mirror of
https://github.com/open-quantum-safe/liboqs.git
synced 2025-10-03 00:02:36 -04:00
d9c214cc64
* Pull ML-DSA from pq-crystals upstream. * Removes ML-DSA-ipd * Adds support for context strings to OQS SIG API. * Adding _with_ctx_str APIs, templating * Adds ACVP tests for ML-DSA * export symbols for acvp tests (dynamic linking) * remove IPD intermediate values * adds flag for ctx support * Update constant-time passes after line nubmer and function name changes * Update KATs * API with checks for signatures without ctx support * Additional test for signatures with ctx * Change alg_version to FIPS204 * Update ML-DSA security claim to SUF-CMA, according to FIPS204 * Update src/sig/sig.h * Fix test_alg_info --------- Signed-off-by: Basil Hess <bhe@zurich.ibm.com> Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>
832 lines
31 KiB
Diff
832 lines
31 KiB
Diff
diff --git a/Dilithium2_META.yml b/Dilithium2_META.yml
|
|
index 122b3ca..2d5686a 100644
|
|
--- a/Dilithium2_META.yml
|
|
+++ b/ML-DSA-44_META.yml
|
|
@@ -1,4 +1,4 @@
|
|
-name: Dilithium2
|
|
+name: ML-DSA-44
|
|
type: signature
|
|
claimed-nist-level: 2
|
|
length-public-key: 1312
|
|
@@ -18,22 +18,22 @@ auxiliary-submitters:
|
|
- Damien Stehlé
|
|
implementations:
|
|
- name: ref
|
|
- version: https://github.com/pq-crystals/dilithium/tree/master
|
|
+ version: FIPS204
|
|
folder_name: ref
|
|
- compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING
|
|
- signature_keypair: pqcrystals_dilithium2_ref_keypair
|
|
- signature_signature: pqcrystals_dilithium2_ref_signature
|
|
- signature_verify: pqcrystals_dilithium2_ref_verify
|
|
- sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
|
|
- common_dep: common_ref
|
|
+ compile_opts: -DDILITHIUM_MODE=2
|
|
+ signature_keypair: pqcrystals_ml_dsa_44_ref_keypair
|
|
+ signature_signature: pqcrystals_ml_dsa_44_ref_signature
|
|
+ signature_verify: pqcrystals_ml_dsa_44_ref_verify
|
|
+ api-with-context-string: true
|
|
+ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
|
|
- name: avx2
|
|
- version: https://github.com/pq-crystals/dilithium/tree/master
|
|
- compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING
|
|
- signature_keypair: pqcrystals_dilithium2_avx2_keypair
|
|
- signature_signature: pqcrystals_dilithium2_avx2_signature
|
|
- signature_verify: pqcrystals_dilithium2_avx2_verify
|
|
- sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
|
|
- common_dep: common_avx2
|
|
+ version: FIPS204
|
|
+ compile_opts: -DDILITHIUM_MODE=2
|
|
+ signature_keypair: pqcrystals_ml_dsa_44_avx2_keypair
|
|
+ signature_signature: pqcrystals_ml_dsa_44_avx2_signature
|
|
+ signature_verify: pqcrystals_ml_dsa_44_avx2_verify
|
|
+ api-with-context-string: true
|
|
+ sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
|
|
supported_platforms:
|
|
- architecture: x86_64
|
|
operating_systems:
|
|
diff --git a/Dilithium3_META.yml b/Dilithium3_META.yml
|
|
index b108b4f..47a4ba0 100644
|
|
--- a/Dilithium3_META.yml
|
|
+++ b/ML-DSA-65_META.yml
|
|
@@ -1,4 +1,4 @@
|
|
-name: Dilithium3
|
|
+name: ML-DSA-65
|
|
type: signature
|
|
claimed-nist-level: 3
|
|
length-public-key: 1952
|
|
@@ -18,22 +18,22 @@ auxiliary-submitters:
|
|
- Damien Stehlé
|
|
implementations:
|
|
- name: ref
|
|
- version: https://github.com/pq-crystals/dilithium/tree/master
|
|
+ version: FIPS204
|
|
folder_name: ref
|
|
- compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING
|
|
- signature_keypair: pqcrystals_dilithium3_ref_keypair
|
|
- signature_signature: pqcrystals_dilithium3_ref_signature
|
|
- signature_verify: pqcrystals_dilithium3_ref_verify
|
|
- sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
|
|
- common_dep: common_ref
|
|
+ compile_opts: -DDILITHIUM_MODE=3
|
|
+ signature_keypair: pqcrystals_ml_dsa_65_ref_keypair
