update frodo976shake accordingly

formosa-crypto · Jul 3, 2024 · 5ff8d90 · 5ff8d90
1 parent a51c1c6
commit 5ff8d90
Show file tree

Hide file tree

Showing 6 changed files with 256 additions and 245 deletions.
diff --git a/src/crypto_kem/frodo/common/amd64/ref/shake128_opt.jinc b/src/crypto_kem/frodo/common/amd64/ref/shake128_opt.jinc
@@ -268,7 +268,7 @@ fn __shake128_pkh_opt(
   return out;
 }
 
-fn __shake128_SE_k_opt2(
+fn __shake128_SE_k_opt(
   #spill_to_mmx reg ptr u8[BYTES_SEED_SE + BYTES_SEC] out,
   #spill_to_mmx reg const ptr u8[2 * BYTES_SEC + BYTES_SALT] in) 
 -> reg ptr u8[BYTES_SEED_SE + BYTES_SEC] {
@@ -319,58 +319,6 @@ fn __shake128_SE_k_opt2(
 }
 
 
-fn __shake128_SE_k_opt(
-  #spill_to_mmx reg ptr u8[1 + BYTES_SEED_SE + BYTES_SEC] out,
-  #spill_to_mmx reg const ptr u8[2 * BYTES_SEC + BYTES_SALT] in) 
--> reg ptr u8[1 + BYTES_SEED_SE + BYTES_SEC] {
-  #spill_to_mmx reg u64 i;
-
-  stack u64[25] s_state;
-  reg ptr u64[25] state;
-  reg u64 offset t0 zero;
-  inline int INLEN OUTLEN;
-
-  INLEN = 2 * BYTES_SEC + BYTES_SALT;
-  OUTLEN = BYTES_SEED_SE + BYTES_SEC;
-
-  state = s_state;
-
-  i = 0;
-  while (i < INLEN/8) {
-    t0 = in[u64 i];
-    state[i] = t0;
-
-    i += 1;
-  }
-  ?{}, zero = #set0();
-
-  i = INLEN/8;
-  while (i < 25) {
-    state[i] = zero;
-    i += 1;
-  }
-
-  state[u8 INLEN] = 0x1f;
-  state[u8 SHAKE128_RATE-1] = 0x80;
-
-  () = #spill(out);
-
-  state = __keccakf1600_ref1(state);
-
-  () = #unspill(out);
-
-  i = 0;
-  while (i < OUTLEN/8) {
-    t0 = state[u64 i];
-    offset = #LEA(1+8*i);
-    out.[u64 offset] = t0;
-
-    i += 1;
-  }
-
-  return out;
-}
-
 fn __shake128_encap_r_opt(
   #spill_to_mmx reg ptr u8[2 * (2 * NNBAR + NBAR * NBAR)] out,
   #spill_to_mmx reg const ptr u8[1 + BYTES_SEED_SE] in) 

diff --git a/src/crypto_kem/frodo/common/amd64/ref/shake256_opt.jinc b/src/crypto_kem/frodo/common/amd64/ref/shake256_opt.jinc
@@ -89,11 +89,11 @@ fn __shake256_r_opt(
 
   i = 0;
   while (i < OUTRND * SHAKE256_RATE/8) {
-    () = #spill(i, out);
+    () = #spill(i, j, out);
 
     state = __keccakf1600_ref1(state);
 
-    () = #unspill(i, out);
+    () = #unspill(i, j, out);
 
     j = 0;
     while (j < SHAKE256_RATE/8) {
@@ -107,11 +107,11 @@ fn __shake256_r_opt(
     i += SHAKE256_RATE/8;
   }
 
-  () = #spill(i, out);
+  () = #spill(i, j, out);
 
   state = __keccakf1600_ref1(state);
 
-  () = #unspill(i, out);
+  () = #unspill(i, j, out);
 
   i = 0;
   while (i < (OUTLEN % SHAKE256_RATE) / 8) {
@@ -196,14 +196,14 @@ fn __shake256_pkh_opt(
 }
 
 fn __shake256_SE_k_opt(
-  #spill_to_mmx reg ptr u8[1 + BYTES_SEED_SE + BYTES_SEC] out,
+  #spill_to_mmx reg ptr u8[BYTES_SEED_SE + BYTES_SEC] out,
   #spill_to_mmx reg const ptr u8[2 * BYTES_SEC + BYTES_SALT] in) 
--> reg ptr u8[1 + BYTES_SEED_SE + BYTES_SEC] {
+-> reg ptr u8[BYTES_SEED_SE + BYTES_SEC] {
   #spill_to_mmx reg u64 i;
 
   stack u64[25] s_state;
   reg ptr u64[25] state;
-  reg u64 offset t0 zero;
+  reg u64 t0 zero;
   inline int INLEN OUTLEN;
 
