From 76e3b53c827d32eb62aeca05f668d8fa58467b5f Mon Sep 17 00:00:00 2001
From: Tiago Oliveira
Date: Fri, 9 Feb 2024 16:24:21 +0100
Subject: [PATCH] mlkem: update from https://github.com/formosa-crypto/hakyber/pull/22
---
 src/crypto_kem/mlkem/mlkem768/amd64/avx2/poly.jinc | 4 ----
 src/crypto_kem/mlkem/mlkem768/amd64/ref/fips202.jinc | 5 -----
 src/crypto_kem/mlkem/mlkem768/amd64/ref/indcpa.jinc | 10 ++++------
 src/crypto_kem/mlkem/mlkem768/amd64/ref/poly.jinc | 10 ----------
 src/crypto_kem/mlkem/mlkem768/amd64/ref/polyvec.jinc | 2 --
 src/crypto_kem/mlkem/mlkem768/amd64/ref/verify.jinc | 2 +-
 6 files changed, 5 insertions(+), 28 deletions(-)
diff --git a/src/crypto_kem/mlkem/mlkem768/amd64/avx2/poly.jinc b/src/crypto_kem/mlkem/mlkem768/amd64/avx2/poly.jinc
index 68ffa7a5..6e902b8c 100644
--- a/src/crypto_kem/mlkem/mlkem768/amd64/avx2/poly.jinc
+++ b/src/crypto_kem/mlkem/mlkem768/amd64/avx2/poly.jinc
@@ -318,7 +318,6 @@ fn _poly_decompress(reg ptr u16[MLKEM_N] rp, reg u64 ap) -> stack u16[MLKEM_N]
 for i=0 to MLKEM_N/16
 {
- // was patched in the context of Kyber: check https://github.com/formosa-crypto/libjade/commit/d05492d5eab67c86733b5e841d910bc353f1b38d
 h = (128u)(u64)[ap + 8*i];
 sh = h;
 f = #VPBROADCAST_2u128(sh);
@@ -889,7 +888,6 @@ fn _poly_invntt(reg ptr u16[MLKEM_N] rp) -> reg ptr u16[MLKEM_N]
 {
 reg u256 zeta0 zeta1 zeta2 zeta3 r0 r1 r2 r3 r4 r5 r6 r7 qx16 vx16 flox16 fhix16;
 reg ptr u16[400] zetasp;
- reg ptr u16[16] qx16p;
 inline int i;
 zetasp = jzetas_inv_exp;
@@ -1087,8 +1085,6 @@ fn __butterfly64x(reg u256 rl0 rl1 rl2 rl3 rh0 rh1 rh2 rh3 zl0 zl1 zh0 zh1 qx16)
 fn _poly_ntt(reg ptr u16[MLKEM_N] rp) -> reg ptr u16[MLKEM_N]
 {
 reg u256 zeta0 zeta1 zeta2 zeta3 r0 r1 r2 r3 r4 r5 r6 r7 qx16 vx16;
- reg u32 t;
- reg u16 w;
 reg ptr u16[400] zetasp;
 inline int i;
diff --git a/src/crypto_kem/mlkem/mlkem768/amd64/ref/fips202.jinc b/src/crypto_kem/mlkem/mlkem768/amd64/ref/fips202.jinc
index 71a2adb4..0ca1e83a 100644
--- a/src/crypto_kem/mlkem/mlkem768/amd64/ref/fips202.jinc
+++ b/src/crypto_kem/mlkem/mlkem768/amd64/ref/fips202.jinc
@@ -3,10 +3,6 @@ param int SHAKE256_RATE = 136;
 param int SHA3_256_RATE = 136;
 param int SHA3_512_RATE = 72;
-param int SHAKE128_RATE = 168;
-param int SHAKE256_RATE = 136;
-param int SHA3_512_RATE = 72;
-
 inline fn __index(inline int x, inline int y) -> inline int
 {
 inline int r;
@@ -148,7 +144,6 @@ u64[24] roundconstants = {0x0000000000000001, 0x0000000000008082, 0x800000000000
 fn __keccakf1600_ref(reg ptr u64[25] state) -> reg ptr u64[25]
 {
- inline int round;
 reg ptr u64[24] constptr;
 reg u64 rctr;
diff --git a/src/crypto_kem/mlkem/mlkem768/amd64/ref/indcpa.jinc b/src/crypto_kem/mlkem/mlkem768/amd64/ref/indcpa.jinc
index e90c3458..5e959a51 100644
--- a/src/crypto_kem/mlkem/mlkem768/amd64/ref/indcpa.jinc
+++ b/src/crypto_kem/mlkem/mlkem768/amd64/ref/indcpa.jinc
@@ -88,11 +88,10 @@ fn __indcpa_enc(stack u64 sctp, reg ptr u8[32] msgp, reg u64 pkp, reg ptr u8[MLK
 {
 stack u16[MLKEM_VECN] pkpv sp ep bp;
 stack u16[MLKEM_K*MLKEM_VECN] aat;
- stack u16[MLKEM_N] k poly epp v poly0 poly1 poly2;
+ stack u16[MLKEM_N] k epp v;
 stack u8[MLKEM_SYMBYTES] publicseed;
- reg u64 i j t64;
+ reg u64 i t64;
 reg u64 ctp;
- reg u16 t;
 reg u8 nonce;
 pkpv = __polyvec_frombytes(pkp);
@@ -156,10 +155,9 @@ fn __iindcpa_enc(reg ptr u8[MLKEM_CT_LEN] ctp, reg ptr u8[32] msgp, reg u64 pkp,
 {
 stack u16[MLKEM_VECN] pkpv sp ep bp;
 stack u16[MLKEM_K*MLKEM_VECN] aat;
- stack u16[MLKEM_N] k poly epp v poly0 poly1 poly2;
+ stack u16[MLKEM_N] k epp v;
 stack u8[MLKEM_SYMBYTES] publicseed;
- reg u64 i j t64;
- reg u16 t;
+ reg u64 i t64;
 reg u8 nonce;
 stack ptr u8[MLKEM_CT_LEN] sctp;
diff --git a/src/crypto_kem/mlkem/mlkem768/amd64/ref/poly.jinc b/src/crypto_kem/mlkem/mlkem768/amd64/ref/poly.jinc
index cd22db7c..dacf0a5b 100644
--- a/src/crypto_kem/mlkem/mlkem768/amd64/ref/poly.jinc
+++ b/src/crypto_kem/mlkem/mlkem768/amd64/ref/poly.jinc
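Review bot: The fips202.jinc hunk at `@@ -3,10 +3,6 @@` deletes the only `SHAKE128_RATE` declaration visible in this diff; the copy that is kept must sit on old lines 1–2 above the hunk (the header's context line is `param int SHAKE256_RATE = 136;`, which suggests the SHAKE128 line precedes it), but that is inferred rather than shown. Worth confirming before merge that `SHAKE128_RATE` is still declared exactly once with the value 168, since the removed duplicates were the ones carrying the value in this view and a differing first copy would change the SHAKE128 absorb/squeeze rate without any further diff noise. The removed `SHAKE256_RATE` and `SHA3_512_RATE` lines visibly duplicate the retained context lines, so those two are safe on the evidence in the hunk.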
@@ -45,7 +45,6 @@ fn _poly_csubq(reg ptr u16[MLKEM_N] rp) -> reg ptr u16[MLKEM_N]
 fn _poly_basemul(reg ptr u16[MLKEM_N] rp, reg const ptr u16[MLKEM_N] ap bp) -> reg ptr u16[MLKEM_N]
 {
- reg u64 offset;
 reg u16 zeta;
 reg u16 r0;
 reg u16 r1;
@@ -293,7 +292,6 @@ fn _poly_frommsg(reg ptr u16[MLKEM_N] rp, reg u64 ap) -> stack u16[MLKEM_N]
 reg u8 c;
 reg u16 t;
 inline int i;
- inline int j;
 for i = 0 to 32
 {
@@ -356,7 +354,6 @@ fn _i_poly_frommsg(reg ptr u16[MLKEM_N] rp, reg ptr u8[32] ap) -> stack u16[MLKE
 reg u8 c;
 reg u16 t;
 inline int i;
- inline int j;
 for i = 0 to 32
 {
@@ -417,7 +414,6 @@ fn _poly_getnoise(reg ptr u16[MLKEM_N] rp, reg ptr u8[MLKEM_SYMBYTES] seed, reg
 {
 stack u8[33] extseed; /* 33 = MLKEM_SYMBYTES +1 */
 stack u8[128] buf; /* 128 = MLKEM_ETA*MLKEM_N/4 */
- reg u64 outlen;
 reg u8 c,a,b;
 reg u16 t;
 reg u64 i;
@@ -499,11 +495,9 @@ fn _poly_invntt(reg ptr u16[MLKEM_N] rp) -> reg ptr u16[MLKEM_N]
 zetasctr += 1;
 j = start;
- //cmp = #LEA(start + len);
 cmp = start; cmp += len;
 while (j < cmp) {
- //offset = #LEA(j + len);
 offset = j; offset += len;
 s = rp[(int)offset];
 t = rp[(int)j];
@@ -515,7 +509,6 @@ fn _poly_invntt(reg ptr u16[MLKEM_N] rp) -> reg ptr u16[MLKEM_N]
 rp[(int)offset] = t;
 j += 1;
 }
- //start = #LEA(j + len);
 start = j; start += len;
 }
 len <<= 1;
@@ -560,11 +553,9 @@ fn _poly_ntt(reg ptr u16[MLKEM_N] rp) -> reg ptr u16[MLKEM_N]
 zetasctr += 1;
 zeta = zetasp[(int)zetasctr];
 j = start;
- // cmp = #LEA(start + len);
 cmp = start; cmp += len;
 while (j < cmp) {
- //offset = #LEA(j + len);
 offset = j; offset += len;
 t = rp[(int)offset];
 t = __fqmul(t, zeta);
@@ -576,7 +567,6 @@ fn _poly_ntt(reg ptr u16[MLKEM_N] rp) -> reg ptr u16[MLKEM_N]
 rp[(int)j] = t;
 j += 1;
 }
- //start = #LEA(j + len);
 start = j; start += len;
 }
 len >>= 1;
diff --git a/src/crypto_kem/mlkem/mlkem768/amd64/ref/polyvec.jinc b/src/crypto_kem/mlkem/mlkem768/amd64/ref/polyvec.jinc
index 493d388a..a7fdef52 100644
--- a/src/crypto_kem/mlkem/mlkem768/amd64/ref/polyvec.jinc
+++ b/src/crypto_kem/mlkem/mlkem768/amd64/ref/polyvec.jinc
@@ -26,7 +26,6 @@ fn __polyvec_compress(reg u64 rp, stack u16[MLKEM_VECN] a)
 {
 stack u16[MLKEM_VECN] aa;
 reg u16 c, b;
- reg u16 d;
 reg u64[4] t;
 reg u64 i j;
 inline int k;
@@ -90,7 +89,6 @@ fn __i_polyvec_compress(reg ptr u8[MLKEM_POLYVECCOMPRESSEDBYTES] rp, stack u16[M
 {
 stack u16[MLKEM_VECN] aa;
 reg u16 c, b;
- reg u16 d;
 reg u64[4] t;
 reg u64 i j;
 inline int k;
diff --git a/src/crypto_kem/mlkem/mlkem768/amd64/ref/verify.jinc b/src/crypto_kem/mlkem/mlkem768/amd64/ref/verify.jinc
index b0ad64f5..b15b14ed 100644
--- a/src/crypto_kem/mlkem/mlkem768/amd64/ref/verify.jinc
+++ b/src/crypto_kem/mlkem/mlkem768/amd64/ref/verify.jinc
@@ -27,7 +27,7 @@ fn __verify(reg u64 ctp, reg ptr u8[MLKEM_CT_LEN] ctpc) -> reg u64
 inline fn __cmov(reg u64 dst, reg ptr u8[MLKEM_SYMBYTES] src, reg u64 cnd)
 {
- reg u8 t1 t2 bcond;
+ reg u8 t1 t2;
 inline int i;
 cnd = -cnd;
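Review bot: `__cmov` in the verify.jinc hunk still carries no comment stating the precondition that the trailing context line `cnd = -cnd;` depends on: the negation only yields a usable all-zero / all-one select mask when `cnd` is exactly 0 or 1, and nothing in the hunk checks or documents that. The function body continues past the hunk, so how the mask is consumed is not visible here; a one-line comment above the signature such as `// cnd must be exactly 0 or 1: -cnd turns it into the 0x00..00 / 0xff..ff mask used to select between dst and src` would pin the contract that `__verify` (named in the hunk header) has to uphold. Dropping `bcond` from the declaration is fine provided no remaining line of the body, which is outside this hunk, still references it.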