455c..16333eb 100644
|
|
--- a/ref/sign.c
|
|
+++ b/ref/sign.c
|
|
@@ -90,7 +90,7 @@ int crypto_sign_signature(uint8_t *sig,
|
|
polyvecl mat[K], s1, y, z;
|
|
polyveck t0, s2, w1, w0, h;
|
|
poly cp;
|
|
- keccak_state state;
|
|
+ shake256incctx state;
|
|
|
|
rho = seedbuf;
|
|
tr = rho + SEEDBYTES;
|
|
@@ -100,11 +100,11 @@ int crypto_sign_signature(uint8_t *sig,
|
|
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
|
|
|
|
/* Compute CRH(tr, msg) */
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, tr, SEEDBYTES);
|
|
- shake256_absorb(&state, m, mlen);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(mu, CRHBYTES, &state);
|
|
+ shake256_inc_init(&state);
|
|
+ shake256_inc_absorb(&state, tr, SEEDBYTES);
|
|
+ shake256_inc_absorb(&state, m, mlen);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
|
|
|
|
#ifdef DILITHIUM_RANDOMIZED_SIGNING
|
|
randombytes(rhoprime, CRHBYTES);
|
|
@@ -134,11 +134,11 @@ rej:
|
|
polyveck_decompose(&w1, &w0, &w1);
|
|
polyveck_pack_w1(sig, &w1);
|
|
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, mu, CRHBYTES);
|
|
- shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(sig, SEEDBYTES, &state);
|
|
+ shake256_inc_ctx_reset(&state);
|
|
+ shake256_inc_absorb(&state, mu, CRHBYTES);
|
|
+ shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(sig, SEEDBYTES, &state);
|
|
poly_challenge(&cp, sig);
|
|
poly_ntt(&cp);
|
|
|
|
@@ -171,6 +171,8 @@ rej:
|
|
if(n > OMEGA)
|
|
goto rej;
|
|
|
|
+ shake256_inc_ctx_release(&state);
|
|
+
|
|
/* Write signature */
|
|
pack_sig(sig, sig, &z, &h);
|
|
*siglen = CRYPTO_BYTES;
|
|
@@ -236,7 +238,7 @@ int crypto_sign_verify(const uint8_t *sig,
|
|
poly cp;
|
|
polyvecl mat[K], z;
|
|
polyveck t1, w1, h;
|
|
- keccak_state state;
|
|
+ shake256incctx state;
|
|
|
|
if(siglen != CRYPTO_BYTES)
|
|
return -1;
|
|
@@ -249,11 +251,11 @@ int crypto_sign_verify(const uint8_t *sig,
|
|
|
|
/* Compute CRH(H(rho, t1), msg) */
|
|
shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, mu, SEEDBYTES);
|
|
- shake256_absorb(&state, m, mlen);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(mu, CRHBYTES, &state);
|
|
+ shake256_inc_init(&state);
|
|
+ shake256_inc_absorb(&state, mu, SEEDBYTES);
|
|
+ shake256_inc_absorb(&state, m, mlen);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
|
|
|
|
/* Matrix-vector multiplication; compute Az - c2^dt1 */
|
|
poly_challenge(&cp, c);
|
|
@@ -277,11 +279,12 @@ int crypto_sign_verify(const uint8_t *sig,
|
|
polyveck_pack_w1(buf, &w1);
|
|
|
|
/* Call random oracle and verify challenge */
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, mu, CRHBYTES);
|
|
- shake256_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(c2, SEEDBYTES, &state);
|
|
+ shake256_inc_ctx_reset(&state);
|
|
+ shake256_inc_absorb(&state, mu, CRHBYTES);
|
|
+ shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(c2, SEEDBYTES, &state);
|
|
+ shake256_inc_ctx_release(&state);
|
|
for(i = 0; i < SEEDBYTES; ++i)
|
|
if(c[i] != c2[i])
|
|
return -1;
|
|
diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c
|
|
index 11ec09c..963f649 100644
|
|
--- a/ref/symmetric-shake.c
|
|
+++ b/ref/symmetric-shake.c
|
|
@@ -3,26 +3,26 @@
|
|
#include "symmetric.h"
|
|
#include "fips202.h"
|
|
|
|
-void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
|
|
+void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
|
|
{
|
|
uint8_t t[2];
|
|
t[0] = nonce;
|
|
t[1] = nonce >> 8;
|
|
|
|
- shake128_init(state);
|
|
- shake128_absorb(state, seed, SEEDBYTES);
|
|
- shake128_absorb(state, t, 2);
|
|
- shake128_finalize(state);
|
|
+ shake128_inc_init(state);
|
|
+ shake128_inc_absorb(state, seed, SEEDBYTES);
|
|
+ shake128_inc_absorb(state, t, 2);
|
|
+ shake128_inc_finalize(state);
|
|
}
|
|
|
|
-void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
|
|
+void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
|
|
{
|
|
uint8_t t[2];
|
|
t[0] = nonce;
|
|
t[1] = nonce >> 8;
|
|
|
|
- shake256_init(state);
|
|
- shake256_absorb(state, seed, CRHBYTES);
|
|
- shake256_absorb(state, t, 2);
|
|
- shake256_finalize(state);
|
|
+ shake256_inc_init(state);
|
|
+ shake256_inc_absorb(state, seed, CRHBYTES);
|
|
+ shake256_inc_absorb(state, t, 2);
|
|
+ shake256_inc_finalize(state);
|
|
}
|
|
diff --git a/ref/symmetric.h b/ref/symmetric.h
|
|
index 0b34fb6..13c88da 100644
|
|
--- a/ref/symmetric.h
|
|
+++ b/ref/symmetric.h
|
|
@@ -24,25 +24,29 @@ void dilithium_aes256ctr_init(aes256ctr_ctx *state,
|
|
dilithium_aes256ctr_init(STATE, SEED, NONCE)
|
|
#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
|
|
aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
|
|
+#define stream128_release(STATE) \
|
|
+ aes256_ctx_release(STATE)
|
|
#define stream256_init(STATE, SEED, NONCE) \
|
|
dilithium_aes256ctr_init(STATE, SEED, NONCE)
|
|
#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
|
|
aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
|
|
+#define stream256_release(STATE) \
|
|
+ aes256_ctx_release(STATE)
|
|
|
|
#else
|
|
|
|
#include "fips202.h"
|
|
|
|
-typedef keccak_state stream128_state;
|
|
-typedef keccak_state stream256_state;
|
|
+typedef shake128incctx stream128_state;
|
|
+typedef shake256incctx stream256_state;
|
|
|
|
#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
|
|
-void dilithium_shake128_stream_init(keccak_state *state,
|
|
+void dilithium_shake128_stream_init(shake128incctx *state,
|
|
const uint8_t seed[SEEDBYTES],
|
|
uint16_t nonce);
|
|
|
|
#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
|
|
-void dilithium_shake256_stream_init(keccak_state *state,
|
|
+void dilithium_shake256_stream_init(shake256incctx *state,
|
|
const uint8_t seed[CRHBYTES],
|
|
uint16_t nonce);
|
|
|
|
@@ -53,10 +57,12 @@ void dilithium_shake256_stream_init(keccak_state *state,
|
|
dilithium_shake128_stream_init(STATE, SEED, NONCE)
|
|
#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
|
|
shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
|
|
+#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
|
|
#define stream256_init(STATE, SEED, NONCE) \
|
|
dilithium_shake256_stream_init(STATE, SEED, NONCE)
|
|
#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
|
|
shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
|
|
+#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
|
|
|
|
#endif
|
|
|