|
|
+ signature_signature: pqcrystals_ml_dsa_65_ref_signature
|
|
+ signature_verify: pqcrystals_ml_dsa_65_ref_verify
|
|
+ api-with-context-string: true
|
|
+ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
|
|
- name: avx2
|
|
- version: https://github.com/pq-crystals/dilithium/tree/master
|
|
- compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING
|
|
- signature_keypair: pqcrystals_dilithium3_avx2_keypair
|
|
- signature_signature: pqcrystals_dilithium3_avx2_signature
|
|
- signature_verify: pqcrystals_dilithium3_avx2_verify
|
|
- sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
|
|
- common_dep: common_avx2
|
|
+ version: FIPS204
|
|
+ compile_opts: -DDILITHIUM_MODE=3
|
|
+ signature_keypair: pqcrystals_ml_dsa_65_avx2_keypair
|
|
+ signature_signature: pqcrystals_ml_dsa_65_avx2_signature
|
|
+ signature_verify: pqcrystals_ml_dsa_65_avx2_verify
|
|
+ api-with-context-string: true
|
|
+ sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
|
|
supported_platforms:
|
|
- architecture: x86_64
|
|
operating_systems:
|
|
diff --git a/Dilithium5_META.yml b/Dilithium5_META.yml
|
|
index 5163526..e9bff1e 100644
|
|
--- a/Dilithium5_META.yml
|
|
+++ b/ML-DSA-87_META.yml
|
|
@@ -1,4 +1,4 @@
|
|
-name: Dilithium5
|
|
+name: ML-DSA-87
|
|
type: signature
|
|
claimed-nist-level: 5
|
|
length-public-key: 2592
|
|
@@ -18,22 +18,22 @@ auxiliary-submitters:
|
|
- Damien Stehlé
|
|
implementations:
|
|
- name: ref
|
|
- version: https://github.com/pq-crystals/dilithium/tree/master
|
|
+ version: FIPS204
|
|
folder_name: ref
|
|
- compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING
|
|
- signature_keypair: pqcrystals_dilithium5_ref_keypair
|
|
- signature_signature: pqcrystals_dilithium5_ref_signature
|
|
- signature_verify: pqcrystals_dilithium5_ref_verify
|
|
- sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
|
|
- common_dep: common_ref
|
|
+ compile_opts: -DDILITHIUM_MODE=5
|
|
+ signature_keypair: pqcrystals_ml_dsa_87_ref_keypair
|
|
+ signature_signature: pqcrystals_ml_dsa_87_ref_signature
|
|
+ signature_verify: pqcrystals_ml_dsa_87_ref_verify
|
|
+ api-with-context-string: true
|
|
+ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
|
|
- name: avx2
|
|
- version: https://github.com/pq-crystals/dilithium/tree/master
|
|
- compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING
|
|
- signature_keypair: pqcrystals_dilithium5_avx2_keypair
|
|
- signature_signature: pqcrystals_dilithium5_avx2_signature
|
|
- signature_verify: pqcrystals_dilithium5_avx2_verify
|
|
- sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
|
|
- common_dep: common_avx2
|
|
+ version: FIPS204
|
|
+ compile_opts: -DDILITHIUM_MODE=5
|
|
+ signature_keypair: pqcrystals_ml_dsa_87_avx2_keypair
|
|
+ signature_signature: pqcrystals_ml_dsa_87_avx2_signature
|
|
+ signature_verify: pqcrystals_ml_dsa_87_avx2_verify
|
|
+ api-with-context-string: true
|
|
+ sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
|
|
supported_platforms:
|
|
- architecture: x86_64
|
|
operating_systems:
|
|
diff --git a/avx2/config.h b/avx2/config.h
|
|
index a9facc0..3944cb4 100644
|
|
--- a/avx2/config.h
|
|
+++ b/avx2/config.h
|
|
@@ -11,17 +11,17 @@
|
|
#endif
|
|
|
|
#if DILITHIUM_MODE == 2
|
|
-#define CRYPTO_ALGNAME "Dilithium2"
|
|
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2
|
|
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_avx2_##s
|
|
+#define CRYPTO_ALGNAME "ML-DSA-44"
|
|
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_avx2
|
|
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_avx2_##s
|
|
#elif DILITHIUM_MODE == 3
|
|
-#define CRYPTO_ALGNAME "Dilithium3"
|
|
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_avx2
|
|
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_avx2_##s
