sharpetronics/liboqs
1
0
Fork 0
mirror of https://github.com/open-quantum-safe/liboqs.git synced 2025-11-27 00:04:24 -05:00
Code Issues Projects Releases Wiki Activity
liboqs/scripts/copy_from_upstream/patches/pqcrystals-ml_kem.patch
Basil Hess dc4deaa4e1
Add ML-KEM / FIPS203 final (#1899) 
* Add ML-KEM
* Add ACVP vectors for ML-KEM
* Removes ML-KEM-ipd

---------
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
2024-08-27 18:57:04 +02:00

458 lines
20 KiB
Diff
Raw Blame History

diff --git a/Kyber1024_META.yml b/ML-KEM-1024_META.yml
similarity index 55%
rename from Kyber1024_META.yml
rename to ML-KEM-1024_META.yml
index baa5ca3..fdfc298 100644
--- a/Kyber1024_META.yml
+++ b/ML-KEM-1024_META.yml
@@ -1,4 +1,4 @@
-name: Kyber1024
+name: ML-KEM-1024
type: kem
claimed-nist-level: 5
claimed-security: IND-CCA2
@@ -6,8 +6,8 @@ length-public-key: 1568
length-ciphertext: 1568
length-secret-key: 3168
length-shared-secret: 32
-nistkat-sha256: 5afcf2a568ad32d49b55105b032af1850f03f3888ff9e2a72f4059c58e968f60
-testvectors-sha256: ff1a854b9b6761a70c65ccae85246fe0596a949e72eae0866a8a2a2d4ea54b10
+nistkat-sha256: f580d851e5fb27e6876e5e203fa18be4cdbfd49e05d48fec3d3992c8f43a13e6
+testvectors-sha256: 85ab251d6e749e6b27507a8a6ec473ba2e8419c1aef87d0cd5ec9903c1bb92df
principal-submitters:
- Peter Schwabe
auxiliary-submitters:
@@ -22,22 +22,20 @@ auxiliary-submitters:
- Damien Stehlé
implementations:
- name: ref
- version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
+ version: https://github.com/pq-crystals/kyber/tree/standard
folder_name: ref
compile_opts: -DKYBER_K=4
- signature_keypair: pqcrystals_kyber1024_ref_keypair
- signature_enc: pqcrystals_kyber1024_ref_enc
- signature_dec: pqcrystals_kyber1024_ref_dec
- sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h fips202.h symmetric-shake.c
- common_dep: common_ref
+ signature_keypair: pqcrystals_ml_kem_1024_ref_keypair
+ signature_enc: pqcrystals_ml_kem_1024_ref_enc
+ signature_dec: pqcrystals_ml_kem_1024_ref_dec
+ sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h symmetric-shake.c
- name: avx2
- version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
+ version: https://github.com/pq-crystals/kyber/tree/standard
compile_opts: -DKYBER_K=4
- signature_keypair: pqcrystals_kyber1024_avx2_keypair
- signature_enc: pqcrystals_kyber1024_avx2_enc
- signature_dec: pqcrystals_kyber1024_avx2_dec
- sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
- common_dep: common_avx2 common_keccak4x_avx2
+ signature_keypair: pqcrystals_ml_kem_1024_avx2_keypair
+ signature_enc: pqcrystals_ml_kem_1024_avx2_enc
+ signature_dec: pqcrystals_ml_kem_1024_avx2_dec
+ sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h symmetric-shake.c
supported_platforms:
- architecture: x86_64
operating_systems:
diff --git a/Kyber512_META.yml b/ML-KEM-512_META.yml
similarity index 55%
rename from Kyber512_META.yml
rename to ML-KEM-512_META.yml
index b251701..40440a8 100644
--- a/Kyber512_META.yml
+++ b/ML-KEM-512_META.yml
@@ -1,4 +1,4 @@
-name: Kyber512
+name: ML-KEM-512
type: kem
claimed-nist-level: 1
claimed-security: IND-CCA2
@@ -6,8 +6,8 @@ length-public-key: 800
length-ciphertext: 768
length-secret-key: 1632
length-shared-secret: 32
-nistkat-sha256: bb0481d3325d828817900b709d23917cefbc10026fc857f098979451f67bb0ca