   INLEN = 2 * BYTES_SEC + BYTES_SALT;
@@ -238,8 +238,7 @@ fn __shake256_SE_k_opt(
   i = 0;
   while (i < OUTLEN/8) {
     t0 = state[u64 i];
-    offset = #LEA(1+8*i);
-    out.[u64 offset] = t0;
+    out[u64 i] = t0;
 
     i += 1;
   }

diff --git a/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jinc b/src/crypto_kem/frodo/frodo640shake/amd64/ref/kem.jinc
@@ -121,7 +121,7 @@ fn __frodo_amd64_ref_enc_derand(
     pkh_u_salt[0:BYTES_SEC] = __shake128_pkh_opt(pkh_u_salt[0:BYTES_SEC], pk);
 
     // seedSE || k
-    seedSE_k = __shake128_SE_k_opt2(seedSE_k, pkh_u_salt);
+    seedSE_k = __shake128_SE_k_opt(seedSE_k, pkh_u_salt);
 
     () = #unspill(coins);
     ct_k[0:BYTES_CT - BYTES_SALT] = __indcpa_enc_derand(ct_k[0:BYTES_CT - BYTES_SALT], coins[0:BYTES_SEC], pk, seedSE_k[0:BYTES_SEED_SE]);
@@ -217,7 +217,7 @@ fn _frodo_amd64_ref_dec(reg u64 ssp ctp skp) {
     pkh_u_salt[BYTES_SEC:BYTES_SEC] = __indcpa_dec(pkh_u_salt[BYTES_SEC:BYTES_SEC], ct_k[0:BYTES_CT - BYTES_SALT], ST);
 
     () = #spill(ssp);
-    seedSE_k = __shake128_SE_k_opt2(seedSE_k, pkh_u_salt);
+    seedSE_k = __shake128_SE_k_opt(seedSE_k, pkh_u_salt);
     ct2 = __indcpa_enc_derand(ct2, pkh_u_salt[BYTES_SEC:BYTES_SEC], pk, seedSE_k[0:BYTES_SEED_SE]);
 
     s1 = __ct_verify(ct_k[0:BYTES_CT - BYTES_SALT], ct2);

diff --git a/src/crypto_kem/frodo/frodo976shake/amd64/ref/indcpa.jinc b/src/crypto_kem/frodo/frodo976shake/amd64/ref/indcpa.jinc
@@ -0,0 +1,126 @@
+inline
+fn __indcpa_keypair_derand(
+  #spill_to_mmx reg ptr u8[BYTES_SEED_A + BYTES_SEED_SE] coins
+) -> stack u8[BYTES_PK], stack u8[2*NNBAR] {
+    stack u8[BYTES_PK] pk; // seedA || b
+    stack u8[2*NNBAR] sk; // S_T
+    stack u16[2 * NNBAR] SE;
+    stack u16[NNBAR] B;
+
+    reg u64 i t;
+
+    i = 0;
+    while (i < BYTES_SEED_A/8) {
+        t = coins[u64 i];
+        pk[u64 i] = t;
+        i += 1;
+    }
+
+    () = #spill(coins);
+    // gen S || E
+    SE = __shake256_r_opt(SE, coins[BYTES_SEED_A:BYTES_SEED_SE]);
+
+    SE = __sample_2NNBAR(SE);
+
+    // B = A*S+E
+    B = __AS_plus_E_opt(B, pk[0:BYTES_SEED_A], SE[0:NNBAR], SE[NNBAR:NNBAR]);
+
+    // pack
+    pk[BYTES_SEED_A:D * N] = __pack_B(pk[BYTES_SEED_A:D * N], B);
+
+    i = 0;
+    while (i < 2 * NNBAR / 8) {
+        t = SE[u64 i];
+        sk[u64 i] = t;
+        i += 1;
+    }
+
+    return pk, sk;
+}
+
+inline
+fn __indcpa_enc_derand(
+  #spill_to_mmx reg ptr u8[BYTES_CT - BYTES_SALT] ct,
+  #spill_to_mmx reg ptr u8[BYTES_SEC] u,
+  #spill_to_mmx reg ptr u8[BYTES_PK] pk,
+  #spill_to_mmx reg ptr u8[BYTES_SEED_SE] coins
+) -> reg ptr u8[BYTES_CT - BYTES_SALT] {
+    reg u64 i t;
+
+    // 0x96 || seed_SE
+    stack u8[1 + BYTES_SEED_SE] seedSE;
+    seedSE[0] = 0x96;
+
+    // S' || E' || E''
+    stack u16[2 * NNBAR + NBAR * NBAR] SEE;
+    stack u16[NNBAR] B;
+    reg ptr u16[NNBAR] Bp;
+    stack u16[NBAR * NBAR] C;
+    reg ptr u16[NBAR * NBAR] V;
+
+    // stack u8[BYTES_CT - BYTES_SALT] ct;
+
+    i = 0;
+    while (i < BYTES_SEED_SE/8) {
+        t = coins[u64 i];
+        seedSE.[u64 1 + 8*i] = t;
+        i += 1;
+    }
+
+    // B <- Unpack(b)
+    B = __unpack_B(B, pk[BYTES_SEED_A:D * N]);
+    C = __encode(C, u);
+
+    () = #spill(ct, u, pk, coins);
+
+    // gen input bit string for sampling S and E
+    SEE = __shake256_encap_r_opt(SEE, seedSE);
+
+    // S' || E'
+    SEE[0:2 * NNBAR] = __sample_2NNBAR(SEE[0:2 * NNBAR]);
+    // E''
+    SEE[NNBAR * 2:NBAR * NBAR] = __sample_NBAR2(SEE[NNBAR * 2:NBAR * NBAR]);
+
+    // B' = S'A + E''
+    Bp = SEE[NNBAR:NNBAR];
+
+    () = #unspill(pk);
+    Bp = __SA_plus_E_opt(Bp, pk[0:BYTES_SEED_A], SEE[0:NNBAR]);
+
+    // V = S'B + E''
+    V = SEE[NNBAR*2:NBAR*NBAR];
+    V = __SB_plus_E_opt(V, SEE[0:NNBAR], B);
+
+    // C = V + Encode(u)
+    C = __matrix_add(C, V);
+
+    // c1 <- Pack(B')
+    () = #unspill(ct);
+    ct[0:D * N] = __pack_B(ct[0:D * N], Bp);
+    // c2 <- Pack(C)
+    ct[D * N: D * NBAR] = __pack_C(ct[D * N: D * NBAR], C);
+
+    return ct;
+}
+
+inline
+fn __indcpa_dec(
+  #spill_to_mmx reg ptr u8[BYTES_SEC] pt,
+  #spill_to_mmx reg ptr u8[BYTES_CT - BYTES_SALT] ct,
+  #spill_to_mmx reg ptr u8[2*NNBAR] sk
+) -> reg ptr u8[BYTES_SEC] {
+    stack u16[NNBAR] Bp;
+    stack u16[NBAR * NBAR] M C;
+
+    // B' <- Unpack(c1)
+    Bp = __unpack_B(Bp, ct[0:D * N]);
+    // C <- Unpack(c2)
+    C = __unpack_C(C, ct[D * N:D * NBAR]);
+
+    // M = C - B'S
+    M = __mul_BS_opt(M, Bp, sk);
+    M = __matrix_sub(M, C);
+    pt = __decode(pt, M);
+
+    return pt;
+}
diff --git a/src/crypto_kem/frodo/frodo976shake/amd64/ref/kem.jazz b/src/crypto_kem/frodo/frodo976shake/amd64/ref/kem.jazz
@@ -1,36 +1,41 @@
 from Jade require "crypto_kem/frodo/common/frodo976_params.jinc"
 from Jade require "crypto_kem/frodo/frodo976shake/amd64/ref/kem.jinc"
 