|
|
+#define CRYPTO_ALGNAME "ML-DSA-65"
|
|
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_avx2
|
|
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_avx2_##s
|
|
#elif DILITHIUM_MODE == 5
|
|
-#define CRYPTO_ALGNAME "Dilithium5"
|
|
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2
|
|
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s
|
|
+#define CRYPTO_ALGNAME "ML-DSA-87"
|
|
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_avx2
|
|
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_avx2_##s
|
|
#endif
|
|
|
|
#endif
|
|
diff --git a/avx2/f1600x4.S b/avx2/f1600x4.S
|
|
index 5455129..497b8ca 100644
|
|
--- a/avx2/f1600x4.S
|
|
+++ b/avx2/f1600x4.S
|
|
@@ -905,5 +905,3 @@ addq $32, %rsi
|
|
subq $1, %rax
|
|
jnz looptop
|
|
ret
|
|
-
|
|
-.section .note.GNU-stack,"",@progbits
|
|
diff --git a/avx2/invntt.S b/avx2/invntt.S
|
|
index d40ca13..3e9864c 100644
|
|
--- a/avx2/invntt.S
|
|
+++ b/avx2/invntt.S
|
|
@@ -236,5 +236,3 @@ levels6t7 2
|
|
levels6t7 3
|
|
|
|
ret
|
|
-
|
|
-.section .note.GNU-stack,"",@progbits
|
|
diff --git a/avx2/ntt.S b/avx2/ntt.S
|
|
index 026f057..ebe17d3 100644
|
|
--- a/avx2/ntt.S
|
|
+++ b/avx2/ntt.S
|
|
@@ -194,5 +194,3 @@ levels2t7 2
|
|
levels2t7 3
|
|
|
|
ret
|
|
-
|
|
-.section .note.GNU-stack,"",@progbits
|
|
diff --git a/avx2/pointwise.S b/avx2/pointwise.S
|
|
index 6b687c7..ae7ff79 100644
|
|
--- a/avx2/pointwise.S
|
|
+++ b/avx2/pointwise.S
|
|
@@ -209,5 +209,3 @@ cmp $16,%eax
|
|
jb _looptop2
|
|
|
|
ret
|
|
-
|
|
-.section .note.GNU-stack,"",@progbits
|
|
diff --git a/avx2/poly.c b/avx2/poly.c
|
|
index 340e91d..0a4ecb6 100644
|
|
--- a/avx2/poly.c
|
|
+++ b/avx2/poly.c
|
|
@@ -401,6 +401,7 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
|
|
stream128_state state;
|
|
stream128_init(&state, seed, nonce);
|
|
poly_uniform_preinit(a, &state);
|
|
+ stream128_release(&state);
|
|
}
|
|
|
|
void poly_uniform_4x(poly *a0,
|
|
@@ -415,7 +416,7 @@ void poly_uniform_4x(poly *a0,
|
|
{
|
|
unsigned int ctr0, ctr1, ctr2, ctr3;
|
|
ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4];
|
|
- keccakx4_state state;
|
|
+ shake128x4incctx state;
|
|
__m256i f;
|
|
|
|
f = _mm256_loadu_si256((__m256i *)seed);
|
|
@@ -433,6 +434,7 @@ void poly_uniform_4x(poly *a0,
|
|
buf[3].coeffs[SEEDBYTES+0] = nonce3;
|
|
buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8;
|
|
|
|
+ shake128x4_inc_init(&state);
|
|
shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
|
|
shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state);
|
|
|
|
@@ -449,6 +451,7 @@ void poly_uniform_4x(poly *a0,
|
|
ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
|
|
ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
|
|
}
|
|
+ shake128x4_inc_ctx_release(&state);
|
|
}
|
|
|
|
/*************************************************
|
|
@@ -530,6 +533,7 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
|
|
stream256_state state;
|
|
stream256_init(&state, seed, nonce);
|
|
poly_uniform_eta_preinit(a, &state);
|
|
+ stream256_release(&state);
|
|
}
|
|
|
|
void poly_uniform_eta_4x(poly *a0,
|
|
@@ -546,7 +550,7 @@ void poly_uniform_eta_4x(poly *a0,
|
|
ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4];
|
|
|
|
__m256i f;
|
|
- keccakx4_state state;
|
|
+ shake256x4incctx state;
|
|
|
|
f = _mm256_loadu_si256((__m256i *)&seed[0]);
|
|
_mm256_store_si256(&buf[0].vec[0],f);
|
|
@@ -568,6 +572,7 @@ void poly_uniform_eta_4x(poly *a0,
|
|
buf[3].coeffs[64] = nonce3;
|
|
buf[3].coeffs[65] = nonce3 >> 8;
|
|
|
|
+ shake256x4_inc_init(&state);
|
|
shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
|
|
shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
|
|
|
|
@@ -584,6 +589,7 @@ void poly_uniform_eta_4x(poly *a0,
|
|
ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
|
|
ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
|
|
}
|
|
+ shake256x4_inc_ctx_release(&state);
|
|
}
|
|
|
|
/*************************************************
|
|
@@ -611,6 +617,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
|
|
stream256_state state;
|
|
stream256_init(&state, seed, nonce);
|
|
poly_uniform_gamma1_preinit(a, &state);
|
|
+ stream256_release(&state);
|
|
}
|
|
|
|
void poly_uniform_gamma1_4x(poly *a0,
|
|
@@ -624,7 +631,7 @@ void poly_uniform_gamma1_4x(poly *a0,
|
|
uint16_t nonce3)
|
|
{
|
|
ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4];
|
|
- keccakx4_state state;
|
|
+ shake256x4incctx state;
|
|
__m256i f;
|
|
|
|
f = _mm256_loadu_si256((__m256i *)&seed[0]);
|
|
@@ -647,8 +654,10 @@ void poly_uniform_gamma1_4x(poly *a0,
|
|
buf[3].coeffs[64] = nonce3;
|
|
buf[3].coeffs[65] = nonce3 >> 8;
|
|
|
|
+ shake256x4_inc_init(&state);
|
|
shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
|
|
shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
|
|
+ shake256x4_inc_ctx_release(&state);
|
|
|
|
polyz_unpack(a0, buf[0].coeffs);
|
|
polyz_unpack(a1, buf[1].coeffs);
|
|
@@ -670,12 +679,12 @@ void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) {
|
|
unsigned int i, b, pos;
|
|
uint64_t signs;
|
|
ALIGNED_UINT8(SHAKE256_RATE) buf;
|
|
- keccak_state state;
|
|
+ shake256incctx state;
|
|
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, seed, CTILDEBYTES);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeezeblocks(buf.coeffs, 1, &state);
|
|
+ shake256_inc_init(&state);
|
|
+ shake256_inc_absorb(&state, seed, CTILDEBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
|
|
|
|
memcpy(&signs, buf.coeffs, 8);
|
|
pos = 8;
|
|
@@ -695,6 +704,7 @@ void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) {
|
|
c->coeffs[b] = 1 - 2*(signs & 1);
|
|
signs >>= 1;
|
|
}
|
|
+ shake256_inc_ctx_release(&state);
|
|
}
|
|
|
|
/*************************************************
|
|
diff --git a/avx2/shuffle.S b/avx2/shuffle.S
|
|
index 08c757c..133e051 100644
|
|
--- a/avx2/shuffle.S
|
|
+++ b/avx2/shuffle.S
|
|
@@ -50,5 +50,3 @@ call nttunpack128_avx
|
|
add $256,%rdi
|
|
call nttunpack128_avx
|
|
ret
|
|
-
|
|
-.section .note.GNU-stack,"",@progbits
|
|
diff --git a/avx2/sign.c b/avx2/sign.c
|
|
index efb6ea3..532e37c 100644
|
|
--- a/avx2/sign.c
|
|
+++ b/avx2/sign.c
|
|
@@ -168,7 +168,7 @@ int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t *
|
|
polyvecl y;
|
|
polyveck w0;
|
|
} tmpv;
|
|
- keccak_state state;
|
|
+ shake256incctx state;
|
|
|
|
rho = seedbuf;
|
|
tr = rho + SEEDBYTES;
|
|
@@ -178,20 +178,20 @@ int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t *
|
|
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
|
|
|
|
/* Compute mu = CRH(tr, pre, msg) */
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, tr, TRBYTES);
|
|
- shake256_absorb(&state, pre, prelen);
|
|
- shake256_absorb(&state, m, mlen);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(mu, CRHBYTES, &state);
|
|
+ shake256_inc_init(&state);
|
|
+ shake256_inc_absorb(&state, tr, TRBYTES);
|
|
+ shake256_inc_absorb(&state, pre, prelen);
|
|
+ shake256_inc_absorb(&state, m, mlen);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
|
|
|
|
/* Compute rhoprime = CRH(key, rnd, mu) */
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, key, SEEDBYTES);
|
|
- shake256_absorb(&state, rnd, RNDBYTES);
|
|
- shake256_absorb(&state, mu, CRHBYTES);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(rhoprime, CRHBYTES, &state);
|
|
+ shake256_inc_ctx_reset(&state);
|
|
+ shake256_inc_absorb(&state, key, SEEDBYTES);
|
|
+ shake256_inc_absorb(&state, rnd, RNDBYTES);
|
|