-testvectors-sha256: 6730bb552c22d9d2176ffb5568e48eb30952cf1f065073ec5f9724f6a3c6ea85
+nistkat-sha256: c70041a761e01cd6426fa60e9fd6a4412c2be817386c8d0f3334898082512782
+testvectors-sha256: e1ac6fb45e2511f4170a3527c0c50dcd61336f47113df7a299a61ef8394bd669
principal-submitters:
- Peter Schwabe
auxiliary-submitters:
@@ -22,22 +22,20 @@ auxiliary-submitters:
- Damien Stehlé
implementations:
- name: ref
- version: https://github.com/pq-crystals/kyber/commit/74cad307858b61e434490c75f812cb9b9ef7279b
+ version: https://github.com/pq-crystals/kyber/tree/standard
folder_name: ref
compile_opts: -DKYBER_K=2
- signature_keypair: pqcrystals_kyber512_ref_keypair
- signature_enc: pqcrystals_kyber512_ref_enc
- signature_dec: pqcrystals_kyber512_ref_dec
- sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h fips202.h symmetric-shake.c
- common_dep: common_ref
+ signature_keypair: pqcrystals_ml_kem_512_ref_keypair
+ signature_enc: pqcrystals_ml_kem_512_ref_enc
+ signature_dec: pqcrystals_ml_kem_512_ref_dec
+ sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h symmetric-shake.c
- name: avx2
- version: https://github.com/pq-crystals/kyber/commit/36414d64fc1890ed58d1ca8b1e0cab23635d1ac2
+ version: https://github.com/pq-crystals/kyber/tree/standard
compile_opts: -DKYBER_K=2
- signature_keypair: pqcrystals_kyber512_avx2_keypair
- signature_enc: pqcrystals_kyber512_avx2_enc
- signature_dec: pqcrystals_kyber512_avx2_dec
- sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
- common_dep: common_avx2 common_keccak4x_avx2
+ signature_keypair: pqcrystals_ml_kem_512_avx2_keypair
+ signature_enc: pqcrystals_ml_kem_512_avx2_enc
+ signature_dec: pqcrystals_ml_kem_512_avx2_dec
+ sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h symmetric-shake.c
supported_platforms:
- architecture: x86_64
operating_systems:
diff --git a/Kyber768_META.yml b/ML-KEM-768_META.yml
similarity index 55%
rename from Kyber768_META.yml
rename to ML-KEM-768_META.yml
index 7a0cc3d..4277df3 100644
--- a/Kyber768_META.yml
+++ b/ML-KEM-768_META.yml
@@ -1,4 +1,4 @@
-name: Kyber768
+name: ML-KEM-768
type: kem
claimed-nist-level: 3
claimed-security: IND-CCA2
@@ -6,8 +6,8 @@ length-public-key: 1184
length-ciphertext: 1088
length-secret-key: 2400
length-shared-secret: 32
-nistkat-sha256: 89e82a5bf2d4ddb2c6444e10409e6d9ca65dafbca67d1a0db2c9b54920a29172
-testvectors-sha256: 667c8ca2ca93729c0df6ff24588460bad1bbdbfb64ece0fe8563852a7ff348c6
+nistkat-sha256: 5352539586b6c3df58be6158a6250aeff402bd73060b0a3de68850ac074c17c3
+testvectors-sha256: 2586721a714c439f6fef26e29ee1c4c67c6207186f810617f278e6ce3e67ea0d
principal-submitters:
- Peter Schwabe
auxiliary-submitters:
@@ -22,22 +22,20 @@ auxiliary-submitters:
- Damien Stehlé
implementations:
- name: ref
- version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
+ version: https://github.com/pq-crystals/kyber/tree/standard
folder_name: ref
compile_opts: -DKYBER_K=3
- signature_keypair: pqcrystals_kyber768_ref_keypair
- signature_enc: pqcrystals_kyber768_ref_enc
- signature_dec: pqcrystals_kyber768_ref_dec
- sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h fips202.h symmetric-shake.c
- common_dep: common_ref
+ signature_keypair: pqcrystals_ml_kem_768_ref_keypair
+ signature_enc: pqcrystals_ml_kem_768_ref_enc
+ signature_dec: pqcrystals_ml_kem_768_ref_dec
+ sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h symmetric-shake.c