-export fn jade_kem_frodo_frodo976shake_amd64_ref_keypair_derand(#public reg u64 pkp skp coinsp) -> #public reg u64 {
+export fn jade_kem_frodo_frodo976shake_amd64_ref_keypair_derand(reg u64 pkp skp coinsp) -> reg u64 {
     reg u64 r;
+    _ = #init_msf();
     _frodo_amd64_ref_keypair_derand(pkp, skp, coinsp);
     ?{}, r = #set0();
     return r;
 }
 
-export fn jade_kem_frodo_frodo976shake_amd64_ref_keypair(#public reg u64 pkp skp) -> #public reg u64 {
+export fn jade_kem_frodo_frodo976shake_amd64_ref_keypair(reg u64 pkp skp) -> reg u64 {
     reg u64 r;
+    _ = #init_msf();
     _frodo_amd64_ref_keypair(pkp, skp);
     ?{}, r = #set0();
     return r;
 }
 
-export fn jade_kem_frodo_frodo976shake_amd64_ref_enc_derand(#public reg u64 ctp ssp pkp coinsp) -> #public reg u64 {
+export fn jade_kem_frodo_frodo976shake_amd64_ref_enc_derand(reg u64 ctp ssp pkp coinsp) -> reg u64 {
     reg u64 r;
+    _ = #init_msf();
     _frodo_amd64_ref_enc_derand(ctp, ssp, pkp, coinsp);
     ?{}, r = #set0();
     return r;
 }
 
-export fn jade_kem_frodo_frodo976shake_amd64_ref_enc(#public reg u64 ctp ssp pkp) -> #public reg u64 {
+export fn jade_kem_frodo_frodo976shake_amd64_ref_enc(reg u64 ctp ssp pkp) -> reg u64 {
     reg u64 r;
+    _ = #init_msf();
     _frodo_amd64_ref_enc(ctp, ssp, pkp);
     ?{}, r = #set0();
     return r;
 }
 
-export fn jade_kem_frodo_frodo976shake_amd64_ref_dec(#public reg u64 ssp ctp skp) -> #public reg u64 {
+export fn jade_kem_frodo_frodo976shake_amd64_ref_dec(reg u64 ssp ctp skp) -> reg u64 {
     reg u64 r;
+    _ = #init_msf();
     _frodo_amd64_ref_dec(ssp, ctp, skp);
     ?{}, r = #set0();
     return r;