+ shake256_inc_absorb(&state, mu, CRHBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(rhoprime, CRHBYTES, &state);
|
|
|
|
/* Expand matrix and transform vectors */
|
|
polyvec_matrix_expand(mat, rho);
|
|
@@ -231,11 +231,11 @@ rej:
|
|
polyveck_decompose(&w1, &tmpv.w0, &w1);
|
|
polyveck_pack_w1(sig, &w1);
|
|
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, mu, CRHBYTES);
|
|
- shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(sig, CTILDEBYTES, &state);
|
|
+ shake256_inc_ctx_reset(&state);
|
|
+ shake256_inc_absorb(&state, mu, CRHBYTES);
|
|
+ shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(sig, CTILDEBYTES, &state);
|
|
poly_challenge(&c, sig);
|
|
poly_ntt(&c);
|
|
|
|
@@ -280,6 +280,7 @@ rej:
|
|
hint[OMEGA + i] = pos = pos + n;
|
|
}
|
|
|
|
+ shake256_inc_ctx_release(&state);
|
|
/* Pack z into signature */
|
|
for(i = 0; i < L; i++)
|
|
polyz_pack(sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
|
|
@@ -384,19 +385,19 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t
|
|
polyvecl *row = rowbuf;
|
|
polyvecl z;
|
|
poly c, w1, h;
|
|
- keccak_state state;
|
|
+ shake256incctx state;
|
|
|
|
if(siglen != CRYPTO_BYTES)
|
|
return -1;
|
|
|
|
/* Compute CRH(H(rho, t1), pre, msg) */
|
|
shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, mu, CRHBYTES);
|
|
- shake256_absorb(&state, pre, prelen);
|
|
- shake256_absorb(&state, m, mlen);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(mu, CRHBYTES, &state);
|
|
+ shake256_inc_init(&state);
|
|
+ shake256_inc_absorb(&state, mu, CRHBYTES);
|
|
+ shake256_inc_absorb(&state, pre, prelen);
|
|
+ shake256_inc_absorb(&state, m, mlen);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
|
|
|
|
/* Expand challenge */
|
|
poly_challenge(&c, sig);
|
|
@@ -426,12 +427,17 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t
|
|
|
|
/* Get hint polynomial and reconstruct w1 */
|
|
memset(h.vec, 0, sizeof(poly));
|
|
- if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA)
|
|
+ if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
|
|
+ shake256_inc_ctx_release(&state);
|
|
return -1;
|
|
+ }
|
|
|
|
for(j = pos; j < hint[OMEGA + i]; ++j) {
|
|
/* Coefficients are ordered for strong unforgeability */
|
|
- if(j > pos && hint[j] <= hint[j-1]) return -1;
|
|
+ if(j > pos && hint[j] <= hint[j-1]) {
|
|
+ shake256_inc_ctx_release(&state);
|
|
+ return -1;
|
|
+ }
|
|
h.coeffs[hint[j]] = 1;
|
|
}
|
|
pos = hint[OMEGA + i];
|
|
@@ -443,14 +449,18 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen, const uint8_t
|
|
|
|
/* Extra indices are zero for strong unforgeability */
|
|
for(j = pos; j < OMEGA; ++j)
|
|
- if(hint[j]) return -1;
|
|
+ if(hint[j]) {
|
|
+ shake256_inc_ctx_release(&state);
|
|
+ return -1;
|
|
+ }
|
|
|
|
/* Call random oracle and verify challenge */
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, mu, CRHBYTES);
|
|
- shake256_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(buf.coeffs, CTILDEBYTES, &state);
|
|
+ shake256_inc_ctx_reset(&state);
|
|
+ shake256_inc_absorb(&state, mu, CRHBYTES);
|
|
+ shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(buf.coeffs, CTILDEBYTES, &state);
|
|
+ shake256_inc_ctx_release(&state);
|
|
for(i = 0; i < CTILDEBYTES; ++i)
|
|
if(buf.coeffs[i] != sig[i])
|
|
return -1;
|
|
diff --git a/avx2/symmetric.h b/avx2/symmetric.h
|
|
index 8f3c3c5..fa49963 100644
|
|
--- a/avx2/symmetric.h
|
|
+++ b/avx2/symmetric.h
|
|
@@ -6,21 +6,23 @@
|
|
|
|
#include "fips202.h"
|
|
|
|
-typedef keccak_state stream128_state;
|
|
-typedef keccak_state stream256_state;
|
|
+typedef shake128incctx stream128_state;
|
|
+typedef shake256incctx stream256_state;
|
|
|
|
#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
|
|
-void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
|
|
+void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