- name: avx2
- version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
+ version: https://github.com/pq-crystals/kyber/tree/standard
compile_opts: -DKYBER_K=3
- signature_keypair: pqcrystals_kyber768_avx2_keypair
- signature_enc: pqcrystals_kyber768_avx2_enc
- signature_dec: pqcrystals_kyber768_avx2_dec
- sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
- common_dep: common_avx2 common_keccak4x_avx2
+ signature_keypair: pqcrystals_ml_kem_768_avx2_keypair
+ signature_enc: pqcrystals_ml_kem_768_avx2_enc
+ signature_dec: pqcrystals_ml_kem_768_avx2_dec
+ sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c fq.S shuffle.S ntt.S invntt.S basemul.S consts.c rejsample.c cbd.c verify.c align.h kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h fq.inc shuffle.inc ntt.h consts.h rejsample.h cbd.h verify.h symmetric.h symmetric-shake.c
supported_platforms:
- architecture: x86_64
operating_systems:
diff --git a/avx2/indcpa.c b/avx2/indcpa.c
index 18b9d08..c4b2b3a 100644
--- a/avx2/indcpa.c
+++ b/avx2/indcpa.c
@@ -175,7 +175,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
unsigned int ctr0, ctr1, ctr2, ctr3;
ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*SHAKE128_RATE) buf[4];
__m256i f;
- keccakx4_state state;
+ shake128x4incctx state;
f = _mm256_loadu_si256((__m256i *)seed);
_mm256_store_si256(buf[0].vec, f);
@@ -204,6 +204,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
buf[3].coeffs[33] = 1;
}
+ shake128x4_inc_init(&state);
shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
@@ -225,6 +226,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
poly_nttunpack(&a[0].vec[1]);
poly_nttunpack(&a[1].vec[0]);
poly_nttunpack(&a[1].vec[1]);
+ shake128x4_inc_ctx_release(&state);
}
#elif KYBER_K == 3
void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
@@ -232,8 +234,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
unsigned int ctr0, ctr1, ctr2, ctr3;
ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*SHAKE128_RATE) buf[4];
__m256i f;
- keccakx4_state state;
- keccak_state state1x;
+ shake128x4incctx state;
+ shake128incctx state1x;
f = _mm256_loadu_si256((__m256i *)seed);
_mm256_store_si256(buf[0].vec, f);
@@ -262,6 +264,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
buf[3].coeffs[33] = 1;
}
+ shake128x4_inc_init(&state);
shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
@@ -327,6 +330,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
ctr2 += rej_uniform(a[2].vec[0].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
ctr3 += rej_uniform(a[2].vec[1].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
}
+ shake128x4_inc_ctx_release(&state);
poly_nttunpack(&a[1].vec[1]);
poly_nttunpack(&a[1].vec[2]);
@@ -337,6 +341,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
_mm256_store_si256(buf[0].vec, f);
buf[0].coeffs[32] = 2;
buf[0].coeffs[33] = 2;
+
+ shake128_inc_init(&state1x);
shake128_absorb_once(&state1x, buf[0].coeffs, 34);
shake128_squeezeblocks(buf[0].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state1x);
ctr0 = rej_uniform_avx(a[2].vec[2].coeffs, buf[0].coeffs);
@@ -344,6 +350,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
shake128_squeezeblocks(buf[0].coeffs, 1, &state1x);
ctr0 += rej_uniform(a[2].vec[2].coeffs + ctr0, KYBER_N - ctr0, buf[0].coeffs, SHAKE128_RATE);
}