|
|
|
|
#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
|
|
-void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
|
|
+void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
|
|
|
|
#define STREAM128_BLOCKBYTES SHAKE128_RATE
|
|
#define STREAM256_BLOCKBYTES SHAKE256_RATE
|
|
|
|
#define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE)
|
|
#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
|
|
+#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
|
|
#define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE)
|
|
#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
|
|
+#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
|
|
|
|
#endif
|
|
diff --git a/ref/config.h b/ref/config.h
|
|
index 98b8ccb..8008e11 100644
|
|
--- a/ref/config.h
|
|
+++ b/ref/config.h
|
|
@@ -11,17 +11,17 @@
|
|
#endif
|
|
|
|
#if DILITHIUM_MODE == 2
|
|
-#define CRYPTO_ALGNAME "Dilithium2"
|
|
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref
|
|
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_ref_##s
|
|
+#define CRYPTO_ALGNAME "ML-DSA-44"
|
|
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ref
|
|
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ref_##s
|
|
#elif DILITHIUM_MODE == 3
|
|
-#define CRYPTO_ALGNAME "Dilithium3"
|
|
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_ref
|
|
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_ref_##s
|
|
+#define CRYPTO_ALGNAME "ML-DSA-65"
|
|
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ref
|
|
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ref_##s
|
|
#elif DILITHIUM_MODE == 5
|
|
-#define CRYPTO_ALGNAME "Dilithium5"
|
|
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref
|
|
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s
|
|
+#define CRYPTO_ALGNAME "ML-DSA-87"
|
|
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ref
|
|
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ref_##s
|
|
#endif
|
|
|
|
#endif
|
|
diff --git a/ref/poly.c b/ref/poly.c
|
|
index 0db4f42..691b5e8 100644
|
|
--- a/ref/poly.c
|
|
+++ b/ref/poly.c
|
|
@@ -365,6 +365,7 @@ void poly_uniform(poly *a,
|
|
buflen = STREAM128_BLOCKBYTES + off;
|
|
ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
|
|
}
|
|
+ stream128_release(&state);
|
|
}
|
|
|
|
/*************************************************
|
|
@@ -450,6 +451,7 @@ void poly_uniform_eta(poly *a,
|
|
stream256_squeezeblocks(buf, 1, &state);
|
|
ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
|
|
}
|
|
+ stream256_release(&state);
|
|
}
|
|
|
|
/*************************************************
|
|
@@ -473,6 +475,7 @@ void poly_uniform_gamma1(poly *a,
|
|
|
|
stream256_init(&state, seed, nonce);
|
|
stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
|
|
+ stream256_release(&state);
|
|
polyz_unpack(a, buf);
|
|
}
|
|
|
|
@@ -490,11 +493,11 @@ void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) {
|
|
unsigned int i, b, pos;
|
|
uint64_t signs;
|
|
uint8_t buf[SHAKE256_RATE];
|
|
- keccak_state state;
|
|
+ shake256incctx state;
|
|
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, seed, CTILDEBYTES);
|
|
- shake256_finalize(&state);
|
|
+ shake256_inc_init(&state);
|
|
+ shake256_inc_absorb(&state, seed, CTILDEBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
shake256_squeezeblocks(buf, 1, &state);
|
|
|
|
signs = 0;
|
|
@@ -518,6 +521,7 @@ void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) {
|
|
c->coeffs[b] = 1 - 2*(signs & 1);
|
|
signs >>= 1;
|
|
}
|
|
+ shake256_inc_ctx_release(&state);
|
|
}
|
|
|
|
/*************************************************
|
|
diff --git a/ref/sign.c b/ref/sign.c
|
|
index 7d3f882..abb033c 100644
|
|
--- a/ref/sign.c
|
|
+++ b/ref/sign.c
|
|
@@ -98,7 +98,7 @@ int crypto_sign_signature_internal(uint8_t *sig,
|
|
polyvecl mat[K], s1, y, z;
|
|
polyveck t0, s2, w1, w0, h;
|
|
poly cp;
|
|
- keccak_state state;
|
|
+ shake256incctx state;
|
|
|
|
rho = seedbuf;
|
|
tr = rho + SEEDBYTES;
|
|
@@ -108,20 +108,20 @@ int crypto_sign_signature_internal(uint8_t *sig,
|
|
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
|
|
|
|
/* Compute mu = CRH(tr, pre, msg) */
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, tr, TRBYTES);
|
|
- shake256_absorb(&state, pre, prelen);
|
|
- shake256_absorb(&state, m, mlen);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(mu, CRHBYTES, &state);
|
|
+ shake256_inc_init(&state);
|
|
+ shake256_inc_absorb(&state, tr, TRBYTES);
|
|
+ shake256_inc_absorb(&state, pre, prelen);
|
|
+ shake256_inc_absorb(&state, m, mlen);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
|
|
|
|
/* Compute rhoprime = CRH(key, rnd, mu) */
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, key, SEEDBYTES);
|
|
- shake256_absorb(&state, rnd, RNDBYTES);
|
|
- shake256_absorb(&state, mu, CRHBYTES);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(rhoprime, CRHBYTES, &state);
|
|
+ shake256_inc_ctx_reset(&state);
|
|
+ shake256_inc_absorb(&state, key, SEEDBYTES);
|
|
+ shake256_inc_absorb(&state, rnd, RNDBYTES);
|
|
+ shake256_inc_absorb(&state, mu, CRHBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(rhoprime, CRHBYTES, &state);
|
|
|
|
/* Expand matrix and transform vectors */
|
|
polyvec_matrix_expand(mat, rho);
|
|
@@ -145,11 +145,11 @@ rej:
|
|
polyveck_decompose(&w1, &w0, &w1);
|
|
polyveck_pack_w1(sig, &w1);
|
|
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, mu, CRHBYTES);
|
|
- shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(sig, CTILDEBYTES, &state);
|
|
+ shake256_inc_ctx_reset(&state);
|
|
+ shake256_inc_absorb(&state, mu, CRHBYTES);
|
|
+ shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(sig, CTILDEBYTES, &state);
|
|
poly_challenge(&cp, sig);
|
|
poly_ntt(&cp);
|
|
|
|
@@ -182,6 +182,8 @@ rej:
|
|
if(n > OMEGA)
|
|
goto rej;
|
|
|
|
+ shake256_inc_ctx_release(&state);
|
|
+
|
|
/* Write signature */
|
|
pack_sig(sig, sig, &z, &h);
|
|
*siglen = CRYPTO_BYTES;
|
|
@@ -303,7 +305,7 @@ int crypto_sign_verify_internal(const uint8_t *sig,
|
|
poly cp;
|
|
polyvecl mat[K], z;
|
|
polyveck t1, w1, h;
|
|
- keccak_state state;
|
|
+ shake256incctx state;
|
|
|
|
if(siglen != CRYPTO_BYTES)
|
|
return -1;
|
|
@@ -316,12 +318,12 @@ int crypto_sign_verify_internal(const uint8_t *sig,
|
|
|
|
/* Compute CRH(H(rho, t1), pre, msg) */
|
|
shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, mu, TRBYTES);
|
|
- shake256_absorb(&state, pre, prelen);
|
|
- shake256_absorb(&state, m, mlen);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(mu, CRHBYTES, &state);
|
|
+ shake256_inc_init(&state);
|
|
+ shake256_inc_absorb(&state, mu, TRBYTES);
|
|
+ shake256_inc_absorb(&state, pre, prelen);
|
|
+ shake256_inc_absorb(&state, m, mlen);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
|
|
|
|
/* Matrix-vector multiplication; compute Az - c2^dt1 */
|
|
poly_challenge(&cp, c);
|
|
@@ -345,11 +347,12 @@ int crypto_sign_verify_internal(const uint8_t *sig,
|
|
polyveck_pack_w1(buf, &w1);
|
|
|
|
/* Call random oracle and verify challenge */
|
|
- shake256_init(&state);
|
|
- shake256_absorb(&state, mu, CRHBYTES);
|
|
- shake256_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
|
|
- shake256_finalize(&state);
|
|
- shake256_squeeze(c2, CTILDEBYTES, &state);
|
|
+ shake256_inc_ctx_reset(&state);
|
|
+ shake256_inc_absorb(&state, mu, CRHBYTES);
|
|
+ shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
|
|
+ shake256_inc_finalize(&state);
|
|
+ shake256_inc_squeeze(c2, CTILDEBYTES, &state);
|
|
+ shake256_inc_ctx_release(&state);