+ shake128_inc_ctx_release(&state1x);
poly_nttunpack(&a[2].vec[2]);
}
@@ -353,7 +360,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
unsigned int i, ctr0, ctr1, ctr2, ctr3;
ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*SHAKE128_RATE) buf[4];
__m256i f;
- keccakx4_state state;
+ shake128x4incctx state;
+ shake128x4_inc_init(&state);
for(i=0;i<4;i++) {
f = _mm256_loadu_si256((__m256i *)seed);
@@ -405,6 +413,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
poly_nttunpack(&a[i].vec[2]);
poly_nttunpack(&a[i].vec[3]);
}
+ shake128x4_inc_ctx_release(&state);
}
#endif
diff --git a/avx2/params.h b/avx2/params.h
index bc70ebf..fdc688e 100644
--- a/avx2/params.h
+++ b/avx2/params.h
@@ -12,19 +12,19 @@
#ifdef KYBER_90S
#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_avx2_##s
#else
-#define KYBER_NAMESPACE(s) pqcrystals_kyber512_avx2_##s
+#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_512_avx2_##s
#endif
#elif (KYBER_K == 3)
#ifdef KYBER_90S
#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_avx2_##s
#else
-#define KYBER_NAMESPACE(s) pqcrystals_kyber768_avx2_##s
+#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_768_avx2_##s
#endif
#elif (KYBER_K == 4)
#ifdef KYBER_90S
#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_avx2_##s
#else
-#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_avx2_##s
+#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_1024_avx2_##s
#endif
#else
#error "KYBER_K must be in {2,3,4}"
diff --git a/avx2/poly.c b/avx2/poly.c
index 56a5e1e..681fd6d 100644
--- a/avx2/poly.c
+++ b/avx2/poly.c
@@ -2,6 +2,7 @@
#include <immintrin.h>
#include <string.h>
#include "align.h"
+#include "fips202x4.h"
#include "params.h"
#include "poly.h"
#include "ntt.h"
@@ -325,7 +326,7 @@ void poly_getnoise_eta1_4x(poly *r0,
{
ALIGNED_UINT8(NOISE_NBLOCKS*SHAKE256_RATE) buf[4];
__m256i f;
- keccakx4_state state;
+ shake256x4incctx state;
f = _mm256_loadu_si256((__m256i *)seed);
_mm256_store_si256(buf[0].vec, f);
@@ -338,8 +339,10 @@ void poly_getnoise_eta1_4x(poly *r0,
buf[2].coeffs[32] = nonce2;
buf[3].coeffs[32] = nonce3;
+ shake256x4_inc_init(&state);
shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 33);
shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, NOISE_NBLOCKS, &state);
+ shake256x4_inc_ctx_release(&state);
poly_cbd_eta1(r0, buf[0].vec);
poly_cbd_eta1(r1, buf[1].vec);
@@ -360,7 +363,7 @@ void poly_getnoise_eta1122_4x(poly *r0,
{
ALIGNED_UINT8(NOISE_NBLOCKS*SHAKE256_RATE) buf[4];
__m256i f;
- keccakx4_state state;
+ shake256x4incctx state;
f = _mm256_loadu_si256((__m256i *)seed);
_mm256_store_si256(buf[0].vec, f);
@@ -373,8 +376,10 @@ void poly_getnoise_eta1122_4x(poly *r0,
buf[2].coeffs[32] = nonce2;
buf[3].coeffs[32] = nonce3;
+ shake256x4_inc_init(&state);
shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 33);
shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, NOISE_NBLOCKS, &state);
+ shake256x4_inc_ctx_release(&state);
poly_cbd_eta1(r0, buf[0].vec);
poly_cbd_eta1(r1, buf[1].vec);
diff --git a/avx2/symmetric.h b/avx2/symmetric.h
index 627b891..e4941f7 100644
--- a/avx2/symmetric.h
+++ b/avx2/symmetric.h
@@ -8,10 +8,10 @@
#include "fips202.h"
#include "fips202x4.h"
-typedef keccak_state xof_state;
+typedef shake128incctx xof_state;
#define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb)
-void kyber_shake128_absorb(keccak_state *s,