|
|
for(i = 0; i < CTILDEBYTES; ++i)
|
|
if(c[i] != c2[i])
|
|
return -1;
|
|
diff --git a/ref/sign.h b/ref/sign.h
|
|
index 2741e8f..0b5f74a 100644
|
|
--- a/ref/sign.h
|
|
+++ b/ref/sign.h
|
|
@@ -1,6 +1,8 @@
|
|
#ifndef SIGN_H
|
|
#define SIGN_H
|
|
|
|
+#include <oqs/oqs.h>
|
|
+
|
|
#include <stddef.h>
|
|
#include <stdint.h>
|
|
#include "params.h"
|
|
@@ -11,7 +13,7 @@
|
|
int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
|
|
|
|
#define crypto_sign_signature_internal DILITHIUM_NAMESPACE(signature_internal)
|
|
-int crypto_sign_signature_internal(uint8_t *sig,
|
|
+OQS_API int crypto_sign_signature_internal(uint8_t *sig,
|
|
size_t *siglen,
|
|
const uint8_t *m,
|
|
size_t mlen,
|
|
@@ -33,7 +35,7 @@ int crypto_sign(uint8_t *sm, size_t *smlen,
|
|
const uint8_t *sk);
|
|
|
|
#define crypto_sign_verify_internal DILITHIUM_NAMESPACE(verify_internal)
|
|
-int crypto_sign_verify_internal(const uint8_t *sig,
|
|
+OQS_API int crypto_sign_verify_internal(const uint8_t *sig,
|
|
size_t siglen,
|
|
const uint8_t *m,
|
|
size_t mlen,
|
|
diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c
|
|
index 11ec09c..963f649 100644
|
|
--- a/ref/symmetric-shake.c
|
|
+++ b/ref/symmetric-shake.c
|
|
@@ -3,26 +3,26 @@
|
|
#include "symmetric.h"
|
|
#include "fips202.h"
|
|
|
|
-void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
|
|
+void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
|
|
{
|
|
uint8_t t[2];
|
|
t[0] = nonce;
|
|
t[1] = nonce >> 8;
|
|
|
|
- shake128_init(state);
|
|
- shake128_absorb(state, seed, SEEDBYTES);
|
|
- shake128_absorb(state, t, 2);
|
|
- shake128_finalize(state);
|
|
+ shake128_inc_init(state);
|
|
+ shake128_inc_absorb(state, seed, SEEDBYTES);
|
|
+ shake128_inc_absorb(state, t, 2);
|
|
+ shake128_inc_finalize(state);
|
|
}
|
|
|
|
-void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
|
|
+void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
|
|
{
|
|
uint8_t t[2];
|
|
t[0] = nonce;
|
|
t[1] = nonce >> 8;
|
|
|
|
- shake256_init(state);
|
|
- shake256_absorb(state, seed, CRHBYTES);
|
|
- shake256_absorb(state, t, 2);
|
|
- shake256_finalize(state);
|
|
+ shake256_inc_init(state);
|
|
+ shake256_inc_absorb(state, seed, CRHBYTES);
|
|
+ shake256_inc_absorb(state, t, 2);
|
|
+ shake256_inc_finalize(state);
|
|
}
|
|
diff --git a/ref/symmetric.h b/ref/symmetric.h
|
|
index cba12d1..211de3b 100644
|
|
--- a/ref/symmetric.h
|
|
+++ b/ref/symmetric.h
|
|
@@ -6,16 +6,16 @@
|
|
|
|
#include "fips202.h"
|
|
|
|
-typedef keccak_state stream128_state;
|
|
-typedef keccak_state stream256_state;
|
|
+typedef shake128incctx stream128_state;
|
|
+typedef shake256incctx stream256_state;
|
|
|
|
#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
|
|
-void dilithium_shake128_stream_init(keccak_state *state,
|
|
+void dilithium_shake128_stream_init(shake128incctx *state,
|
|
const uint8_t seed[SEEDBYTES],
|
|
uint16_t nonce);
|
|
|
|
#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
|
|
-void dilithium_shake256_stream_init(keccak_state *state,
|
|
+void dilithium_shake256_stream_init(shake256incctx *state,
|
|
const uint8_t seed[CRHBYTES],
|
|
uint16_t nonce);
|
|
|
|
@@ -26,9 +26,11 @@ void dilithium_shake256_stream_init(keccak_state *state,
|
|
dilithium_shake128_stream_init(STATE, SEED, NONCE)
|
|
#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
|
|
shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
|
|
+#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
|
|
#define stream256_init(STATE, SEED, NONCE) \
|
|
dilithium_shake256_stream_init(STATE, SEED, NONCE)
|
|
#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
|
|
shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
|
|
+#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
|
|
|
|
#endif
|