+void kyber_shake128_absorb(shake128incctx *s,
const uint8_t seed[KYBER_SYMBYTES],
uint8_t x,
uint8_t y);
diff --git a/ref/indcpa.c b/ref/indcpa.c
index 9a78c09..726cfa9 100644
--- a/ref/indcpa.c
+++ b/ref/indcpa.c
@@ -168,6 +168,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
unsigned int buflen;
uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES];
xof_state state;
+ xof_init(&state, seed);
for(i=0;i<KYBER_K;i++) {
for(j=0;j<KYBER_K;j++) {
@@ -187,6 +188,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
}
}
}
+ xof_release(&state);
}
/*************************************************
diff --git a/ref/params.h b/ref/params.h
index 0802c74..36b2b98 100644
--- a/ref/params.h
+++ b/ref/params.h
@@ -8,11 +8,11 @@
/* Don't change parameters below this line */
#if (KYBER_K == 2)
-#define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref_##s
+#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_512_ref_##s
#elif (KYBER_K == 3)
-#define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref_##s
+#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_768_ref_##s
#elif (KYBER_K == 4)
-#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref_##s
+#define KYBER_NAMESPACE(s) pqcrystals_ml_kem_1024_ref_##s
#else
#error "KYBER_K must be in {2,3,4}"
#endif
diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c
index 6a99071..20f4518 100644
--- a/ref/symmetric-shake.c
+++ b/ref/symmetric-shake.c
@@ -15,7 +15,7 @@
* - uint8_t i: additional byte of input
* - uint8_t j: additional byte of input
**************************************************/
-void kyber_shake128_absorb(keccak_state *state,
+void kyber_shake128_absorb(shake128incctx *state,
const uint8_t seed[KYBER_SYMBYTES],
uint8_t x,
uint8_t y)
@@ -63,11 +63,12 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
**************************************************/
void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
{
- keccak_state s;
+ shake256incctx s;
- shake256_init(&s);
- shake256_absorb(&s, key, KYBER_SYMBYTES);
- shake256_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
- shake256_finalize(&s);
- shake256_squeeze(out, KYBER_SSBYTES, &s);
+ shake256_inc_init(&s);
+ shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+ shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+ shake256_inc_finalize(&s);
+ shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+ shake256_inc_ctx_release(&s);
}
diff --git a/ref/symmetric.h b/ref/symmetric.h
index 58e6ece..2acc66f 100644
--- a/ref/symmetric.h
+++ b/ref/symmetric.h
@@ -7,10 +7,10 @@
#include "fips202.h"
-typedef keccak_state xof_state;
+typedef shake128incctx xof_state;
#define kyber_shake128_absorb KYBER_NAMESPACE(kyber_shake128_absorb)
-void kyber_shake128_absorb(keccak_state *s,
+void kyber_shake128_absorb(shake128incctx *s,
const uint8_t seed[KYBER_SYMBYTES],
uint8_t x,
uint8_t y);
@@ -25,8 +25,10 @@ void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SY
#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
+#define xof_init(STATE, SEED) shake128_inc_init(STATE)
#define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y)
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define xof_release(STATE) shake128_inc_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
Reference in New Issue View Git Blame Copy Permalink