diff --git a/.CMake/alg_support.cmake b/.CMake/alg_support.cmake
index d89c7d6afa..70edd56fac 100644
--- a/.CMake/alg_support.cmake
+++ b/.CMake/alg_support.cmake
@@ -205,16 +205,6 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCT
endif()
endif()
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if((OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS)))
-if(((CMAKE_C_COMPILER_ID STREQUAL "GNU") AND (CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((CMAKE_CXX_COMPILER_ID STREQUAL "GNU") AND (CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((NOT (CMAKE_C_COMPILER_ID STREQUAL "GNU")) AND (NOT (CMAKE_CXX_COMPILER_ID STREQUAL "GNU"))))
- cmake_dependent_option(OQS_ENABLE_KEM_kyber_512_aarch64 "" ON "OQS_ENABLE_KEM_kyber_512" OFF)
-else()
- message(WARNING " ARM optimizations are not fully supported on this compiler version.")
-endif()
-endif()
-endif()
-
cmake_dependent_option(OQS_ENABLE_KEM_kyber_768 "" ON "OQS_ENABLE_KEM_KYBER" OFF)
if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
@@ -222,16 +212,6 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCT
endif()
endif()
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if((OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS)))
-if(((CMAKE_C_COMPILER_ID STREQUAL "GNU") AND (CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((CMAKE_CXX_COMPILER_ID STREQUAL "GNU") AND (CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((NOT (CMAKE_C_COMPILER_ID STREQUAL "GNU")) AND (NOT (CMAKE_CXX_COMPILER_ID STREQUAL "GNU"))))
- cmake_dependent_option(OQS_ENABLE_KEM_kyber_768_aarch64 "" ON "OQS_ENABLE_KEM_kyber_768" OFF)
-else()
- message(WARNING " ARM optimizations are not fully supported on this compiler version.")
-endif()
-endif()
-endif()
-
cmake_dependent_option(OQS_ENABLE_KEM_kyber_1024 "" ON "OQS_ENABLE_KEM_KYBER" OFF)
if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
@@ -239,16 +219,6 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCT
endif()
endif()
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if((OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS)))
-if(((CMAKE_C_COMPILER_ID STREQUAL "GNU") AND (CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((CMAKE_CXX_COMPILER_ID STREQUAL "GNU") AND (CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((NOT (CMAKE_C_COMPILER_ID STREQUAL "GNU")) AND (NOT (CMAKE_CXX_COMPILER_ID STREQUAL "GNU"))))
- cmake_dependent_option(OQS_ENABLE_KEM_kyber_1024_aarch64 "" ON "OQS_ENABLE_KEM_kyber_1024" OFF)
-else()
- message(WARNING " ARM optimizations are not fully supported on this compiler version.")
-endif()
-endif()
-endif()
-
option(OQS_ENABLE_SIG_DILITHIUM "Enable dilithium algorithm family" ON)
cmake_dependent_option(OQS_ENABLE_SIG_dilithium_2 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
@@ -258,12 +228,6 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRU
endif()
endif()
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
- cmake_dependent_option(OQS_ENABLE_SIG_dilithium_2_aarch64 "" ON "OQS_ENABLE_SIG_dilithium_2" OFF)
-endif()
-endif()
-
cmake_dependent_option(OQS_ENABLE_SIG_dilithium_3 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
@@ -271,12 +235,6 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRU
endif()
endif()
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
- cmake_dependent_option(OQS_ENABLE_SIG_dilithium_3_aarch64 "" ON "OQS_ENABLE_SIG_dilithium_3" OFF)
-endif()
-endif()
-
cmake_dependent_option(OQS_ENABLE_SIG_dilithium_5 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
@@ -284,12 +242,6 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRU
endif()
endif()
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
- cmake_dependent_option(OQS_ENABLE_SIG_dilithium_5_aarch64 "" ON "OQS_ENABLE_SIG_dilithium_5" OFF)
-endif()
-endif()
-
option(OQS_ENABLE_SIG_FALCON "Enable falcon algorithm family" ON)
cmake_dependent_option(OQS_ENABLE_SIG_falcon_512 "" ON "OQS_ENABLE_SIG_FALCON" OFF)
diff --git a/docs/algorithms/kem/kyber.md b/docs/algorithms/kem/kyber.md
index 3f7d1b91ed..6b65fce5f1 100644
--- a/docs/algorithms/kem/kyber.md
+++ b/docs/algorithms/kem/kyber.md
@@ -5,14 +5,10 @@
- **Principal submitters**: Peter Schwabe.
- **Auxiliary submitters**: Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Gregor Seiler, Damien Stehlé.
- **Authors' website**: https://pq-crystals.org/
-- **Specification version**: NIST Round 3 submission.
+- **Specification version**: pq-crystals 20230726.
- **Primary Source**:
- - **Source**: https://github.com/pq-crystals/kyber/commit/518de2414a85052bb91349bcbcc347f391292d5b with copy_from_upstream patches
+ - **Source**: https://github.com/bhess/kyber/commit/0bf4adf5a0a93d7ff51b89fac228d0f65e148fea with copy_from_upstream patches
- **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
-- **Optimized Implementation sources**: https://github.com/pq-crystals/kyber/commit/518de2414a85052bb91349bcbcc347f391292d5b with copy_from_upstream patches
- - **pqclean-aarch64**:
- - **Source**: https://github.com/PQClean/PQClean/commit/c3abebf4ab1ff516ffa71e6337f06d898952c299 with copy_from_upstream patches
- - **Implementation license (SPDX-Identifier)**: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT) and MIT
## Parameter set summary
@@ -25,11 +21,10 @@
## Kyber512 implementation characteristics
-| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ |
-|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
-| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
-| [Primary Source](#primary-source) | avx2 | x86\_64 | Linux,Darwin | AVX2,BMI2,POPCNT | True | True | False |
-| [pqclean-aarch64](#pqclean-aarch64) | aarch64 | ARM64\_V8 | Linux,Darwin | None | True | False | False |
+| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
+| [Primary Source](#primary-source) | avx2 | x86\_64 | Linux,Darwin | AVX2,BMI2,POPCNT | True | True | False |
Are implementations chosen based on runtime CPU feature detection? **Yes**.
@@ -37,21 +32,19 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
## Kyber768 implementation characteristics
-| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
-|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
-| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
-| [Primary Source](#primary-source) | avx2 | x86\_64 | Linux,Darwin | AVX2,BMI2,POPCNT | True | True | False |
-| [pqclean-aarch64](#pqclean-aarch64) | aarch64 | ARM64\_V8 | Linux,Darwin | None | True | False | False |
+| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
+| [Primary Source](#primary-source) | avx2 | x86\_64 | Linux,Darwin | AVX2,BMI2,POPCNT | True | True | False |
Are implementations chosen based on runtime CPU feature detection? **Yes**.
## Kyber1024 implementation characteristics
-| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
-|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
-| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
-| [Primary Source](#primary-source) | avx2 | x86\_64 | Linux,Darwin | AVX2,BMI2,POPCNT | True | True | False |
-| [pqclean-aarch64](#pqclean-aarch64) | aarch64 | ARM64\_V8 | Linux,Darwin | None | True | False | False |
+| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
+| [Primary Source](#primary-source) | avx2 | x86\_64 | Linux,Darwin | AVX2,BMI2,POPCNT | True | True | False |
Are implementations chosen based on runtime CPU feature detection? **Yes**.
diff --git a/docs/algorithms/kem/kyber.yml b/docs/algorithms/kem/kyber.yml
index f5edb82f97..5724cd2a3b 100644
--- a/docs/algorithms/kem/kyber.yml
+++ b/docs/algorithms/kem/kyber.yml
@@ -14,18 +14,12 @@ auxiliary-submitters:
- Damien Stehlé
crypto-assumption: Module LWE+R with base ring Z[x]/(3329, x^256+1)
website: https://pq-crystals.org/
-nist-round: 3
-spec-version: NIST Round 3 submission
+nist-round: standard draft
+spec-version: pq-crystals 20230726
primary-upstream:
- source: https://github.com/pq-crystals/kyber/commit/518de2414a85052bb91349bcbcc347f391292d5b
+ source: https://github.com/bhess/kyber/commit/0bf4adf5a0a93d7ff51b89fac228d0f65e148fea
with copy_from_upstream patches
spdx-license-identifier: CC0-1.0 or Apache-2.0
-optimized-upstreams:
- pqclean-aarch64:
- source: https://github.com/PQClean/PQClean/commit/c3abebf4ab1ff516ffa71e6337f06d898952c299
- with copy_from_upstream patches
- spdx-license-identifier: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT)
- and MIT
parameter-sets:
- name: Kyber512
claimed-nist-level: 1
@@ -60,18 +54,6 @@ parameter-sets:
no-secret-dependent-branching-claimed: true
no-secret-dependent-branching-checked-by-valgrind: true
large-stack-usage: false
- - upstream: pqclean-aarch64
- upstream-id: aarch64
- supported-platforms:
- - architecture: ARM64_V8
- operating_systems:
- - Linux
- - Darwin
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: false
- large-stack-usage: false
- name: Kyber768
claimed-nist-level: 3
claimed-security: IND-CCA2
@@ -105,18 +87,6 @@ parameter-sets:
no-secret-dependent-branching-claimed: true
no-secret-dependent-branching-checked-by-valgrind: true
large-stack-usage: false
- - upstream: pqclean-aarch64
- upstream-id: aarch64
- supported-platforms:
- - architecture: ARM64_V8
- operating_systems:
- - Linux
- - Darwin
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: false
- large-stack-usage: false
- name: Kyber1024
claimed-nist-level: 5
claimed-security: IND-CCA2
@@ -150,15 +120,3 @@ parameter-sets:
no-secret-dependent-branching-claimed: true
no-secret-dependent-branching-checked-by-valgrind: true
large-stack-usage: false
- - upstream: pqclean-aarch64
- upstream-id: aarch64
- supported-platforms:
- - architecture: ARM64_V8
- operating_systems:
- - Linux
- - Darwin
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: false
- large-stack-usage: false
diff --git a/docs/algorithms/sig/dilithium.md b/docs/algorithms/sig/dilithium.md
index 93e1d8524a..b736bbfc89 100644
--- a/docs/algorithms/sig/dilithium.md
+++ b/docs/algorithms/sig/dilithium.md
@@ -5,31 +5,26 @@
- **Principal submitters**: Vadim Lyubashevsky.
- **Auxiliary submitters**: Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Peter Schwabe, Gregor Seiler, Damien Stehlé.
- **Authors' website**: https://pq-crystals.org/dilithium/
-- **Specification version**: 3.1.
+- **Specification version**: pq-crystals 20230825.
- **Primary Source**:
- - **Source**: https://github.com/pq-crystals/dilithium/commit/3e9b9f1412f6c7435dbeb4e10692ea58f181ee51 with copy_from_upstream patches
+ - **Source**: https://github.com/bhess/dilithium/commit/588562ac2cc777dfa407e34532d945b5f06b8ffd with copy_from_upstream patches
- **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
-- **Optimized Implementation sources**: https://github.com/pq-crystals/dilithium/commit/3e9b9f1412f6c7435dbeb4e10692ea58f181ee51 with copy_from_upstream patches
- - **pqclean-aarch64**:
- - **Source**: https://github.com/PQClean/PQClean/commit/c3abebf4ab1ff516ffa71e6337f06d898952c299 with copy_from_upstream patches
- - **Implementation license (SPDX-Identifier)**: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT) and MIT
## Parameter set summary
| Parameter set | Security model | Claimed NIST Level | Public key size (bytes) | Secret key size (bytes) | Signature size (bytes) |
|:---------------:|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
-| Dilithium2 | EUF-CMA | 2 | 1312 | 2528 | 2420 |
-| Dilithium3 | EUF-CMA | 3 | 1952 | 4000 | 3293 |
-| Dilithium5 | EUF-CMA | 5 | 2592 | 4864 | 4595 |
+| Dilithium2 | EUF-CMA | 2 | 1312 | 2560 | 2420 |
+| Dilithium3 | EUF-CMA | 3 | 1952 | 4032 | 3309 |
+| Dilithium5 | EUF-CMA | 5 | 2592 | 4896 | 4627 |
## Dilithium2 implementation characteristics
-| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ |
-|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
-| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
-| [Primary Source](#primary-source) | avx2 | x86\_64 | Darwin,Linux | AVX2,POPCNT | True | True | False |
-| [pqclean-aarch64](#pqclean-aarch64) | aarch64 | ARM64\_V8 | Linux,Darwin | None | True | False | False |
+| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
+| [Primary Source](#primary-source) | avx2 | x86\_64 | Darwin,Linux | AVX2,POPCNT | True | True | False |
Are implementations chosen based on runtime CPU feature detection? **Yes**.
@@ -37,21 +32,19 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
## Dilithium3 implementation characteristics
-| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
-|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
-| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
-| [Primary Source](#primary-source) | avx2 | x86\_64 | Darwin,Linux | AVX2,POPCNT | True | True | False |
-| [pqclean-aarch64](#pqclean-aarch64) | aarch64 | ARM64\_V8 | Linux,Darwin | None | True | False | False |
+| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
+| [Primary Source](#primary-source) | avx2 | x86\_64 | Darwin,Linux | AVX2,POPCNT | True | True | False |
Are implementations chosen based on runtime CPU feature detection? **Yes**.
## Dilithium5 implementation characteristics
-| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
-|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
-| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
-| [Primary Source](#primary-source) | avx2 | x86\_64 | Darwin,Linux | AVX2,POPCNT | True | True | False |
-| [pqclean-aarch64](#pqclean-aarch64) | aarch64 | ARM64\_V8 | Linux,Darwin | None | True | False | False |
+| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
+| [Primary Source](#primary-source) | avx2 | x86\_64 | Darwin,Linux | AVX2,POPCNT | True | True | False |
Are implementations chosen based on runtime CPU feature detection? **Yes**.
diff --git a/docs/algorithms/sig/dilithium.yml b/docs/algorithms/sig/dilithium.yml
index 7cec2ffbbe..78b9ec884c 100644
--- a/docs/algorithms/sig/dilithium.yml
+++ b/docs/algorithms/sig/dilithium.yml
@@ -12,25 +12,19 @@ auxiliary-submitters:
- Damien Stehlé
crypto-assumption: hardness of lattice problems over module lattices
website: https://pq-crystals.org/dilithium/
-nist-round: 3
-spec-version: 3.1
+nist-round: standard draft
+spec-version: pq-crystals 20230825
primary-upstream:
- source: https://github.com/pq-crystals/dilithium/commit/3e9b9f1412f6c7435dbeb4e10692ea58f181ee51
+ source: https://github.com/bhess/dilithium/commit/588562ac2cc777dfa407e34532d945b5f06b8ffd
with copy_from_upstream patches
spdx-license-identifier: CC0-1.0 or Apache-2.0
-optimized-upstreams:
- pqclean-aarch64:
- source: https://github.com/PQClean/PQClean/commit/c3abebf4ab1ff516ffa71e6337f06d898952c299
- with copy_from_upstream patches
- spdx-license-identifier: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT)
- and MIT
parameter-sets:
- name: Dilithium2
oqs_alg: OQS_SIG_alg_dilithium_2
claimed-nist-level: 2
claimed-security: EUF-CMA
length-public-key: 1312
- length-secret-key: 2528
+ length-secret-key: 2560
length-signature: 2420
implementations-switch-on-runtime-cpu-features: true
implementations:
@@ -57,25 +51,13 @@ parameter-sets:
no-secret-dependent-branching-claimed: true
no-secret-dependent-branching-checked-by-valgrind: true
large-stack-usage: false
- - upstream: pqclean-aarch64
- upstream-id: aarch64
- supported-platforms:
- - architecture: ARM64_V8
- operating_systems:
- - Linux
- - Darwin
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: false
- large-stack-usage: false
- name: Dilithium3
oqs_alg: OQS_SIG_alg_dilithium_3
claimed-nist-level: 3
claimed-security: EUF-CMA
length-public-key: 1952
- length-secret-key: 4000
- length-signature: 3293
+ length-secret-key: 4032
+ length-signature: 3309
implementations-switch-on-runtime-cpu-features: true
implementations:
- upstream: primary-upstream
@@ -101,25 +83,13 @@ parameter-sets:
no-secret-dependent-branching-claimed: true
no-secret-dependent-branching-checked-by-valgrind: true
large-stack-usage: false
- - upstream: pqclean-aarch64
- upstream-id: aarch64
- supported-platforms:
- - architecture: ARM64_V8
- operating_systems:
- - Linux
- - Darwin
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: false
- large-stack-usage: false
- name: Dilithium5
oqs_alg: OQS_SIG_alg_dilithium_5
claimed-nist-level: 5
claimed-security: EUF-CMA
length-public-key: 2592
- length-secret-key: 4864
- length-signature: 4595
+ length-secret-key: 4896
+ length-signature: 4627
implementations-switch-on-runtime-cpu-features: true
implementations:
- upstream: primary-upstream
@@ -145,15 +115,3 @@ parameter-sets:
no-secret-dependent-branching-claimed: true
no-secret-dependent-branching-checked-by-valgrind: true
large-stack-usage: false
- - upstream: pqclean-aarch64
- upstream-id: aarch64
- supported-platforms:
- - architecture: ARM64_V8
- operating_systems:
- - Linux
- - Darwin
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: false
- large-stack-usage: false
diff --git a/docs/cbom.json b/docs/cbom.json
index c207414336..87632d2e6b 100644
--- a/docs/cbom.json
+++ b/docs/cbom.json
@@ -1,23 +1,23 @@
{
"bomFormat": "CBOM",
"specVersion": "1.4-cbom-1.0",
- "serialNumber": "urn:uuid:76fbea76-f6a8-441a-9ad0-4f3df1b91d3c",
+ "serialNumber": "urn:uuid:59cc5324-3dea-44e3-976b-b498462d97af",
"version": 1,
"metadata": {
- "timestamp": "2023-05-16T14:01:59.927404",
+ "timestamp": "2023-08-30T16:20:15.423429",
"component": {
"type": "library",
- "bom-ref": "pkg:github/open-quantum-safe/liboqs@3052cb8e01343126bb7eb1de0c9b90f9b9230ed4",
+ "bom-ref": "pkg:github/open-quantum-safe/liboqs@28f32db2bdfe7efe39d7750a6505f21fc305de6a",
"name": "liboqs",
- "version": "3052cb8e01343126bb7eb1de0c9b90f9b9230ed4"
+ "version": "28f32db2bdfe7efe39d7750a6505f21fc305de6a"
}
},
"components": [
{
"type": "library",
- "bom-ref": "pkg:github/open-quantum-safe/liboqs@3052cb8e01343126bb7eb1de0c9b90f9b9230ed4",
+ "bom-ref": "pkg:github/open-quantum-safe/liboqs@28f32db2bdfe7efe39d7750a6505f21fc305de6a",
"name": "liboqs",
- "version": "3052cb8e01343126bb7eb1de0c9b90f9b9230ed4"
+ "version": "28f32db2bdfe7efe39d7750a6505f21fc305de6a"
},
{
"type": "crypto-asset",
@@ -879,26 +879,6 @@
"nistQuantumSecurityLevel": 1
}
},
- {
- "type": "crypto-asset",
- "bom-ref": "alg:Kyber512:armv8-a",
- "name": "Kyber",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "variant": "Kyber512",
- "primitive": "kem",
- "implementationLevel": "softwarePlainRam",
- "cryptoFunctions": [
- "keygen",
- "encapsulate",
- "decapsulate"
- ],
- "implementationPlatform": "armv8-a"
- },
- "nistQuantumSecurityLevel": 1
- }
- },
{
"type": "crypto-asset",
"bom-ref": "alg:Kyber768:generic",
@@ -939,26 +919,6 @@
"nistQuantumSecurityLevel": 3
}
},
- {
- "type": "crypto-asset",
- "bom-ref": "alg:Kyber768:armv8-a",
- "name": "Kyber",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "variant": "Kyber768",
- "primitive": "kem",
- "implementationLevel": "softwarePlainRam",
- "cryptoFunctions": [
- "keygen",
- "encapsulate",
- "decapsulate"
- ],
- "implementationPlatform": "armv8-a"
- },
- "nistQuantumSecurityLevel": 3
- }
- },
{
"type": "crypto-asset",
"bom-ref": "alg:Kyber1024:generic",
@@ -999,26 +959,6 @@
"nistQuantumSecurityLevel": 5
}
},
- {
- "type": "crypto-asset",
- "bom-ref": "alg:Kyber1024:armv8-a",
- "name": "Kyber",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "variant": "Kyber1024",
- "primitive": "kem",
- "implementationLevel": "softwarePlainRam",
- "cryptoFunctions": [
- "keygen",
- "encapsulate",
- "decapsulate"
- ],
- "implementationPlatform": "armv8-a"
- },
- "nistQuantumSecurityLevel": 5
- }
- },
{
"type": "crypto-asset",
"bom-ref": "alg:sntrup761:generic",
@@ -1099,26 +1039,6 @@
"nistQuantumSecurityLevel": 2
}
},
- {
- "type": "crypto-asset",
- "bom-ref": "alg:Dilithium2:armv8-a",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "variant": "Dilithium2",
- "primitive": "signature",
- "implementationLevel": "softwarePlainRam",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "implementationPlatform": "armv8-a"
- },
- "nistQuantumSecurityLevel": 2
- }
- },
{
"type": "crypto-asset",
"bom-ref": "alg:Dilithium3:generic",
@@ -1159,26 +1079,6 @@
"nistQuantumSecurityLevel": 3
}
},
- {
- "type": "crypto-asset",
- "bom-ref": "alg:Dilithium3:armv8-a",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "variant": "Dilithium3",
- "primitive": "signature",
- "implementationLevel": "softwarePlainRam",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "implementationPlatform": "armv8-a"
- },
- "nistQuantumSecurityLevel": 3
- }
- },
{
"type": "crypto-asset",
"bom-ref": "alg:Dilithium5:generic",
@@ -1219,26 +1119,6 @@
"nistQuantumSecurityLevel": 5
}
},
- {
- "type": "crypto-asset",
- "bom-ref": "alg:Dilithium5:armv8-a",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "variant": "Dilithium5",
- "primitive": "signature",
- "implementationLevel": "softwarePlainRam",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "implementationPlatform": "armv8-a"
- },
- "nistQuantumSecurityLevel": 5
- }
- },
{
"type": "crypto-asset",
"bom-ref": "alg:Falcon-512:generic",
@@ -1828,7 +1708,7 @@
],
"dependencies": [
{
- "ref": "pkg:github/open-quantum-safe/liboqs@3052cb8e01343126bb7eb1de0c9b90f9b9230ed4",
+ "ref": "pkg:github/open-quantum-safe/liboqs@28f32db2bdfe7efe39d7750a6505f21fc305de6a",
"dependsOn": [
"alg:BIKE-L1:x86_64",
"alg:BIKE-L3:x86_64",
@@ -1873,24 +1753,18 @@
"alg:HQC-256:x86_64",
"alg:Kyber512:generic",
"alg:Kyber512:x86_64",
- "alg:Kyber512:armv8-a",
"alg:Kyber768:generic",
"alg:Kyber768:x86_64",
- "alg:Kyber768:armv8-a",
"alg:Kyber1024:generic",
"alg:Kyber1024:x86_64",
- "alg:Kyber1024:armv8-a",
"alg:sntrup761:generic",
"alg:sntrup761:x86_64",
"alg:Dilithium2:generic",
"alg:Dilithium2:x86_64",
- "alg:Dilithium2:armv8-a",
"alg:Dilithium3:generic",
"alg:Dilithium3:x86_64",
- "alg:Dilithium3:armv8-a",
"alg:Dilithium5:generic",
"alg:Dilithium5:x86_64",
- "alg:Dilithium5:armv8-a",
"alg:Falcon-512:generic",
"alg:Falcon-512:x86_64",
"alg:Falcon-1024:generic",
@@ -2255,13 +2129,6 @@
],
"dependencyType": "uses"
},
- {
- "ref": "alg:Kyber512:armv8-a",
- "dependsOn": [
- "alg:sha3"
- ],
- "dependencyType": "uses"
- },
{
"ref": "alg:Kyber768:generic",
"dependsOn": [
@@ -2276,13 +2143,6 @@
],
"dependencyType": "uses"
},
- {
- "ref": "alg:Kyber768:armv8-a",
- "dependsOn": [
- "alg:sha3"
- ],
- "dependencyType": "uses"
- },
{
"ref": "alg:Kyber1024:generic",
"dependsOn": [
@@ -2297,13 +2157,6 @@
],
"dependencyType": "uses"
},
- {
- "ref": "alg:Kyber1024:armv8-a",
- "dependsOn": [
- "alg:sha3"
- ],
- "dependencyType": "uses"
- },
{
"ref": "alg:sntrup761:generic",
"dependsOn": [
@@ -2332,13 +2185,6 @@
],
"dependencyType": "uses"
},
- {
- "ref": "alg:Dilithium2:armv8-a",
- "dependsOn": [
- "alg:sha3"
- ],
- "dependencyType": "uses"
- },
{
"ref": "alg:Dilithium3:generic",
"dependsOn": [
@@ -2353,13 +2199,6 @@
],
"dependencyType": "uses"
},
- {
- "ref": "alg:Dilithium3:armv8-a",
- "dependsOn": [
- "alg:sha3"
- ],
- "dependencyType": "uses"
- },
{
"ref": "alg:Dilithium5:generic",
"dependsOn": [
@@ -2374,13 +2213,6 @@
],
"dependencyType": "uses"
},
- {
- "ref": "alg:Dilithium5:armv8-a",
- "dependsOn": [
- "alg:sha3"
- ],
- "dependencyType": "uses"
- },
{
"ref": "alg:Falcon-512:generic",
"dependsOn": [
diff --git a/scripts/copy_from_upstream/copy_from_upstream.yml b/scripts/copy_from_upstream/copy_from_upstream.yml
index d1e61f58ad..fb754ad7d1 100644
--- a/scripts/copy_from_upstream/copy_from_upstream.yml
+++ b/scripts/copy_from_upstream/copy_from_upstream.yml
@@ -8,24 +8,24 @@ upstreams:
sig_meta_path: 'crypto_sign/{pqclean_scheme}/META.yml'
kem_scheme_path: 'crypto_kem/{pqclean_scheme}'
sig_scheme_path: 'crypto_sign/{pqclean_scheme}'
- patches: [pqclean-sphincs.patch, pqclean-dilithium-arm-randomized-signing.patch, pqclean-dilithium-symbolnames.patch, pqclean-kyber-armneon-shake-fixes.patch, pqclean-kyber-armneon-768-1024-fixes.patch, pqclean-classicmceliece.patch]
+ patches: [pqclean-sphincs.patch, pqclean-classicmceliece.patch]
ignore: pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256f-simple_aarch64, pqclean_sphincs-shake-192s-simple_aarch64, pqclean_sphincs-shake-192f-simple_aarch64, pqclean_sphincs-shake-128s-simple_aarch64, pqclean_sphincs-shake-128f-simple_aarch64
-
name: pqcrystals-kyber
- git_url: https://github.com/pq-crystals/kyber.git
- git_branch: master
- git_commit: 518de2414a85052bb91349bcbcc347f391292d5b
+ git_url: https://github.com/bhess/kyber.git
+ git_branch: bhe-ymlupd
+ git_commit: 0bf4adf5a0a93d7ff51b89fac228d0f65e148fea
kem_meta_path: '{pretty_name_full}_META.yml'
kem_scheme_path: '.'
- patches: [pqcrystals-kyber-yml.patch, pqcrystals-kyber-ref-shake-aes.patch, pqcrystals-kyber-avx2-shake-aes.patch]
+ patches: [pqcrystals-kyber-yml.patch, pqcrystals-kyber-ref-shake.patch, pqcrystals-kyber-avx2-shake.patch]
-
name: pqcrystals-dilithium
- git_url: https://github.com/pq-crystals/dilithium.git
- git_branch: master
- git_commit: 3e9b9f1412f6c7435dbeb4e10692ea58f181ee51
+ git_url: https://github.com/bhess/dilithium.git
+ git_branch: bhe-standard-fixes
+ git_commit: 588562ac2cc777dfa407e34532d945b5f06b8ffd
sig_meta_path: '{pretty_name_full}_META.yml'
sig_scheme_path: '.'
- patches: [pqcrystals-dilithium-yml.patch, pqcrystals-dilithium-ref-shake-aes.patch, pqcrystals-dilithium-avx2-shake-aes.patch]
+ patches: [pqcrystals-dilithium-yml.patch, pqcrystals-dilithium-ref-shake.patch, pqcrystals-dilithium-avx2-shake.patch]
kems:
-
name: classic_mceliece
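Review bot: Both pqcrystals upstreams now resolve to a personal fork on a feature branch (`git_url: https://github.com/bhess/kyber.git` with `git_branch: bhe-ymlupd`, and `https://github.com/bhess/dilithium.git` with `git_branch: bhe-standard-fixes`) instead of the pq-crystals organisation repositories they replaced. The pinned `git_commit` values are what actually fix the fetched tree, so the import stays reproducible, but nothing in the file says the fork is temporary; a comment above each `git_url`, such as `# TEMPORARY: fork of pq-crystals/<repo> carrying the 'standard' changes; repoint to pq-crystals and re-pin once merged upstream`, would make the intent visible to whoever runs copy_from_upstream next. The version strings this commit writes into the generated sources still name the pq-crystals repository, so the recorded provenance and the source actually fetched currently disagree.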
@@ -92,11 +92,7 @@ kems:
-
name: kyber
default_implementation: ref
- arch_specific_implementations:
- aarch64: aarch64
upstream_location: pqcrystals-kyber
- arch_specific_upstream_locations:
- aarch64: pqclean
schemes:
-
scheme: "512"
@@ -115,10 +111,6 @@ sigs:
name: dilithium
default_implementation: ref
upstream_location: pqcrystals-dilithium
- arch_specific_implementations:
- aarch64: aarch64
- arch_specific_upstream_locations:
- aarch64: pqclean
schemes:
-
scheme: "2"
diff --git a/scripts/copy_from_upstream/patches/pqcrystals-dilithium-avx2-shake-aes.patch b/scripts/copy_from_upstream/patches/pqcrystals-dilithium-avx2-shake.patch
similarity index 50%
rename from scripts/copy_from_upstream/patches/pqcrystals-dilithium-avx2-shake-aes.patch
rename to scripts/copy_from_upstream/patches/pqcrystals-dilithium-avx2-shake.patch
index ec5ab959d2..bb166e1a0f 100644
--- a/scripts/copy_from_upstream/patches/pqcrystals-dilithium-avx2-shake-aes.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-dilithium-avx2-shake.patch
@@ -1,17 +1,16 @@
-3a2763b7448b2d9e2fd3ba7b5b96636806c3c96c
diff --git a/avx2/poly.c b/avx2/poly.c
-index 0e9e988..bb268fd 100644
+index c1b21c1..25d3682 100644
--- a/avx2/poly.c
+++ b/avx2/poly.c
-@@ -403,6 +403,7 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
+@@ -401,6 +401,7 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
stream128_state state;
stream128_init(&state, seed, nonce);
poly_uniform_preinit(a, &state);
+ stream128_release(&state);
}
- #ifndef DILITHIUM_USE_AES
-@@ -418,7 +419,7 @@ void poly_uniform_4x(poly *a0,
+ void poly_uniform_4x(poly *a0,
+@@ -415,7 +416,7 @@ void poly_uniform_4x(poly *a0,
{
unsigned int ctr0, ctr1, ctr2, ctr3;
ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4];
@@ -20,7 +19,7 @@ index 0e9e988..bb268fd 100644
__m256i f;
f = _mm256_loadu_si256((__m256i *)seed);
-@@ -436,6 +437,7 @@ void poly_uniform_4x(poly *a0,
+@@ -433,6 +434,7 @@ void poly_uniform_4x(poly *a0,
buf[3].coeffs[SEEDBYTES+0] = nonce3;
buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8;
@@ -28,23 +27,23 @@ index 0e9e988..bb268fd 100644
shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state);
-@@ -452,6 +454,7 @@ void poly_uniform_4x(poly *a0,
+@@ -449,6 +451,7 @@ void poly_uniform_4x(poly *a0,
ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
}
+ shake128x4_inc_ctx_release(&state);
}
- #endif
-@@ -535,6 +538,7 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
+ /*************************************************
+@@ -530,6 +533,7 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
stream256_state state;
stream256_init(&state, seed, nonce);
poly_uniform_eta_preinit(a, &state);
+ stream256_release(&state);
}
- #ifndef DILITHIUM_USE_AES
-@@ -552,7 +556,7 @@ void poly_uniform_eta_4x(poly *a0,
+ void poly_uniform_eta_4x(poly *a0,
+@@ -546,7 +550,7 @@ void poly_uniform_eta_4x(poly *a0,
ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4];
__m256i f;
@@ -53,7 +52,7 @@ index 0e9e988..bb268fd 100644
f = _mm256_loadu_si256((__m256i *)&seed[0]);
_mm256_store_si256(&buf[0].vec[0],f);
-@@ -574,6 +578,7 @@ void poly_uniform_eta_4x(poly *a0,
+@@ -568,6 +572,7 @@ void poly_uniform_eta_4x(poly *a0,
buf[3].coeffs[64] = nonce3;
buf[3].coeffs[65] = nonce3 >> 8;
@@ -61,23 +60,23 @@ index 0e9e988..bb268fd 100644
shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
-@@ -590,6 +595,7 @@ void poly_uniform_eta_4x(poly *a0,
+@@ -584,6 +589,7 @@ void poly_uniform_eta_4x(poly *a0,
ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
}
+ shake256x4_inc_ctx_release(&state);
}
- #endif
-@@ -618,6 +624,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
+ /*************************************************
+@@ -611,6 +617,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
stream256_state state;
stream256_init(&state, seed, nonce);
poly_uniform_gamma1_preinit(a, &state);
+ stream256_release(&state);
}
- #ifndef DILITHIUM_USE_AES
-@@ -632,7 +639,7 @@ void poly_uniform_gamma1_4x(poly *a0,
+ void poly_uniform_gamma1_4x(poly *a0,
+@@ -624,7 +631,7 @@ void poly_uniform_gamma1_4x(poly *a0,
uint16_t nonce3)
{
ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4];
@@ -86,7 +85,7 @@ index 0e9e988..bb268fd 100644
__m256i f;
f = _mm256_loadu_si256((__m256i *)&seed[0]);
-@@ -655,8 +662,10 @@ void poly_uniform_gamma1_4x(poly *a0,
+@@ -647,8 +654,10 @@ void poly_uniform_gamma1_4x(poly *a0,
buf[3].coeffs[64] = nonce3;
buf[3].coeffs[65] = nonce3 >> 8;
@@ -97,7 +96,7 @@ index 0e9e988..bb268fd 100644
polyz_unpack(a0, buf[0].coeffs);
polyz_unpack(a1, buf[1].coeffs);
-@@ -679,12 +688,12 @@ void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
+@@ -670,12 +679,12 @@ void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
unsigned int i, b, pos;
uint64_t signs;
ALIGNED_UINT8(SHAKE256_RATE) buf;
@@ -115,7 +114,7 @@ index 0e9e988..bb268fd 100644
memcpy(&signs, buf.coeffs, 8);
pos = 8;
-@@ -704,6 +713,7 @@ void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
+@@ -695,6 +704,7 @@ void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
c->coeffs[b] = 1 - 2*(signs & 1);
signs >>= 1;
}
@@ -124,61 +123,10 @@ index 0e9e988..bb268fd 100644
/*************************************************
diff --git a/avx2/sign.c b/avx2/sign.c
-index 3dee7a62..8c254f07 100644
+index c8f2398..70599a3 100644
--- a/avx2/sign.c
+++ b/avx2/sign.c
-@@ -97,17 +97,18 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
-
- /* Sample short vectors s1 and s2 */
- #ifdef DILITHIUM_USE_AES
-- aes256ctr_init(&aesctx, rhoprime, 0);
-+ aes256ctr_init_u64(&aesctx, rhoprime, 0);
- for(i = 0; i < L; ++i) {
- nonce = i;
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s1.vec[i], &aesctx);
- }
- for(i = 0; i < K; ++i) {
- nonce = L + i;
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s2.vec[i], &aesctx);
- }
-+ aes256_ctx_release(&aesctx);
- #elif K == 4 && L == 4
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s2.vec[0], &s2.vec[1], &s2.vec[2], &s2.vec[3], rhoprime, 4, 5, 6, 7);
-@@ -134,7 +135,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- polyvecl_ntt(&s1);
-
- #ifdef DILITHIUM_USE_AES
-- aes256ctr_init(&aesctx, rho, 0);
-+ aes256ctr_init_u64(&aesctx, rho, 0);
- #endif
-
- for(i = 0; i < K; i++) {
-@@ -142,7 +143,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- #ifdef DILITHIUM_USE_AES
- for(unsigned int j = 0; j < L; j++) {
- nonce = (i << 8) + j;
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-@@ -164,6 +165,10 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- polyt0_pack(sk + 3*SEEDBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
- }
-
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
-+
- /* Compute H(rho, t1) and store in secret key */
- shake256(sk + 2*SEEDBYTES, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
-
-@@ -197,7 +202,7 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
+@@ -161,7 +161,7 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
polyvecl y;
polyveck w0;
} tmpv;
@@ -187,41 +135,24 @@ index 3dee7a62..8c254f07 100644
rho = seedbuf;
tr = rho + SEEDBYTES;
-@@ -207,11 +212,11 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
+@@ -172,11 +172,11 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
/* Compute CRH(tr, msg) */
- shake256_init(&state);
-- shake256_absorb(&state, tr, SEEDBYTES);
+- shake256_absorb(&state, tr, TRBYTES);
- shake256_absorb(&state, m, mlen);
- shake256_finalize(&state);
- shake256_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, tr, SEEDBYTES);
++ shake256_inc_absorb(&state, tr, TRBYTES);
+ shake256_inc_absorb(&state, m, mlen);
+ shake256_inc_finalize(&state);
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-@@ -227,14 +232,14 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
-
- #ifdef DILITHIUM_USE_AES
- aes256ctr_ctx aesctx;
-- aes256ctr_init(&aesctx, rhoprime, 0);
-+ aes256ctr_init_u64(&aesctx, rhoprime, 0);
- #endif
-
- rej:
- /* Sample intermediate vector y */
- #ifdef DILITHIUM_USE_AES
- for(i = 0; i < L; ++i) {
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- nonce++;
- poly_uniform_gamma1_preinit(&z.vec[i], &aesctx);
- }
-@@ -268,11 +273,11 @@ rej:
+ randombytes(rnd, RNDBYTES);
+@@ -223,11 +223,11 @@ rej:
polyveck_decompose(&w1, &tmpv.w0, &w1);
polyveck_pack_w1(sig, &w1);
@@ -229,28 +160,24 @@ index 3dee7a62..8c254f07 100644
- shake256_absorb(&state, mu, CRHBYTES);
- shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
- shake256_finalize(&state);
-- shake256_squeeze(sig, SEEDBYTES, &state);
+- shake256_squeeze(sig, CTILDEBYTES, &state);
+ shake256_inc_ctx_reset(&state);
+ shake256_inc_absorb(&state, mu, CRHBYTES);
+ shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(sig, SEEDBYTES, &state);
++ shake256_inc_squeeze(sig, CTILDEBYTES, &state);
poly_challenge(&c, sig);
poly_ntt(&c);
-@@ -317,6 +322,11 @@ rej:
+@@ -272,6 +272,7 @@ rej:
hint[OMEGA + i] = pos = pos + n;
}
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
-+
+ shake256_inc_ctx_release(&state);
/* Pack z into signature */
for(i = 0; i < L; i++)
- polyz_pack(sig + SEEDBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
-@@ -380,18 +390,19 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
+ polyz_pack(sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
+@@ -329,18 +330,19 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
polyvecl *row = rowbuf;
polyvecl z;
poly c, w1, h;
@@ -261,14 +188,14 @@ index 3dee7a62..8c254f07 100644
return -1;
/* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_init(&state);
-- shake256_absorb(&state, mu, SEEDBYTES);
+- shake256_absorb(&state, mu, CRHBYTES);
- shake256_absorb(&state, m, mlen);
- shake256_finalize(&state);
- shake256_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, mu, SEEDBYTES);
++ shake256_inc_absorb(&state, mu, CRHBYTES);
+ shake256_inc_absorb(&state, m, mlen);
+ shake256_inc_finalize(&state);
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
@@ -276,58 +203,7 @@ index 3dee7a62..8c254f07 100644
/* Expand challenge */
poly_challenge(&c, sig);
-@@ -404,7 +415,7 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
- }
-
- #ifdef DILITHIUM_USE_AES
-- aes256ctr_init(&aesctx, pk, 0);
-+ aes256ctr_init_u64(&aesctx, pk, 0);
- #endif
-
- for(i = 0; i < K; i++) {
-@@ -412,7 +423,7 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
- #ifdef DILITHIUM_USE_AES
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-@@ -434,12 +445,21 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
-
- /* Get hint polynomial and reconstruct w1 */
- memset(h.vec, 0, sizeof(poly));
-- if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA)
-+ if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
- return -1;
-+ }
-
- for(j = pos; j < hint[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
-- if(j > pos && hint[j] <= hint[j-1]) return -1;
-+ if(j > pos && hint[j] <= hint[j-1]) {
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
-+ return -1;
-+ }
- h.coeffs[hint[j]] = 1;
- }
- pos = hint[OMEGA + i];
-@@ -449,16 +469,21 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
- polyw1_pack(buf.coeffs + i*POLYW1_PACKEDBYTES, &w1);
- }
-
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
-+
- /* Extra indices are zero for strong unforgeability */
- for(j = pos; j < OMEGA; ++j)
+@@ -390,11 +392,12 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
if(hint[j]) return -1;
/* Call random oracle and verify challenge */
@@ -335,58 +211,21 @@ index 3dee7a62..8c254f07 100644
- shake256_absorb(&state, mu, CRHBYTES);
- shake256_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
- shake256_finalize(&state);
-- shake256_squeeze(buf.coeffs, SEEDBYTES, &state);
+- shake256_squeeze(buf.coeffs, CTILDEBYTES, &state);
+ shake256_inc_init(&state);
+ shake256_inc_absorb(&state, mu, CRHBYTES);
+ shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state);
++ shake256_inc_squeeze(buf.coeffs, CTILDEBYTES, &state);
+ shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
if(buf.coeffs[i] != sig[i])
return -1;
-diff --git a/avx2/polyvec.c b/avx2/polyvec.c
-index 1d9c2e70..5ce1d887 100644
---- a/avx2/polyvec.c
-+++ b/avx2/polyvec.c
-@@ -25,16 +25,17 @@ void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- uint64_t nonce;
- aes256ctr_ctx state;
-
-- aes256ctr_init(&state, rho, 0);
-+ aes256ctr_init_u64(&state, rho, 0);
-
- for(i = 0; i < K; i++) {
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
-- state.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&state, nonce);
- poly_uniform_preinit(&mat[i].vec[j], &state);
- poly_nttunpack(&mat[i].vec[j]);
- }
- }
-+ aes256_ctx_release(&state);
- }
-
- #elif K == 4 && L == 4
diff --git a/avx2/symmetric.h b/avx2/symmetric.h
-index 7eb6f98..ed476d1 100644
+index 8f3c3c5..fa49963 100644
--- a/avx2/symmetric.h
+++ b/avx2/symmetric.h
-@@ -15,31 +15,35 @@ typedef aes256ctr_ctx stream256_state;
- #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
- #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
--#define stream128_init(STATE, SEED, NONCE) aes256ctr_init(STATE, SEED, NONCE)
-+#define stream128_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
- #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
--#define stream256_init(STATE, SEED, NONCE) aes256ctr_init(STATE, SEED, NONCE)
-+#define stream128_release(STATE) aes256_ctx_release(STATE)
-+#define stream256_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
- #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream256_release(STATE) aes256_ctx_release(STATE)
-
- #else
+@@ -6,21 +6,23 @@
#include "fips202.h"
@@ -414,4 +253,3 @@ index 7eb6f98..ed476d1 100644
+#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
#endif
-
diff --git a/scripts/copy_from_upstream/patches/pqcrystals-dilithium-ref-shake-aes.patch b/scripts/copy_from_upstream/patches/pqcrystals-dilithium-ref-shake.patch
similarity index 79%
rename from scripts/copy_from_upstream/patches/pqcrystals-dilithium-ref-shake-aes.patch
rename to scripts/copy_from_upstream/patches/pqcrystals-dilithium-ref-shake.patch
index 1313878bc1..1e72966e87 100644
--- a/scripts/copy_from_upstream/patches/pqcrystals-dilithium-ref-shake-aes.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-dilithium-ref-shake.patch
@@ -1,6 +1,5 @@
-88ad24c7c247d0f2f4c6b22a7e0a4696053b41d5
diff --git a/ref/poly.c b/ref/poly.c
-index a6ba074..006e83c 100644
+index 054ed98..d44063f 100644
--- a/ref/poly.c
+++ b/ref/poly.c
@@ -365,6 +365,7 @@ void poly_uniform(poly *a,
@@ -52,7 +51,7 @@ index a6ba074..006e83c 100644
/*************************************************
diff --git a/ref/sign.c b/ref/sign.c
-index 5d0455c..16333eb 100644
+index d25a399..5f57036 100644
--- a/ref/sign.c
+++ b/ref/sign.c
@@ -90,7 +90,7 @@ int crypto_sign_signature(uint8_t *sig,
@@ -64,24 +63,24 @@ index 5d0455c..16333eb 100644
rho = seedbuf;
tr = rho + SEEDBYTES;
-@@ -100,11 +100,11 @@ int crypto_sign_signature(uint8_t *sig,
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
+@@ -102,11 +102,11 @@ int crypto_sign_signature(uint8_t *sig,
- /* Compute CRH(tr, msg) */
+
+ /* Compute mu = CRH(tr, msg) */
- shake256_init(&state);
-- shake256_absorb(&state, tr, SEEDBYTES);
+- shake256_absorb(&state, tr, TRBYTES);
- shake256_absorb(&state, m, mlen);
- shake256_finalize(&state);
- shake256_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, tr, SEEDBYTES);
++ shake256_inc_absorb(&state, tr, TRBYTES);
+ shake256_inc_absorb(&state, m, mlen);
+ shake256_inc_finalize(&state);
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-@@ -134,11 +134,11 @@ rej:
+ randombytes(rnd, RNDBYTES);
+@@ -138,11 +138,11 @@ rej:
polyveck_decompose(&w1, &w0, &w1);
polyveck_pack_w1(sig, &w1);
@@ -89,16 +88,16 @@ index 5d0455c..16333eb 100644
- shake256_absorb(&state, mu, CRHBYTES);
- shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
- shake256_finalize(&state);
-- shake256_squeeze(sig, SEEDBYTES, &state);
+- shake256_squeeze(sig, CTILDEBYTES, &state);
+ shake256_inc_ctx_reset(&state);
+ shake256_inc_absorb(&state, mu, CRHBYTES);
+ shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(sig, SEEDBYTES, &state);
- poly_challenge(&cp, sig);
++ shake256_inc_squeeze(sig, CTILDEBYTES, &state);
+ poly_challenge(&cp, sig); /* uses only the first SEEDBYTES bytes of sig */
poly_ntt(&cp);
-@@ -171,6 +171,8 @@ rej:
+@@ -175,6 +175,8 @@ rej:
if(n > OMEGA)
goto rej;
@@ -107,7 +106,7 @@ index 5d0455c..16333eb 100644
/* Write signature */
pack_sig(sig, sig, &z, &h);
*siglen = CRYPTO_BYTES;
-@@ -236,7 +238,7 @@ int crypto_sign_verify(const uint8_t *sig,
+@@ -240,7 +242,7 @@ int crypto_sign_verify(const uint8_t *sig,
poly cp;
polyvecl mat[K], z;
polyveck t1, w1, h;
@@ -116,24 +115,24 @@ index 5d0455c..16333eb 100644
if(siglen != CRYPTO_BYTES)
return -1;
-@@ -249,11 +251,11 @@ int crypto_sign_verify(const uint8_t *sig,
+@@ -253,11 +255,11 @@ int crypto_sign_verify(const uint8_t *sig,
/* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_init(&state);
-- shake256_absorb(&state, mu, SEEDBYTES);
+- shake256_absorb(&state, mu, CRHBYTES);
- shake256_absorb(&state, m, mlen);
- shake256_finalize(&state);
- shake256_squeeze(mu, CRHBYTES, &state);
+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, mu, SEEDBYTES);
++ shake256_inc_absorb(&state, mu, CRHBYTES);
+ shake256_inc_absorb(&state, m, mlen);
+ shake256_inc_finalize(&state);
+ shake256_inc_squeeze(mu, CRHBYTES, &state);
/* Matrix-vector multiplication; compute Az - c2^dt1 */
- poly_challenge(&cp, c);
-@@ -277,11 +279,12 @@ int crypto_sign_verify(const uint8_t *sig,
+ poly_challenge(&cp, c); /* uses only the first SEEDBYTES bytes of c */
+@@ -281,11 +283,12 @@ int crypto_sign_verify(const uint8_t *sig,
polyveck_pack_w1(buf, &w1);
/* Call random oracle and verify challenge */
@@ -141,14 +140,14 @@ index 5d0455c..16333eb 100644
- shake256_absorb(&state, mu, CRHBYTES);
- shake256_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
- shake256_finalize(&state);
-- shake256_squeeze(c2, SEEDBYTES, &state);
+- shake256_squeeze(c2, CTILDEBYTES, &state);
+ shake256_inc_ctx_reset(&state);
+ shake256_inc_absorb(&state, mu, CRHBYTES);
+ shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(c2, SEEDBYTES, &state);
++ shake256_inc_squeeze(c2, CTILDEBYTES, &state);
+ shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
if(c[i] != c2[i])
return -1;
diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c
@@ -193,23 +192,10 @@ index 11ec09c..963f649 100644
+ shake256_inc_finalize(state);
}
diff --git a/ref/symmetric.h b/ref/symmetric.h
-index 0b34fb6..13c88da 100644
+index cba12d1..211de3b 100644
--- a/ref/symmetric.h
+++ b/ref/symmetric.h
-@@ -24,25 +24,29 @@ void dilithium_aes256ctr_init(aes256ctr_ctx *state,
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
- #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream128_release(STATE) \
-+ aes256_ctx_release(STATE)
- #define stream256_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
- #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream256_release(STATE) \
-+ aes256_ctx_release(STATE)
-
- #else
+@@ -6,16 +6,16 @@
#include "fips202.h"
@@ -230,7 +216,7 @@ index 0b34fb6..13c88da 100644
const uint8_t seed[CRHBYTES],
uint16_t nonce);
-@@ -53,10 +57,12 @@ void dilithium_shake256_stream_init(keccak_state *state,
+@@ -26,9 +26,11 @@ void dilithium_shake256_stream_init(keccak_state *state,
dilithium_shake128_stream_init(STATE, SEED, NONCE)
#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
@@ -242,4 +228,3 @@ index 0b34fb6..13c88da 100644
+#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
#endif
-
diff --git a/scripts/copy_from_upstream/patches/pqcrystals-dilithium-yml.patch b/scripts/copy_from_upstream/patches/pqcrystals-dilithium-yml.patch
index e16539645c..6f9ed598dc 100644
--- a/scripts/copy_from_upstream/patches/pqcrystals-dilithium-yml.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-dilithium-yml.patch
@@ -1,5 +1,5 @@
diff --git a/Dilithium2_META.yml b/Dilithium2_META.yml
-index 0e2e6fc..f4b7e8f 100644
+index 78a3b82..1e37507 100644
--- a/Dilithium2_META.yml
+++ b/Dilithium2_META.yml
@@ -24,16 +24,14 @@ implementations:
@@ -10,8 +10,8 @@ index 0e2e6fc..f4b7e8f 100644
- common_dep: common_ref
+ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
- name: avx2
- version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
- compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING
+ version: https://github.com/pq-crystals/dilithium/tree/standard
+ compile_opts: -DDILITHIUM_MODE=2
signature_keypair: pqcrystals_dilithium2_avx2_keypair
signature_signature: pqcrystals_dilithium2_avx2_signature
signature_verify: pqcrystals_dilithium2_avx2_verify
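Review bot: Dropping `-DDILITHIUM_RANDOMIZED_SIGNING` from the avx2 `compile_opts` (old `compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING`, new `compile_opts: -DDILITHIUM_MODE=2`) switches the avx2 Dilithium2 build from hedged to deterministic signing, because the new upstream only draws `rnd` via `randombytes(rnd, RNDBYTES)` under that define, as the ref-shake and avx2-shake patches in this commit show. The same change is made for Dilithium3 and Dilithium5 in the later hunks of this file. Hedged signing is the default the FIPS 204 draft specifies and deterministic signatures have a different fault-resilience profile, so if the switch is deliberate it should be stated in the commit message and in the META, e.g. `# deterministic signing: DILITHIUM_RANDOMIZED_SIGNING intentionally not set`; if it is not deliberate the flag should stay. Whether the ref implementation's compile_opts change the same way is not visible in this hunk.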
@@ -22,7 +22,7 @@ index 0e2e6fc..f4b7e8f 100644
- architecture: x86_64
operating_systems:
diff --git a/Dilithium3_META.yml b/Dilithium3_META.yml
-index d1bca64..f45c859 100644
+index d9b76e2..dbd3677 100644
--- a/Dilithium3_META.yml
+++ b/Dilithium3_META.yml
@@ -24,16 +24,14 @@ implementations:
@@ -33,8 +33,8 @@ index d1bca64..f45c859 100644
- common_dep: common_ref
+ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
- name: avx2
- version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
- compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING
+ version: https://github.com/pq-crystals/dilithium/tree/standard
+ compile_opts: -DDILITHIUM_MODE=3
signature_keypair: pqcrystals_dilithium3_avx2_keypair
signature_signature: pqcrystals_dilithium3_avx2_signature
signature_verify: pqcrystals_dilithium3_avx2_verify
@@ -45,7 +45,7 @@ index d1bca64..f45c859 100644
- architecture: x86_64
operating_systems:
diff --git a/Dilithium5_META.yml b/Dilithium5_META.yml
-index a4dbdbf..618b617 100644
+index c2ea5f0..3eb4bf5 100644
--- a/Dilithium5_META.yml
+++ b/Dilithium5_META.yml
@@ -24,16 +24,14 @@ implementations:
@@ -56,8 +56,8 @@ index a4dbdbf..618b617 100644
- common_dep: common_ref
+ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
- name: avx2
- version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
- compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING
+ version: https://github.com/pq-crystals/dilithium/tree/standard
+ compile_opts: -DDILITHIUM_MODE=5
signature_keypair: pqcrystals_dilithium5_avx2_keypair
signature_signature: pqcrystals_dilithium5_avx2_signature
signature_verify: pqcrystals_dilithium5_avx2_verify
diff --git a/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake-aes.patch b/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake.patch
similarity index 54%
rename from scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake-aes.patch
rename to scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake.patch
index 1763b53678..d4a7eaca81 100644
--- a/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake-aes.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake.patch
@@ -1,35 +1,8 @@
-c6a44a0dbb6735caf40ad4856063282feab56d98
diff --git a/avx2/indcpa.c b/avx2/indcpa.c
-index 926f6e87..b8840863 100644
+index 4f3b782..572ce49 100644
--- a/avx2/indcpa.c
+++ b/avx2/indcpa.c
-@@ -178,7 +178,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
- ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES) buf;
- aes256ctr_ctx state;
-
-- aes256ctr_init(&state, seed, 0);
-+ aes256ctr_init_key(&state, seed);
-
- for(i=0;i)
endif()
-if(OQS_ENABLE_KEM_kyber_512_aarch64)
- add_library(kyber_512_aarch64 OBJECT pqclean_kyber512_aarch64/__asm_base_mul.S pqclean_kyber512_aarch64/__asm_iNTT.S pqclean_kyber512_aarch64/__asm_NTT.S pqclean_kyber512_aarch64/__asm_poly.S pqclean_kyber512_aarch64/cbd.c pqclean_kyber512_aarch64/feat.S pqclean_kyber512_aarch64/fips202x2.c pqclean_kyber512_aarch64/indcpa.c pqclean_kyber512_aarch64/kem.c pqclean_kyber512_aarch64/neon_poly.c pqclean_kyber512_aarch64/neon_polyvec.c pqclean_kyber512_aarch64/neon_symmetric-shake.c pqclean_kyber512_aarch64/ntt.c pqclean_kyber512_aarch64/poly.c pqclean_kyber512_aarch64/polyvec.c pqclean_kyber512_aarch64/reduce.c pqclean_kyber512_aarch64/rejsample.c pqclean_kyber512_aarch64/symmetric-shake.c pqclean_kyber512_aarch64/verify.c)
- target_include_directories(kyber_512_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqclean_kyber512_aarch64)
- target_include_directories(kyber_512_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- if (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
- target_compile_definitions(kyber_512_aarch64 PRIVATE old_gas_syntax)
- endif()
- set(_KYBER_OBJS ${_KYBER_OBJS} $)
-endif()
-
if(OQS_ENABLE_KEM_kyber_768)
add_library(kyber_768_ref OBJECT kem_kyber_768.c pqcrystals-kyber_kyber768_ref/cbd.c pqcrystals-kyber_kyber768_ref/indcpa.c pqcrystals-kyber_kyber768_ref/kem.c pqcrystals-kyber_kyber768_ref/ntt.c pqcrystals-kyber_kyber768_ref/poly.c pqcrystals-kyber_kyber768_ref/polyvec.c pqcrystals-kyber_kyber768_ref/reduce.c pqcrystals-kyber_kyber768_ref/symmetric-shake.c pqcrystals-kyber_kyber768_ref/verify.c)
target_compile_options(kyber_768_ref PUBLIC -DKYBER_K=3)
@@ -51,16 +41,6 @@ if(OQS_ENABLE_KEM_kyber_768_avx2)
set(_KYBER_OBJS ${_KYBER_OBJS} $)
endif()
-if(OQS_ENABLE_KEM_kyber_768_aarch64)
- add_library(kyber_768_aarch64 OBJECT pqclean_kyber768_aarch64/__asm_base_mul.S pqclean_kyber768_aarch64/__asm_iNTT.S pqclean_kyber768_aarch64/__asm_NTT.S pqclean_kyber768_aarch64/__asm_poly.S pqclean_kyber768_aarch64/cbd.c pqclean_kyber768_aarch64/feat.S pqclean_kyber768_aarch64/fips202x2.c pqclean_kyber768_aarch64/indcpa.c pqclean_kyber768_aarch64/kem.c pqclean_kyber768_aarch64/neon_poly.c pqclean_kyber768_aarch64/neon_polyvec.c pqclean_kyber768_aarch64/neon_symmetric-shake.c pqclean_kyber768_aarch64/ntt.c pqclean_kyber768_aarch64/poly.c pqclean_kyber768_aarch64/polyvec.c pqclean_kyber768_aarch64/reduce.c pqclean_kyber768_aarch64/rejsample.c pqclean_kyber768_aarch64/symmetric-shake.c pqclean_kyber768_aarch64/verify.c)
- target_include_directories(kyber_768_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqclean_kyber768_aarch64)
- target_include_directories(kyber_768_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- if (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
- target_compile_definitions(kyber_768_aarch64 PRIVATE old_gas_syntax)
- endif()
- set(_KYBER_OBJS ${_KYBER_OBJS} $)
-endif()
-
if(OQS_ENABLE_KEM_kyber_1024)
add_library(kyber_1024_ref OBJECT kem_kyber_1024.c pqcrystals-kyber_kyber1024_ref/cbd.c pqcrystals-kyber_kyber1024_ref/indcpa.c pqcrystals-kyber_kyber1024_ref/kem.c pqcrystals-kyber_kyber1024_ref/ntt.c pqcrystals-kyber_kyber1024_ref/poly.c pqcrystals-kyber_kyber1024_ref/polyvec.c pqcrystals-kyber_kyber1024_ref/reduce.c pqcrystals-kyber_kyber1024_ref/symmetric-shake.c pqcrystals-kyber_kyber1024_ref/verify.c)
target_compile_options(kyber_1024_ref PUBLIC -DKYBER_K=4)
@@ -79,14 +59,4 @@ if(OQS_ENABLE_KEM_kyber_1024_avx2)
set(_KYBER_OBJS ${_KYBER_OBJS} $)
endif()
-if(OQS_ENABLE_KEM_kyber_1024_aarch64)
- add_library(kyber_1024_aarch64 OBJECT pqclean_kyber1024_aarch64/__asm_base_mul.S pqclean_kyber1024_aarch64/__asm_iNTT.S pqclean_kyber1024_aarch64/__asm_NTT.S pqclean_kyber1024_aarch64/__asm_poly.S pqclean_kyber1024_aarch64/cbd.c pqclean_kyber1024_aarch64/feat.S pqclean_kyber1024_aarch64/fips202x2.c pqclean_kyber1024_aarch64/indcpa.c pqclean_kyber1024_aarch64/kem.c pqclean_kyber1024_aarch64/neon_poly.c pqclean_kyber1024_aarch64/neon_polyvec.c pqclean_kyber1024_aarch64/neon_symmetric-shake.c pqclean_kyber1024_aarch64/ntt.c pqclean_kyber1024_aarch64/poly.c pqclean_kyber1024_aarch64/polyvec.c pqclean_kyber1024_aarch64/reduce.c pqclean_kyber1024_aarch64/rejsample.c pqclean_kyber1024_aarch64/symmetric-shake.c pqclean_kyber1024_aarch64/verify.c)
- target_include_directories(kyber_1024_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqclean_kyber1024_aarch64)
- target_include_directories(kyber_1024_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- if (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
- target_compile_definitions(kyber_1024_aarch64 PRIVATE old_gas_syntax)
- endif()
- set(_KYBER_OBJS ${_KYBER_OBJS} $)
-endif()
-
set(KYBER_OBJS ${_KYBER_OBJS} PARENT_SCOPE)
diff --git a/src/kem/kyber/kem_kyber_1024.c b/src/kem/kyber/kem_kyber_1024.c
index db72b23cd5..8909938950 100644
--- a/src/kem/kyber/kem_kyber_1024.c
+++ b/src/kem/kyber/kem_kyber_1024.c
@@ -13,7 +13,7 @@ OQS_KEM *OQS_KEM_kyber_1024_new(void) {
return NULL;
}
kem->method_name = OQS_KEM_alg_kyber_1024;
- kem->alg_version = "https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff";
+ kem->alg_version = "https://github.com/pq-crystals/kyber/tree/standard";
kem->claimed_nist_level = 5;
kem->ind_cca = true;
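Review bot: The new alg_version string on the `+` line records a branch, `tree/standard`, where the removed line recorded a specific commit, so the field no longer identifies which upstream revision was vendored and cannot be used to reproduce or audit what was built. Prefer keeping a commit-pinned URL, e.g. `kem->alg_version = "https://github.com/pq-crystals/kyber/commit/<UPSTREAM_COMMIT_ID placeholder>";`, or append the vendored commit id to the branch reference. The same change is made in kem_kyber_512.c and kem_kyber_768.c in this diff. OQS_KEM_kyber_1024_new begins outside the hunk.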
@@ -40,12 +40,6 @@ extern int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t
extern int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
#endif
-#if defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
-extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#endif
-
OQS_API OQS_STATUS OQS_KEM_kyber_1024_keypair(uint8_t *public_key, uint8_t *secret_key) {
#if defined(OQS_ENABLE_KEM_kyber_1024_avx2)
#if defined(OQS_DIST_BUILD)
@@ -57,16 +51,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_1024_keypair(uint8_t *public_key, uint8_t *secr
return (OQS_STATUS) pqcrystals_kyber1024_ref_keypair(public_key, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_kyber1024_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_kyber1024_ref_keypair(public_key, secret_key);
#endif
@@ -83,16 +67,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_1024_encaps(uint8_t *ciphertext, uint8_t *share
return (OQS_STATUS) pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_enc(ciphertext, shared_secret, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key);
#endif
@@ -109,16 +83,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_1024_decaps(uint8_t *shared_secret, const uint8
return (OQS_STATUS) pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_dec(shared_secret, ciphertext, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key);
#endif
diff --git a/src/kem/kyber/kem_kyber_512.c b/src/kem/kyber/kem_kyber_512.c
index a226787f65..244729e3fe 100644
--- a/src/kem/kyber/kem_kyber_512.c
+++ b/src/kem/kyber/kem_kyber_512.c
@@ -13,7 +13,7 @@ OQS_KEM *OQS_KEM_kyber_512_new(void) {
return NULL;
}
kem->method_name = OQS_KEM_alg_kyber_512;
- kem->alg_version = "https://github.com/pq-crystals/kyber/commit/74cad307858b61e434490c75f812cb9b9ef7279b";
+ kem->alg_version = "https://github.com/pq-crystals/kyber/tree/standard";
kem->claimed_nist_level = 1;
kem->ind_cca = true;
@@ -40,12 +40,6 @@ extern int pqcrystals_kyber512_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t
extern int pqcrystals_kyber512_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
#endif
-#if defined(OQS_ENABLE_KEM_kyber_512_aarch64)
-extern int PQCLEAN_KYBER512_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_KYBER512_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-extern int PQCLEAN_KYBER512_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#endif
-
OQS_API OQS_STATUS OQS_KEM_kyber_512_keypair(uint8_t *public_key, uint8_t *secret_key) {
#if defined(OQS_ENABLE_KEM_kyber_512_avx2)
#if defined(OQS_DIST_BUILD)
@@ -57,16 +51,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_512_keypair(uint8_t *public_key, uint8_t *secre
return (OQS_STATUS) pqcrystals_kyber512_ref_keypair(public_key, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_512_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_KYBER512_AARCH64_crypto_kem_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_kyber512_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_kyber512_ref_keypair(public_key, secret_key);
#endif
@@ -83,16 +67,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_512_encaps(uint8_t *ciphertext, uint8_t *shared
return (OQS_STATUS) pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_512_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_KYBER512_AARCH64_crypto_kem_enc(ciphertext, shared_secret, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key);
#endif
@@ -109,16 +83,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_512_decaps(uint8_t *shared_secret, const uint8_
return (OQS_STATUS) pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_512_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_KYBER512_AARCH64_crypto_kem_dec(shared_secret, ciphertext, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key);
#endif
diff --git a/src/kem/kyber/kem_kyber_768.c b/src/kem/kyber/kem_kyber_768.c
index bc21b00380..d36e60fb25 100644
--- a/src/kem/kyber/kem_kyber_768.c
+++ b/src/kem/kyber/kem_kyber_768.c
@@ -13,7 +13,7 @@ OQS_KEM *OQS_KEM_kyber_768_new(void) {
return NULL;
}
kem->method_name = OQS_KEM_alg_kyber_768;
- kem->alg_version = "https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff";
+ kem->alg_version = "https://github.com/pq-crystals/kyber/tree/standard";
kem->claimed_nist_level = 3;
kem->ind_cca = true;
@@ -40,12 +40,6 @@ extern int pqcrystals_kyber768_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t
extern int pqcrystals_kyber768_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
#endif
-#if defined(OQS_ENABLE_KEM_kyber_768_aarch64)
-extern int PQCLEAN_KYBER768_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_KYBER768_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-extern int PQCLEAN_KYBER768_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#endif
-
OQS_API OQS_STATUS OQS_KEM_kyber_768_keypair(uint8_t *public_key, uint8_t *secret_key) {
#if defined(OQS_ENABLE_KEM_kyber_768_avx2)
#if defined(OQS_DIST_BUILD)
@@ -57,16 +51,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_768_keypair(uint8_t *public_key, uint8_t *secre
return (OQS_STATUS) pqcrystals_kyber768_ref_keypair(public_key, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_768_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_KYBER768_AARCH64_crypto_kem_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_kyber768_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_kyber768_ref_keypair(public_key, secret_key);
#endif
@@ -83,16 +67,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_768_encaps(uint8_t *ciphertext, uint8_t *shared
return (OQS_STATUS) pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_768_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_KYBER768_AARCH64_crypto_kem_enc(ciphertext, shared_secret, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key);
#endif
@@ -109,16 +83,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_768_decaps(uint8_t *shared_secret, const uint8_
return (OQS_STATUS) pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_768_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_KYBER768_AARCH64_crypto_kem_dec(shared_secret, ciphertext, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key);
#endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/api.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/api.h
index 4ae94cbab7..a154e80f1d 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/api.h
@@ -6,70 +6,61 @@
#define pqcrystals_kyber512_SECRETKEYBYTES 1632
#define pqcrystals_kyber512_PUBLICKEYBYTES 800
#define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
#define pqcrystals_kyber512_BYTES 32
#define pqcrystals_kyber512_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
#define pqcrystals_kyber512_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
#define pqcrystals_kyber512_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_avx2_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_avx2_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
#define pqcrystals_kyber512_avx2_BYTES pqcrystals_kyber512_BYTES
+int pqcrystals_kyber512_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber512_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber512_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber512_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber512_90s_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_avx2_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber768_SECRETKEYBYTES 2400
#define pqcrystals_kyber768_PUBLICKEYBYTES 1184
#define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
#define pqcrystals_kyber768_BYTES 32
#define pqcrystals_kyber768_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
#define pqcrystals_kyber768_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
#define pqcrystals_kyber768_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_avx2_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_avx2_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
#define pqcrystals_kyber768_avx2_BYTES pqcrystals_kyber768_BYTES
+int pqcrystals_kyber768_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber768_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber768_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber768_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber768_90s_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_avx2_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber1024_SECRETKEYBYTES 3168
#define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
#define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
#define pqcrystals_kyber1024_BYTES 32
#define pqcrystals_kyber1024_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
#define pqcrystals_kyber1024_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
#define pqcrystals_kyber1024_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_avx2_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_avx2_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
#define pqcrystals_kyber1024_avx2_BYTES pqcrystals_kyber1024_BYTES
+int pqcrystals_kyber1024_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber1024_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber1024_90s_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_avx2_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c
index b88408631b..572ce49007 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c
@@ -169,44 +169,6 @@ static unsigned int rej_uniform(int16_t *r,
* - const uint8_t *seed: pointer to input seed
* - int transposed: boolean deciding whether A or A^T is generated
**************************************************/
-#ifdef KYBER_90S
-void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-{
- unsigned int ctr, i, j, k;
- unsigned int buflen, off;
- uint64_t nonce = 0;
- ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES) buf;
- aes256ctr_ctx state;
-
- aes256ctr_init_key(&state, seed);
-
- for(i=0;i> 24) & 0xFF);
}
- while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 12) {
+ while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 16) {
f = _mm_loadu_si128((__m128i *)&buf[pos]);
f = _mm_shuffle_epi8(f, _mm256_castsi256_si128(idx8));
t = _mm_srli_epi16(f, 4);
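Review bot: The loop-bound change from `REJ_UNIFORM_AVX_BUFLEN - 12` to `- 16` deserves a why-comment, because the next line's `_mm_loadu_si128` reads 16 bytes starting at `&buf[pos]`; with the old bound the final iteration could read 4 bytes past `REJ_UNIFORM_AVX_BUFLEN`, which is only safe if `buf` carries slack beyond that length (not visible here). Suggest `/* the 16-byte load below must stay within REJ_UNIFORM_AVX_BUFLEN */` on the while line. If the kyber512 and kyber768 avx2 copies of this loop are not updated in the same commit they should receive the same bound; they are not visible in this chunk. The enclosing function starts and ends outside the visible lines, and the hunk header for this change appears to have been lost in rendering.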
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric-shake.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric-shake.c
index 2317c06276..20f451882e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric-shake.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric-shake.c
@@ -49,3 +49,26 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
shake256(out, outlen, extkey, sizeof(extkey));
}
+
+/*************************************************
+* Name: kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+* and then generates outlen bytes of SHAKE256 output
+*
+* Arguments: - uint8_t *out: pointer to output
+* - size_t outlen: number of requested output bytes
+* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+* - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
+{
+ shake256incctx s;
+
+ shake256_inc_init(&s);
+ shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+ shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+ shake256_inc_finalize(&s);
+ shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+ shake256_inc_ctx_release(&s);
+}
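Review bot: The comment block above kyber_shake256_rkprf was copied from kyber_shake256_prf: it says `Name: kyber_shake256_prf` and documents `outlen` and `nonce`, neither of which this function takes, while `out[KYBER_SSBYTES]`, `key[KYBER_SYMBYTES]` and `input[KYBER_CIPHERTEXTBYTES]` go undocumented. Suggest `* Name: kyber_shake256_rkprf` with a description along the lines of: absorbs the secret value `key` (presumably the implicit-rejection value z written by kem.c) followed by the ciphertext `input` into SHAKE256 and squeezes KYBER_SSBYTES bytes, listing those three arguments in place of `outlen`/`nonce`. This file is vendored from pq-crystals, so the correction should also be sent upstream rather than applied only to the local copy.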
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric.h
index 483eabc494..e4941f7a86 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric.h
@@ -5,31 +5,6 @@
#include
#include "params.h"
-#ifdef KYBER_90S
-
-#include "sha2.h"
-#include "aes256ctr.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) \
- aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8))
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
- aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
#include "fips202.h"
#include "fips202x4.h"
@@ -42,22 +17,18 @@ void kyber_shake128_absorb(shake128incctx *s,
uint8_t y);
#define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
-void kyber_shake256_prf(uint8_t *out,
- size_t outlen,
- const uint8_t key[KYBER_SYMBYTES],
- uint8_t nonce);
+void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
#define XOF_BLOCKBYTES SHAKE128_RATE
#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
#define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
- kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
#endif /* SYMMETRIC_H */
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h
index b34eab9705..70d40f3f3e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h
@@ -6,70 +6,61 @@
#define pqcrystals_kyber512_SECRETKEYBYTES 1632
#define pqcrystals_kyber512_PUBLICKEYBYTES 800
#define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
#define pqcrystals_kyber512_BYTES 32
#define pqcrystals_kyber512_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
#define pqcrystals_kyber512_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
#define pqcrystals_kyber512_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_ref_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_ref_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
#define pqcrystals_kyber512_ref_BYTES pqcrystals_kyber512_BYTES
+int pqcrystals_kyber512_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber512_90s_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_ref_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber768_SECRETKEYBYTES 2400
#define pqcrystals_kyber768_PUBLICKEYBYTES 1184
#define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
#define pqcrystals_kyber768_BYTES 32
#define pqcrystals_kyber768_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
#define pqcrystals_kyber768_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
#define pqcrystals_kyber768_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_ref_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_ref_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
#define pqcrystals_kyber768_ref_BYTES pqcrystals_kyber768_BYTES
+int pqcrystals_kyber768_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber768_90s_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_ref_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber1024_SECRETKEYBYTES 3168
#define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
#define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
#define pqcrystals_kyber1024_BYTES 32
#define pqcrystals_kyber1024_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
#define pqcrystals_kyber1024_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
#define pqcrystals_kyber1024_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_ref_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_ref_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
#define pqcrystals_kyber1024_ref_BYTES pqcrystals_kyber1024_BYTES
+int pqcrystals_kyber1024_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber1024_90s_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_ref_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c
index f0129aa046..4a8b4c894f 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c
@@ -1,5 +1,6 @@
#include
#include
+#include
#include "params.h"
#include "indcpa.h"
#include "polyvec.h"
@@ -23,10 +24,8 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
polyvec *pk,
const uint8_t seed[KYBER_SYMBYTES])
{
- size_t i;
polyvec_tobytes(r, pk);
- for(i=0;i
#include
+#include
#include "params.h"
#include "kem.h"
#include "indcpa.h"
#include "verify.h"
#include "symmetric.h"
#include "randombytes.h"
+/*************************************************
+* Name: crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+* for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments: - uint8_t *pk: pointer to output public key
+* (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+* - uint8_t *sk: pointer to output private key
+* (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+* - uint8_t *coins: pointer to input randomness
+* (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair_derand(uint8_t *pk,
+ uint8_t *sk,
+ const uint8_t *coins)
+{
+ indcpa_keypair_derand(pk, sk, coins);
+ memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+ hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+ /* Value z for pseudo-random output on reject */
+ memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+ return 0;
+}
/*************************************************
* Name: crypto_kem_keypair
@@ -23,18 +50,14 @@
int crypto_kem_keypair(uint8_t *pk,
uint8_t *sk)
{
- size_t i;
- indcpa_keypair(pk, sk);
- for(i=0;i
#include "params.h"
-#ifdef KYBER_90S
-
-#include "aes256ctr.h"
-#include "sha2.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb)
-void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y);
-
-#define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf)
-void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce);
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED)
-#define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_release(STATE) aes256_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
#include "fips202.h"
typedef shake128incctx xof_state;
@@ -48,6 +18,9 @@ void kyber_shake128_absorb(shake128incctx *s,
#define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
+
#define XOF_BLOCKBYTES SHAKE128_RATE
#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
@@ -57,8 +30,6 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define xof_release(STATE) shake128_inc_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
#endif /* SYMMETRIC_H */
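Review bot: The new `rkprf(OUT, KEY, INPUT)` macro is added with no comment, and unlike `prf` or `hash_h` its name does not say what it derives; from the declaration above (a KYBER_SYMBYTES key and a KYBER_CIPHERTEXTBYTES input squeezed to KYBER_SSBYTES) it is presumably the implicit-rejection PRF that replaces the removed `kdf`, but a reader cannot confirm that from this header alone. A one-line comment above the macro would help, e.g. `/* rkprf: PRF over (z, ciphertext) used to derive the shared secret on implicit rejection */`, once that reading is confirmed against kem.c. The same undocumented macro is added in `pqcrystals-kyber_kyber512_avx2/symmetric.h`, `pqcrystals-kyber_kyber768_avx2/symmetric.h` and a third symmetric.h whose file header was lost in extraction.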
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/api.h b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/api.h
index 4ae94cbab7..a154e80f1d 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/api.h
@@ -6,70 +6,61 @@
#define pqcrystals_kyber512_SECRETKEYBYTES 1632
#define pqcrystals_kyber512_PUBLICKEYBYTES 800
#define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
#define pqcrystals_kyber512_BYTES 32
#define pqcrystals_kyber512_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
#define pqcrystals_kyber512_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
#define pqcrystals_kyber512_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_avx2_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_avx2_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
#define pqcrystals_kyber512_avx2_BYTES pqcrystals_kyber512_BYTES
+int pqcrystals_kyber512_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber512_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber512_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber512_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber512_90s_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_avx2_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber768_SECRETKEYBYTES 2400
#define pqcrystals_kyber768_PUBLICKEYBYTES 1184
#define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
#define pqcrystals_kyber768_BYTES 32
#define pqcrystals_kyber768_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
#define pqcrystals_kyber768_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
#define pqcrystals_kyber768_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_avx2_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_avx2_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
#define pqcrystals_kyber768_avx2_BYTES pqcrystals_kyber768_BYTES
+int pqcrystals_kyber768_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber768_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber768_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber768_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber768_90s_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_avx2_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber1024_SECRETKEYBYTES 3168
#define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
#define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
#define pqcrystals_kyber1024_BYTES 32
#define pqcrystals_kyber1024_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
#define pqcrystals_kyber1024_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
#define pqcrystals_kyber1024_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_avx2_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_avx2_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
#define pqcrystals_kyber1024_avx2_BYTES pqcrystals_kyber1024_BYTES
+int pqcrystals_kyber1024_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber1024_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber1024_90s_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_avx2_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#endif
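Review bot: The new `keypair_derand` and `enc_derand` prototypes take `const uint8_t *coins` with no statement of the required length, even though the hunk introduces `KEYPAIRCOINBYTES` (64) and `ENCCOINBYTES` (32) a few lines above for exactly that purpose. A comment on the first derand declaration would close the gap, e.g. `/* coins: KEYPAIRCOINBYTES (keypair_derand) or ENCCOINBYTES (enc_derand) bytes of caller-supplied randomness; intended for deterministic testing, production callers keep using the non-derand entry points. */`. The same undocumented declarations are repeated in `pqcrystals-kyber_kyber512_ref/api.h` and `pqcrystals-kyber_kyber768_avx2/api.h`.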
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c
index b88408631b..572ce49007 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c
@@ -169,44 +169,6 @@ static unsigned int rej_uniform(int16_t *r,
* - const uint8_t *seed: pointer to input seed
* - int transposed: boolean deciding whether A or A^T is generated
**************************************************/
-#ifdef KYBER_90S
-void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-{
- unsigned int ctr, i, j, k;
- unsigned int buflen, off;
- uint64_t nonce = 0;
- ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES) buf;
- aes256ctr_ctx state;
-
- aes256ctr_init_key(&state, seed);
-
- for(i=0;i> 24) & 0xFF);
}
- while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 12) {
+ while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 16) {
f = _mm_loadu_si128((__m128i *)&buf[pos]);
f = _mm_shuffle_epi8(f, _mm256_castsi256_si128(idx8));
t = _mm_srli_epi16(f, 4);
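Review bot: The loop-bound change from `REJ_UNIFORM_AVX_BUFLEN - 12` to `- 16` is correct but unexplained: the body loads 16 bytes with `_mm_loadu_si128((__m128i *)&buf[pos])`, so the old bound could read up to 4 bytes past the end of `buf` if `buf` is exactly `REJ_UNIFORM_AVX_BUFLEN` bytes (its declaration is not in the hunk). A comment on the changed line would stop the next edit from regressing it, e.g. `/* 16: the _mm_loadu_si128 below reads a full 16-byte block at buf[pos] */`. The enclosing function begins outside the hunk, and the hunk itself looks truncated in extraction (its header counts do not match the lines shown). The identical change appears in `pqcrystals-kyber_kyber768_avx2/indcpa.c`.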
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric-shake.c b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric-shake.c
index 2317c06276..20f451882e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric-shake.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric-shake.c
@@ -49,3 +49,26 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
shake256(out, outlen, extkey, sizeof(extkey));
}
+
+/*************************************************
+* Name: kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+* and then generates outlen bytes of SHAKE256 output
+*
+* Arguments: - uint8_t *out: pointer to output
+* - size_t outlen: number of requested output bytes
+* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+* - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
+{
+ shake256incctx s;
+
+ shake256_inc_init(&s);
+ shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+ shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+ shake256_inc_finalize(&s);
+ shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+ shake256_inc_ctx_release(&s);
+}
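Review bot: The header comment added for `kyber_shake256_rkprf` is a copy of the `kyber_shake256_prf` one and documents the wrong function: it names `kyber_shake256_prf` and lists `outlen` and `nonce` parameters that `rkprf` does not have, while the real `input` parameter is undocumented. The comment should name `kyber_shake256_rkprf`, describe it as absorbing `key` (KYBER_SYMBYTES bytes) followed by `input` (KYBER_CIPHERTEXTBYTES bytes) into SHAKE256 and squeezing KYBER_SSBYTES bytes into `out`, and list exactly those three arguments. The same copied comment is added in `pqcrystals-kyber_kyber768_avx2/symmetric-shake.c`.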
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric.h b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric.h
index 483eabc494..e4941f7a86 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric.h
@@ -5,31 +5,6 @@
#include
#include "params.h"
-#ifdef KYBER_90S
-
-#include "sha2.h"
-#include "aes256ctr.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) \
- aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8))
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
- aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
#include "fips202.h"
#include "fips202x4.h"
@@ -42,22 +17,18 @@ void kyber_shake128_absorb(shake128incctx *s,
uint8_t y);
#define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
-void kyber_shake256_prf(uint8_t *out,
- size_t outlen,
- const uint8_t key[KYBER_SYMBYTES],
- uint8_t nonce);
+void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
#define XOF_BLOCKBYTES SHAKE128_RATE
#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
#define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
- kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
#endif /* SYMMETRIC_H */
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h
index b34eab9705..70d40f3f3e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h
@@ -6,70 +6,61 @@
#define pqcrystals_kyber512_SECRETKEYBYTES 1632
#define pqcrystals_kyber512_PUBLICKEYBYTES 800
#define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
#define pqcrystals_kyber512_BYTES 32
#define pqcrystals_kyber512_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
#define pqcrystals_kyber512_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
#define pqcrystals_kyber512_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_ref_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_ref_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
#define pqcrystals_kyber512_ref_BYTES pqcrystals_kyber512_BYTES
+int pqcrystals_kyber512_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber512_90s_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_ref_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber768_SECRETKEYBYTES 2400
#define pqcrystals_kyber768_PUBLICKEYBYTES 1184
#define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
#define pqcrystals_kyber768_BYTES 32
#define pqcrystals_kyber768_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
#define pqcrystals_kyber768_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
#define pqcrystals_kyber768_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_ref_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_ref_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
#define pqcrystals_kyber768_ref_BYTES pqcrystals_kyber768_BYTES
+int pqcrystals_kyber768_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber768_90s_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_ref_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber1024_SECRETKEYBYTES 3168
#define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
#define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
#define pqcrystals_kyber1024_BYTES 32
#define pqcrystals_kyber1024_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
#define pqcrystals_kyber1024_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
#define pqcrystals_kyber1024_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_ref_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_ref_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
#define pqcrystals_kyber1024_ref_BYTES pqcrystals_kyber1024_BYTES
+int pqcrystals_kyber1024_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber1024_90s_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_ref_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c
index f0129aa046..4a8b4c894f 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c
@@ -1,5 +1,6 @@
#include
#include
+#include
#include "params.h"
#include "indcpa.h"
#include "polyvec.h"
@@ -23,10 +24,8 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
polyvec *pk,
const uint8_t seed[KYBER_SYMBYTES])
{
- size_t i;
polyvec_tobytes(r, pk);
- for(i=0;i
#include
+#include
#include "params.h"
#include "kem.h"
#include "indcpa.h"
#include "verify.h"
#include "symmetric.h"
#include "randombytes.h"
+/*************************************************
+* Name: crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+* for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments: - uint8_t *pk: pointer to output public key
+* (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+* - uint8_t *sk: pointer to output private key
+* (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+* - uint8_t *coins: pointer to input randomness
+* (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair_derand(uint8_t *pk,
+ uint8_t *sk,
+ const uint8_t *coins)
+{
+ indcpa_keypair_derand(pk, sk, coins);
+ memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+ hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+ /* Value z for pseudo-random output on reject */
+ memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+ return 0;
+}
/*************************************************
* Name: crypto_kem_keypair
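Review bot: In the new `crypto_kem_keypair_derand` header comment, the line reading `**` just before `Returns 0 (success)` is a stray second asterisk that breaks the block's column layout; it should be `*`. The comment could also say that the second half of `coins` becomes the implicit-rejection value `z` copied into `sk`, so the caller's `coins` buffer holds secret-key material, e.g. `* (an already allocated array filled with 2*KYBER_SYMBYTES random bytes; the second KYBER_SYMBYTES bytes become the secret value z)`. The file header for kem.c appears to have been lost in extraction, so this hunk's exact boundaries are uncertain.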
@@ -23,18 +50,14 @@
int crypto_kem_keypair(uint8_t *pk,
uint8_t *sk)
{
- size_t i;
- indcpa_keypair(pk, sk);
- for(i=0;i
#include "params.h"
-#ifdef KYBER_90S
-
-#include "aes256ctr.h"
-#include "sha2.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb)
-void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y);
-
-#define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf)
-void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce);
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED)
-#define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_release(STATE) aes256_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
#include "fips202.h"
typedef shake128incctx xof_state;
@@ -48,6 +18,9 @@ void kyber_shake128_absorb(shake128incctx *s,
#define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
+
#define XOF_BLOCKBYTES SHAKE128_RATE
#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
@@ -57,8 +30,6 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define xof_release(STATE) shake128_inc_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
#endif /* SYMMETRIC_H */
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/api.h b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/api.h
index 4ae94cbab7..a154e80f1d 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/api.h
@@ -6,70 +6,61 @@
#define pqcrystals_kyber512_SECRETKEYBYTES 1632
#define pqcrystals_kyber512_PUBLICKEYBYTES 800
#define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
#define pqcrystals_kyber512_BYTES 32
#define pqcrystals_kyber512_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
#define pqcrystals_kyber512_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
#define pqcrystals_kyber512_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_avx2_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_avx2_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
#define pqcrystals_kyber512_avx2_BYTES pqcrystals_kyber512_BYTES
+int pqcrystals_kyber512_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber512_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber512_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber512_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber512_90s_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_avx2_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber768_SECRETKEYBYTES 2400
#define pqcrystals_kyber768_PUBLICKEYBYTES 1184
#define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
#define pqcrystals_kyber768_BYTES 32
#define pqcrystals_kyber768_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
#define pqcrystals_kyber768_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
#define pqcrystals_kyber768_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_avx2_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_avx2_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
#define pqcrystals_kyber768_avx2_BYTES pqcrystals_kyber768_BYTES
+int pqcrystals_kyber768_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber768_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber768_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber768_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber768_90s_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_avx2_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber1024_SECRETKEYBYTES 3168
#define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
#define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
#define pqcrystals_kyber1024_BYTES 32
#define pqcrystals_kyber1024_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
#define pqcrystals_kyber1024_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
#define pqcrystals_kyber1024_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_avx2_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_avx2_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
#define pqcrystals_kyber1024_avx2_BYTES pqcrystals_kyber1024_BYTES
+int pqcrystals_kyber1024_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber1024_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber1024_90s_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_avx2_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c
index b88408631b..572ce49007 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c
@@ -169,44 +169,6 @@ static unsigned int rej_uniform(int16_t *r,
* - const uint8_t *seed: pointer to input seed
* - int transposed: boolean deciding whether A or A^T is generated
**************************************************/
-#ifdef KYBER_90S
-void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-{
- unsigned int ctr, i, j, k;
- unsigned int buflen, off;
- uint64_t nonce = 0;
- ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES) buf;
- aes256ctr_ctx state;
-
- aes256ctr_init_key(&state, seed);
-
- for(i=0;i> 24) & 0xFF);
}
- while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 12) {
+ while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 16) {
f = _mm_loadu_si128((__m128i *)&buf[pos]);
f = _mm_shuffle_epi8(f, _mm256_castsi256_si128(idx8));
t = _mm_srli_epi16(f, 4);
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric-shake.c b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric-shake.c
index 2317c06276..20f451882e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric-shake.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric-shake.c
@@ -49,3 +49,26 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
shake256(out, outlen, extkey, sizeof(extkey));
}
+
+/*************************************************
+* Name: kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+* and then generates outlen bytes of SHAKE256 output
+*
+* Arguments: - uint8_t *out: pointer to output
+* - size_t outlen: number of requested output bytes
+* - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+* - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
+{
+ shake256incctx s;
+
+ shake256_inc_init(&s);
+ shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+ shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+ shake256_inc_finalize(&s);
+ shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+ shake256_inc_ctx_release(&s);
+}
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric.h b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric.h
index 483eabc494..e4941f7a86 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric.h
@@ -5,31 +5,6 @@
#include
#include "params.h"
-#ifdef KYBER_90S
-
-#include "sha2.h"
-#include "aes256ctr.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) \
- aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8))
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
- aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
#include "fips202.h"
#include "fips202x4.h"
@@ -42,22 +17,18 @@ void kyber_shake128_absorb(shake128incctx *s,
uint8_t y);
#define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
-void kyber_shake256_prf(uint8_t *out,
- size_t outlen,
- const uint8_t key[KYBER_SYMBYTES],
- uint8_t nonce);
+void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
#define XOF_BLOCKBYTES SHAKE128_RATE
#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
#define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
- kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
#endif /* SYMMETRIC_H */
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h
index b34eab9705..70d40f3f3e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h
@@ -6,70 +6,61 @@
#define pqcrystals_kyber512_SECRETKEYBYTES 1632
#define pqcrystals_kyber512_PUBLICKEYBYTES 800
#define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
#define pqcrystals_kyber512_BYTES 32
#define pqcrystals_kyber512_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
#define pqcrystals_kyber512_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
#define pqcrystals_kyber512_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_ref_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_ref_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
#define pqcrystals_kyber512_ref_BYTES pqcrystals_kyber512_BYTES
+int pqcrystals_kyber512_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber512_90s_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_ref_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber768_SECRETKEYBYTES 2400
#define pqcrystals_kyber768_PUBLICKEYBYTES 1184
#define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
#define pqcrystals_kyber768_BYTES 32
#define pqcrystals_kyber768_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
#define pqcrystals_kyber768_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
#define pqcrystals_kyber768_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_ref_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_ref_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
#define pqcrystals_kyber768_ref_BYTES pqcrystals_kyber768_BYTES
+int pqcrystals_kyber768_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber768_90s_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_ref_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#define pqcrystals_kyber1024_SECRETKEYBYTES 3168
#define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
#define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
#define pqcrystals_kyber1024_BYTES 32
#define pqcrystals_kyber1024_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
#define pqcrystals_kyber1024_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
#define pqcrystals_kyber1024_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_ref_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_ref_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
#define pqcrystals_kyber1024_ref_BYTES pqcrystals_kyber1024_BYTES
+int pqcrystals_kyber1024_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#define pqcrystals_kyber1024_90s_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_ref_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
#endif
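Review bot: The new `_keypair_derand` and `_enc_derand` prototypes take `const uint8_t *coins` without saying how many bytes are read; the required lengths are the newly added `KEYPAIRCOINBYTES` (64) and `ENCCOINBYTES` (32), but a caller has to infer that pairing from the macro names. These entry points appear to be fully deterministic in `coins` (the kem.c hunk in this commit derives z directly from `coins+KYBER_SYMBYTES`), so reused or low-entropy coins reproduce the same key pair or ciphertext; the randomized `_keypair`/`_enc` wrappers remain the API normal callers should use. Suggest a comment above each group, e.g. `/* *_derand: deterministic variants; coins must hold KEYPAIRCOINBYTES (keypair) or ENCCOINBYTES (enc) bytes of fresh CSPRNG output - intended for KATs/testing */`. The same applies to the 768 and 1024 groups later in this hunk.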
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c
index f0129aa046..4a8b4c894f 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c
@@ -1,5 +1,6 @@
#include
#include
+#include
#include "params.h"
#include "indcpa.h"
#include "polyvec.h"
@@ -23,10 +24,8 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
polyvec *pk,
const uint8_t seed[KYBER_SYMBYTES])
{
- size_t i;
polyvec_tobytes(r, pk);
- for(i=0;i
#include
+#include
#include "params.h"
#include "kem.h"
#include "indcpa.h"
#include "verify.h"
#include "symmetric.h"
#include "randombytes.h"
+/*************************************************
+* Name: crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+* for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments: - uint8_t *pk: pointer to output public key
+* (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+* - uint8_t *sk: pointer to output private key
+* (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+* - uint8_t *coins: pointer to input randomness
+* (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair_derand(uint8_t *pk,
+ uint8_t *sk,
+ const uint8_t *coins)
+{
+ indcpa_keypair_derand(pk, sk, coins);
+ memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+ hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+ /* Value z for pseudo-random output on reject */
+ memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+ return 0;
+}
/*************************************************
* Name: crypto_kem_keypair
@@ -23,18 +50,14 @@
int crypto_kem_keypair(uint8_t *pk,
uint8_t *sk)
{
- size_t i;
- indcpa_keypair(pk, sk);
- for(i=0;i
#include "params.h"
-#ifdef KYBER_90S
-
-#include "aes256ctr.h"
-#include "sha2.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb)
-void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y);
-
-#define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf)
-void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce);
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED)
-#define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_release(STATE) aes256_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
#include "fips202.h"
typedef shake128incctx xof_state;
@@ -48,6 +18,9 @@ void kyber_shake128_absorb(shake128incctx *s,
#define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
+
#define XOF_BLOCKBYTES SHAKE128_RATE
#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
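Review bot: `kyber_shake256_rkprf` is declared with no comment on what it computes; its argument types (`key[KYBER_SYMBYTES]`, `input[KYBER_CIPHERTEXTBYTES]`, `out[KYBER_SSBYTES]`) together with the kem.c comment in this commit (`Value z for pseudo-random output on reject`) indicate it derives the implicit-rejection shared secret from z and the full ciphertext, replacing the `kdf` macro that the next hunk removes. A one-line comment above the prototype would save the next reader a trip into the .c file, e.g. `/* rkprf: rejection-case shared secret derived from z (key) and the full ciphertext; replaces the former kdf */`. Since `rkprf(OUT, KEY, INPUT)` in the next hunk is the name the KEM code actually uses, the comment could equally sit there.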
@@ -57,8 +30,6 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define xof_release(STATE) shake128_inc_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
#endif /* SYMMETRIC_H */
diff --git a/src/oqsconfig.h.cmake b/src/oqsconfig.h.cmake
index cb1aff0633..7165e0725c 100644
--- a/src/oqsconfig.h.cmake
+++ b/src/oqsconfig.h.cmake
@@ -102,24 +102,18 @@
#cmakedefine OQS_ENABLE_KEM_KYBER 1
#cmakedefine OQS_ENABLE_KEM_kyber_512 1
#cmakedefine OQS_ENABLE_KEM_kyber_512_avx2 1
-#cmakedefine OQS_ENABLE_KEM_kyber_512_aarch64 1
#cmakedefine OQS_ENABLE_KEM_kyber_768 1
#cmakedefine OQS_ENABLE_KEM_kyber_768_avx2 1
-#cmakedefine OQS_ENABLE_KEM_kyber_768_aarch64 1
#cmakedefine OQS_ENABLE_KEM_kyber_1024 1
#cmakedefine OQS_ENABLE_KEM_kyber_1024_avx2 1
-#cmakedefine OQS_ENABLE_KEM_kyber_1024_aarch64 1
#cmakedefine OQS_ENABLE_SIG_DILITHIUM 1
#cmakedefine OQS_ENABLE_SIG_dilithium_2 1
#cmakedefine OQS_ENABLE_SIG_dilithium_2_avx2 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_2_aarch64 1
#cmakedefine OQS_ENABLE_SIG_dilithium_3 1
#cmakedefine OQS_ENABLE_SIG_dilithium_3_avx2 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_3_aarch64 1
#cmakedefine OQS_ENABLE_SIG_dilithium_5 1
#cmakedefine OQS_ENABLE_SIG_dilithium_5_avx2 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_5_aarch64 1
#cmakedefine OQS_ENABLE_SIG_FALCON 1
#cmakedefine OQS_ENABLE_SIG_falcon_512 1
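Review bot: Dropping the `OQS_ENABLE_KEM_kyber_*_aarch64` and `OQS_ENABLE_SIG_dilithium_*_aarch64` cmakedefines changes the installed `oqsconfig.h`, so downstream code that `#ifdef`s on those names silently loses that path instead of failing to build. Nothing in this hunk records why the aarch64 variants were removed or whether the removal is temporary pending an updated port; that cannot be determined from this chunk. A short note in the release notes, or a comment here such as `/* aarch64 Kyber/Dilithium variants removed in this release; see CHANGES */`, would make the change discoverable to integrators.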
diff --git a/src/sig/dilithium/CMakeLists.txt b/src/sig/dilithium/CMakeLists.txt
index 2dff86f523..180d41650a 100644
--- a/src/sig/dilithium/CMakeLists.txt
+++ b/src/sig/dilithium/CMakeLists.txt
@@ -7,10 +7,10 @@ set(_DILITHIUM_OBJS "")
if(OQS_ENABLE_SIG_dilithium_2)
add_library(dilithium_2_ref OBJECT sig_dilithium_2.c pqcrystals-dilithium_dilithium2_ref/ntt.c pqcrystals-dilithium_dilithium2_ref/packing.c pqcrystals-dilithium_dilithium2_ref/poly.c pqcrystals-dilithium_dilithium2_ref/polyvec.c pqcrystals-dilithium_dilithium2_ref/reduce.c pqcrystals-dilithium_dilithium2_ref/rounding.c pqcrystals-dilithium_dilithium2_ref/sign.c pqcrystals-dilithium_dilithium2_ref/symmetric-shake.c)
- target_compile_options(dilithium_2_ref PUBLIC -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING)
+ target_compile_options(dilithium_2_ref PUBLIC -DDILITHIUM_MODE=2)
target_include_directories(dilithium_2_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium2_ref)
target_include_directories(dilithium_2_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_2_ref PUBLIC -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING)
+ target_compile_options(dilithium_2_ref PUBLIC -DDILITHIUM_MODE=2)
set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $)
endif()
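Review bot: Removing `-DDILITHIUM_RANDOMIZED_SIGNING` from the `target_compile_options` calls for `dilithium_2_ref` moves the hedged-vs-deterministic signing choice out of the build system; the avx2 `config.h` in this same commit now defines `DILITHIUM_RANDOMIZED_SIGNING` unconditionally, but the `pqcrystals-dilithium_dilithium2_ref/config.h` is not in this chunk, so confirm it carries the same define — otherwise the ref and avx2 objects of one algorithm would differ in whether signatures are randomized, which matters for fault and side-channel resistance. The same removal is repeated in the three following hunks (`dilithium_2_avx2`, `dilithium_3_*`, `dilithium_5_*`). A comment above the block, e.g. `# DILITHIUM_RANDOMIZED_SIGNING is selected in each implementation's config.h, not here`, would keep the next reader from re-adding the flag.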
@@ -19,24 +19,16 @@ if(OQS_ENABLE_SIG_dilithium_2_avx2)
target_include_directories(dilithium_2_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium2_avx2)
target_include_directories(dilithium_2_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
target_compile_options(dilithium_2_avx2 PRIVATE -mavx2 -mpopcnt)
- target_compile_options(dilithium_2_avx2 PUBLIC -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING)
+ target_compile_options(dilithium_2_avx2 PUBLIC -DDILITHIUM_MODE=2)
set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $)
endif()
-if(OQS_ENABLE_SIG_dilithium_2_aarch64)
- add_library(dilithium_2_aarch64 OBJECT pqclean_dilithium2_aarch64/__asm_iNTT.S pqclean_dilithium2_aarch64/__asm_NTT.S pqclean_dilithium2_aarch64/__asm_poly.S pqclean_dilithium2_aarch64/feat.S pqclean_dilithium2_aarch64/fips202x2.c pqclean_dilithium2_aarch64/ntt.c pqclean_dilithium2_aarch64/packing.c pqclean_dilithium2_aarch64/poly.c pqclean_dilithium2_aarch64/polyvec.c pqclean_dilithium2_aarch64/reduce.c pqclean_dilithium2_aarch64/rounding.c pqclean_dilithium2_aarch64/sign.c pqclean_dilithium2_aarch64/symmetric-shake.c)
- target_include_directories(dilithium_2_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqclean_dilithium2_aarch64)
- target_include_directories(dilithium_2_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_2_aarch64 PRIVATE)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $)
-endif()
-
if(OQS_ENABLE_SIG_dilithium_3)
add_library(dilithium_3_ref OBJECT sig_dilithium_3.c pqcrystals-dilithium_dilithium3_ref/ntt.c pqcrystals-dilithium_dilithium3_ref/packing.c pqcrystals-dilithium_dilithium3_ref/poly.c pqcrystals-dilithium_dilithium3_ref/polyvec.c pqcrystals-dilithium_dilithium3_ref/reduce.c pqcrystals-dilithium_dilithium3_ref/rounding.c pqcrystals-dilithium_dilithium3_ref/sign.c pqcrystals-dilithium_dilithium3_ref/symmetric-shake.c)
- target_compile_options(dilithium_3_ref PUBLIC -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING)
+ target_compile_options(dilithium_3_ref PUBLIC -DDILITHIUM_MODE=3)
target_include_directories(dilithium_3_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium3_ref)
target_include_directories(dilithium_3_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_3_ref PUBLIC -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING)
+ target_compile_options(dilithium_3_ref PUBLIC -DDILITHIUM_MODE=3)
set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $)
endif()
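Review bot: `target_compile_options(dilithium_3_ref PUBLIC -DDILITHIUM_MODE=3)` is applied twice to the same target in this hunk, and the commit updates both copies rather than deleting one; the same duplicate pair exists for `dilithium_2_ref` in the previous hunk and `dilithium_5_ref` in the next. Because the flag is a preprocessor definition, a single `target_compile_definitions(dilithium_3_ref PUBLIC DILITHIUM_MODE=3)` placed before the `target_include_directories` lines should replace both, which also lets CMake treat it as a definition rather than an opaque compiler option.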
@@ -45,24 +37,16 @@ if(OQS_ENABLE_SIG_dilithium_3_avx2)
target_include_directories(dilithium_3_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium3_avx2)
target_include_directories(dilithium_3_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
target_compile_options(dilithium_3_avx2 PRIVATE -mavx2 -mpopcnt)
- target_compile_options(dilithium_3_avx2 PUBLIC -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING)
+ target_compile_options(dilithium_3_avx2 PUBLIC -DDILITHIUM_MODE=3)
set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $)
endif()
-if(OQS_ENABLE_SIG_dilithium_3_aarch64)
- add_library(dilithium_3_aarch64 OBJECT pqclean_dilithium3_aarch64/__asm_iNTT.S pqclean_dilithium3_aarch64/__asm_NTT.S pqclean_dilithium3_aarch64/__asm_poly.S pqclean_dilithium3_aarch64/feat.S pqclean_dilithium3_aarch64/fips202x2.c pqclean_dilithium3_aarch64/ntt.c pqclean_dilithium3_aarch64/packing.c pqclean_dilithium3_aarch64/poly.c pqclean_dilithium3_aarch64/polyvec.c pqclean_dilithium3_aarch64/reduce.c pqclean_dilithium3_aarch64/rounding.c pqclean_dilithium3_aarch64/sign.c pqclean_dilithium3_aarch64/symmetric-shake.c)
- target_include_directories(dilithium_3_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqclean_dilithium3_aarch64)
- target_include_directories(dilithium_3_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_3_aarch64 PRIVATE)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $)
-endif()
-
if(OQS_ENABLE_SIG_dilithium_5)
add_library(dilithium_5_ref OBJECT sig_dilithium_5.c pqcrystals-dilithium_dilithium5_ref/ntt.c pqcrystals-dilithium_dilithium5_ref/packing.c pqcrystals-dilithium_dilithium5_ref/poly.c pqcrystals-dilithium_dilithium5_ref/polyvec.c pqcrystals-dilithium_dilithium5_ref/reduce.c pqcrystals-dilithium_dilithium5_ref/rounding.c pqcrystals-dilithium_dilithium5_ref/sign.c pqcrystals-dilithium_dilithium5_ref/symmetric-shake.c)
- target_compile_options(dilithium_5_ref PUBLIC -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING)
+ target_compile_options(dilithium_5_ref PUBLIC -DDILITHIUM_MODE=5)
target_include_directories(dilithium_5_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium5_ref)
target_include_directories(dilithium_5_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_5_ref PUBLIC -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING)
+ target_compile_options(dilithium_5_ref PUBLIC -DDILITHIUM_MODE=5)
set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $)
endif()
@@ -71,16 +55,8 @@ if(OQS_ENABLE_SIG_dilithium_5_avx2)
target_include_directories(dilithium_5_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium5_avx2)
target_include_directories(dilithium_5_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
target_compile_options(dilithium_5_avx2 PRIVATE -mavx2 -mpopcnt)
- target_compile_options(dilithium_5_avx2 PUBLIC -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING)
+ target_compile_options(dilithium_5_avx2 PUBLIC -DDILITHIUM_MODE=5)
set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $)
endif()
-if(OQS_ENABLE_SIG_dilithium_5_aarch64)
- add_library(dilithium_5_aarch64 OBJECT pqclean_dilithium5_aarch64/__asm_iNTT.S pqclean_dilithium5_aarch64/__asm_NTT.S pqclean_dilithium5_aarch64/__asm_poly.S pqclean_dilithium5_aarch64/feat.S pqclean_dilithium5_aarch64/fips202x2.c pqclean_dilithium5_aarch64/ntt.c pqclean_dilithium5_aarch64/packing.c pqclean_dilithium5_aarch64/poly.c pqclean_dilithium5_aarch64/polyvec.c pqclean_dilithium5_aarch64/reduce.c pqclean_dilithium5_aarch64/rounding.c pqclean_dilithium5_aarch64/sign.c pqclean_dilithium5_aarch64/symmetric-shake.c)
- target_include_directories(dilithium_5_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqclean_dilithium5_aarch64)
- target_include_directories(dilithium_5_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_5_aarch64 PRIVATE)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $)
-endif()
-
set(DILITHIUM_OBJS ${_DILITHIUM_OBJS} PARENT_SCOPE)
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/api.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/api.h
index d64709d676..55b637669d 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/api.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/api.h
@@ -5,7 +5,7 @@
#include
#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
+#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
#define pqcrystals_dilithium2_BYTES 2420
#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
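Review bot: `pqcrystals_dilithium2_SECRETKEYBYTES` grows from 2528 to 2560 here, and `SECRETKEYBYTES`/`BYTES` for dilithium3 and dilithium5 change in the two following hunks, so secret keys and signatures produced by the previous build are no longer parsable by this one, and the header does not say so. The new values agree with this commit's params.h changes (one `SEEDBYTES` in `CRYPTO_SECRETKEYBYTES` replaced by `TRBYTES` 64, `CTILDEBYTES` in `CRYPTO_BYTES`), which appears to be the Dilithium 3.1 parameter update, but the liboqs wrapper constants and KAT files that mirror these numbers are outside this chunk and must be updated in lockstep. A header comment such as `/* Sizes follow the updated Dilithium parameters (TRBYTES 64, per-mode CTILDEBYTES); keys and signatures are not interchangeable with earlier releases. */` would record the format break.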
@@ -30,31 +30,10 @@ int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium2aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_SECRETKEYBYTES pqcrystals_dilithium2_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_BYTES pqcrystals_dilithium2_avx2_BYTES
-
-int pqcrystals_dilithium2aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
+#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
+#define pqcrystals_dilithium3_BYTES 3309
#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
@@ -78,31 +57,10 @@ int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium3aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_SECRETKEYBYTES pqcrystals_dilithium3_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_BYTES pqcrystals_dilithium3_avx2_BYTES
-
-int pqcrystals_dilithium3aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
+#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
+#define pqcrystals_dilithium5_BYTES 4627
#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
@@ -126,27 +84,5 @@ int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium5aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_SECRETKEYBYTES pqcrystals_dilithium5_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_BYTES pqcrystals_dilithium5_avx2_BYTES
-
-int pqcrystals_dilithium5aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/config.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/config.h
index d4a511cea5..a9facc0038 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/config.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/config.h
@@ -2,8 +2,7 @@
#define CONFIG_H
//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
+#define DILITHIUM_RANDOMIZED_SIGNING
//#define USE_RDPMC
//#define DBENCH
@@ -11,21 +10,6 @@
#define DILITHIUM_MODE 2
#endif
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_avx2_##s
-#endif
-#else
#if DILITHIUM_MODE == 2
#define CRYPTO_ALGNAME "Dilithium2"
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2
@@ -39,6 +23,5 @@
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2
#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s
#endif
-#endif
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/packing.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/packing.c
index 9de5826cde..039a686da3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/packing.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/packing.c
@@ -64,7 +64,7 @@ void unpack_pk(uint8_t rho[SEEDBYTES],
**************************************************/
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
@@ -80,9 +80,9 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
sk[i] = key[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
sk[i] = tr[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i = 0; i < L; ++i)
polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -110,7 +110,7 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
* - uint8_t sk[]: byte array containing bit-packed sk
**************************************************/
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -127,9 +127,9 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
key[i] = sk[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
tr[i] = sk[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i=0; i < L; ++i)
polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
@@ -154,15 +154,15 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
* - const polyveck *h: pointer to hint vector h
**************************************************/
void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
+ const uint8_t c[CTILDEBYTES],
const polyvecl *z,
const polyveck *h)
{
unsigned int i, j, k;
- for(i=0; i < SEEDBYTES; ++i)
+ for(i=0; i < CTILDEBYTES; ++i)
sig[i] = c[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
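Review bot: The argument-list comment above `pack_sig` (its top is outside this hunk) and the one above `unpack_sig` in the next hunk describe `c` as the challenge hash; if they still give its length as SEEDBYTES, that is now stale, since the parameter and the copy loop use `CTILDEBYTES`. Suggest `*              - const uint8_t c[]: pointer to challenge hash of length CTILDEBYTES` for both. The `tr` entries in the `pack_sk`/`unpack_sk` comments earlier in this file should likewise read `TRBYTES` rather than `SEEDBYTES`.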
@@ -195,16 +195,16 @@ void pack_sig(uint8_t sig[CRYPTO_BYTES],
*
* Returns 1 in case of malformed signature; otherwise 0.
**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
+int unpack_sig(uint8_t c[CTILDEBYTES],
polyvecl *z,
polyveck *h,
const uint8_t sig[CRYPTO_BYTES])
{
unsigned int i, j, k;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
c[i] = sig[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/packing.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/packing.h
index 7c7cb6f4c2..8e47728ce3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/packing.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/packing.h
@@ -11,21 +11,21 @@ void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], co
#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
const polyveck *s2);
#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
+void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -33,6 +33,6 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
+int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/params.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/params.h
index 63b02e2db4..1e8a7b505b 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/params.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/params.h
@@ -5,6 +5,8 @@
#define SEEDBYTES 32
#define CRHBYTES 64
+#define TRBYTES 64
+#define RNDBYTES 32
#define N 256
#define Q 8380417
#define D 13
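Review bot: `TRBYTES` and `RNDBYTES` are added without a comment, and nothing in this chunk uses `RNDBYTES`, so its role is invisible to a reader of params.h. From the packing.c changes in this commit, `TRBYTES` is the length of `tr` stored in the secret key, and `CTILDEBYTES` (added per mode in the next three hunks as 32, 48 and 64) is the challenge-hash length in the signature; `RNDBYTES` is presumably the per-signature randomness consumed under `DILITHIUM_RANDOMIZED_SIGNING` — confirm against sign.c. Suggest `#define TRBYTES 64   /* length of tr kept in sk (see pack_sk) */` and `#define RNDBYTES 32  /* per-signature randomness for randomized signing */`, and a matching `/* challenge hash length */` on each `CTILDEBYTES` line.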
@@ -19,6 +21,7 @@
#define GAMMA1 (1 << 17)
#define GAMMA2 ((Q-1)/88)
#define OMEGA 80
+#define CTILDEBYTES 32
#elif DILITHIUM_MODE == 3
#define K 6
@@ -29,6 +32,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 55
+#define CTILDEBYTES 48
#elif DILITHIUM_MODE == 5
#define K 8
@@ -39,6 +43,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 75
+#define CTILDEBYTES 64
#endif
@@ -65,10 +70,11 @@
#endif
#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
+#define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+ + TRBYTES \
+ L*POLYETA_PACKEDBYTES \
+ K*POLYETA_PACKEDBYTES \
+ K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
+#define CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/poly.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/poly.c
index f1e28e985e..25d36828ad 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/poly.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/poly.c
@@ -9,9 +9,7 @@
#include "rejsample.h"
#include "consts.h"
#include "symmetric.h"
-#ifndef DILITHIUM_USE_AES
#include "fips202x4.h"
-#endif
#ifdef DBENCH
#include "test/cpucycles.h"
@@ -376,7 +374,7 @@ static unsigned int rej_uniform(int32_t *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* output stream of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
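Review bot: The rewritten description line `* output stream of SHAKE256(seed|nonce)` above `poly_uniform` still names SHAKE256, while the function body releases a `stream128` state (context line `stream128_release(&state);` in the next hunk), which suggests the stream is actually SHAKE128; with the AES alternative gone this is the moment to make the comment exact, e.g. `* output stream of SHAKE128(seed|nonce).` (restoring the trailing period the edit dropped). The same trailing period is lost in the `poly_uniform_gamma1` description further down this file. `poly_uniform`'s body lies outside this hunk.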
@@ -406,7 +404,6 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
stream128_release(&state);
}
-#ifndef DILITHIUM_USE_AES
void poly_uniform_4x(poly *a0,
poly *a1,
poly *a2,
@@ -456,7 +453,6 @@ void poly_uniform_4x(poly *a0,
}
shake128x4_inc_ctx_release(&state);
}
-#endif
/*************************************************
* Name: rej_eta
@@ -513,7 +509,6 @@ static unsigned int rej_eta(int32_t *a,
* Description: Sample polynomial with uniformly random coefficients
* in [-ETA,ETA] by performing rejection sampling using the
* output stream of SHAKE256(seed|nonce)
-* or AES256CTR(seed,nonce).
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
@@ -541,7 +536,6 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
stream256_release(&state);
}
-#ifndef DILITHIUM_USE_AES
void poly_uniform_eta_4x(poly *a0,
poly *a1,
poly *a2,
@@ -597,14 +591,13 @@ void poly_uniform_eta_4x(poly *a0,
}
shake256x4_inc_ctx_release(&state);
}
-#endif
/*************************************************
* Name: poly_uniform_gamma1
*
* Description: Sample polynomial with uniformly random coefficients
* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
@@ -627,7 +620,6 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
stream256_release(&state);
}
-#ifndef DILITHIUM_USE_AES
void poly_uniform_gamma1_4x(poly *a0,
poly *a1,
poly *a2,
@@ -672,7 +664,6 @@ void poly_uniform_gamma1_4x(poly *a0,
polyz_unpack(a2, buf[2].coeffs);
polyz_unpack(a3, buf[3].coeffs);
}
-#endif
/*************************************************
* Name: challenge
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/poly.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/poly.h
index ce22726d92..7bcd8e5e03 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/poly.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/poly.h
@@ -55,7 +55,6 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-#ifndef DILITHIUM_USE_AES
#define poly_uniform_4x DILITHIUM_NAMESPACE(poly_uniform_4x)
void poly_uniform_4x(poly *a0,
poly *a1,
@@ -86,7 +85,6 @@ void poly_uniform_gamma1_4x(poly *a0,
uint16_t nonce1,
uint16_t nonce2,
uint16_t nonce3);
-#endif
#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
void polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *a);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/polyvec.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/polyvec.c
index ba3639d938..6e2302168e 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/polyvec.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/polyvec.c
@@ -4,9 +4,6 @@
#include "poly.h"
#include "ntt.h"
#include "consts.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
/*************************************************
* Name: expand_mat
@@ -14,31 +11,12 @@
* Description: Implementation of ExpandA. Generates matrix A with uniformly
* random coefficients a_{i,j} by performing rejection
* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
*
* Arguments: - polyvecl mat[K]: output matrix
* - const uint8_t rho[]: byte array containing seed rho
**************************************************/
-#ifdef DILITHIUM_USE_AES
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
- uint64_t nonce;
- aes256ctr_ctx state;
-
- aes256ctr_init_u64(&state, rho, 0);
-
- for(i = 0; i < K; i++) {
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&state, nonce);
- poly_uniform_preinit(&mat[i].vec[j], &state);
- poly_nttunpack(&mat[i].vec[j]);
- }
- }
- aes256_ctx_release(&state);
-}
-#elif K == 4 && L == 4
+#if K == 4 && L == 4
void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
polyvec_matrix_expand_row0(&mat[0], NULL, rho);
polyvec_matrix_expand_row1(&mat[1], NULL, rho);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/polyvec.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/polyvec.h
index 845b46afe3..1b6dc87ac6 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/polyvec.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/polyvec.h
@@ -82,7 +82,6 @@ void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-#ifndef DILITHIUM_USE_AES
#define polyvec_matrix_expand_row0 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row0)
void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
#define polyvec_matrix_expand_row1 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row1)
@@ -99,7 +98,6 @@ void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rh
void polyvec_matrix_expand_row6(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
#define polyvec_matrix_expand_row7 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row7)
void polyvec_matrix_expand_row7(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#endif
#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/rejsample.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/rejsample.c
index 54e4ca5f6d..8b1dde4440 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/rejsample.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/rejsample.c
@@ -291,12 +291,9 @@ unsigned int rej_uniform_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM
_mm256_storeu_si256((__m256i *)&r[ctr], d);
ctr += _mm_popcnt_u32(good);
-#ifndef DILITHIUM_USE_AES
if(ctr > N - 8) break;
-#endif
}
-#ifndef DILITHIUM_USE_AES
uint32_t t;
while(ctr < N && pos <= REJ_UNIFORM_BUFLEN - 3) {
t = buf[pos++];
@@ -307,7 +304,6 @@ unsigned int rej_uniform_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM
if(t < Q)
r[ctr++] = t;
}
-#endif
return ctr;
}
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/sign.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/sign.c
index 448cdd17de..a39f8515c4 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/sign.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/sign.c
@@ -9,11 +9,7 @@
#include "randombytes.h"
#include "symmetric.h"
#include "fips202.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
-#ifndef DILITHIUM_USE_AES
static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], const uint8_t rho[SEEDBYTES], unsigned int i) {
switch(i) {
case 0:
@@ -54,7 +50,6 @@ static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], co
#endif
}
}
-#endif
/*************************************************
* Name: crypto_sign_keypair
@@ -72,13 +67,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
unsigned int i;
uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
const uint8_t *rho, *rhoprime, *key;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
polyvecl rowbuf[2];
-#endif
polyvecl s1, *row = rowbuf;
polyveck s2;
poly t1, t0;
@@ -96,20 +85,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
memcpy(sk + SEEDBYTES, key, SEEDBYTES);
/* Sample short vectors s1 and s2 */
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
- for(i = 0; i < L; ++i) {
- nonce = i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s1.vec[i], &aesctx);
- }
- for(i = 0; i < K; ++i) {
- nonce = L + i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s2.vec[i], &aesctx);
- }
- aes256_ctx_release(&aesctx);
-#elif K == 4 && L == 4
+#if K == 4 && L == 4
poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
poly_uniform_eta_4x(&s2.vec[0], &s2.vec[1], &s2.vec[2], &s2.vec[3], rhoprime, 4, 5, 6, 7);
#elif K == 6 && L == 5
@@ -127,29 +103,16 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
/* Pack secret vectors */
for(i = 0; i < L; i++)
- polyeta_pack(sk + 3*SEEDBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);
+ polyeta_pack(sk + 2*SEEDBYTES + TRBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);
for(i = 0; i < K; i++)
- polyeta_pack(sk + 3*SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
+ polyeta_pack(sk + 2*SEEDBYTES + TRBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
/* Transform s1 */
polyvecl_ntt(&s1);
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rho, 0);
-#endif
-
for(i = 0; i < K; i++) {
/* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(unsigned int j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
polyvec_matrix_expand_row(&row, rowbuf, rho, i);
-#endif
/* Compute inner-product */
polyvecl_pointwise_acc_montgomery(&t1, row, &s1);
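Review bot: The secret-key offset `sk + 2*SEEDBYTES + TRBYTES` is now spelled out three times (for s1 and s2 here, and for t0 in the next hunk at line 3531) and must stay in step with the `shake256(sk + 2*SEEDBYTES, TRBYTES, ...)` that writes tr later in the function. Computing it once, `uint8_t *skp = sk + 2*SEEDBYTES + TRBYTES;` and then `polyeta_pack(skp + i*POLYETA_PACKEDBYTES, &s1.vec[i]);`, keeps the rho|key|tr|s1|s2|t0 layout in one place, and a comment naming that layout at the declaration would help since the packing order is otherwise only visible in the ref pack_sk. crypto_sign_keypair starts and ends outside this hunk.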
@@ -162,15 +125,11 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
poly_caddq(&t1);
poly_power2round(&t1, &t0, &t1);
polyt1_pack(pk + SEEDBYTES + i*POLYT1_PACKEDBYTES, &t1);
- polyt0_pack(sk + 3*SEEDBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
+ polyt0_pack(sk + 2*SEEDBYTES + TRBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
}
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
/* Compute H(rho, t1) and store in secret key */
- shake256(sk + 2*SEEDBYTES, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(sk + 2*SEEDBYTES, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
return 0;
}
@@ -190,10 +149,10 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
**************************************************/
int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
unsigned int i, n, pos;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
+ uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES];
+ uint8_t *rho, *tr, *key, *rnd, *mu, *rhoprime;
uint8_t hintbuf[N];
- uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
+ uint8_t *hint = sig + CTILDEBYTES + L*POLYZ_PACKEDBYTES;
uint64_t nonce = 0;
polyvecl mat[K], s1, z;
polyveck t0, s2, w1;
@@ -206,23 +165,25 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
rho = seedbuf;
tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
+ key = tr + TRBYTES;
+ rnd = key + SEEDBYTES;
+ mu = rnd + RNDBYTES;
rhoprime = mu + CRHBYTES;
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
/* Compute CRH(tr, msg) */
shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
+ shake256_inc_absorb(&state, tr, TRBYTES);
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(mu, CRHBYTES, &state);
#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
+ randombytes(rnd, RNDBYTES);
#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
+ memset(rnd, 0, RNDBYTES);
#endif
+ shake256(rhoprime, CRHBYTES, key, SEEDBYTES + RNDBYTES + CRHBYTES);
/* Expand matrix and transform vectors */
polyvec_matrix_expand(mat, rho);
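Review bot: The single `shake256(rhoprime, CRHBYTES, key, SEEDBYTES + RNDBYTES + CRHBYTES)` reads key, rnd and mu as one contiguous input, which holds only because the pointer setup above places `rnd = key + SEEDBYTES` and `mu = rnd + RNDBYTES` inside `seedbuf`; that layout dependency should be stated at the call site, e.g. `/* rhoprime = H(key || rnd || mu); key, rnd, mu are adjacent in seedbuf */`. The `memset(rnd, 0, RNDBYTES)` branch is the deterministic variant, so the same comment should say that an all-zero rnd is intentional rather than an uninitialised buffer. The ref sign.c carries the same construction in its hunk at line 4120, which is cut off in this view, and crypto_sign_signature continues outside this hunk.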
@@ -230,20 +191,9 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
polyveck_ntt(&s2);
polyveck_ntt(&t0);
-#ifdef DILITHIUM_USE_AES
- aes256ctr_ctx aesctx;
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
-#endif
-
rej:
/* Sample intermediate vector y */
-#ifdef DILITHIUM_USE_AES
- for(i = 0; i < L; ++i) {
- aes256ctr_init_iv_u64(&aesctx, nonce);
- nonce++;
- poly_uniform_gamma1_preinit(&z.vec[i], &aesctx);
- }
-#elif L == 4
+#if L == 4
poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
nonce += 4;
@@ -277,7 +227,7 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
shake256_inc_absorb(&state, mu, CRHBYTES);
shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
+ shake256_inc_squeeze(sig, CTILDEBYTES, &state);
poly_challenge(&c, sig);
poly_ntt(&c);
@@ -322,14 +272,10 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
hint[OMEGA + i] = pos = pos + n;
}
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
shake256_inc_ctx_release(&state);
/* Pack z into signature */
for(i = 0; i < L; i++)
- polyz_pack(sig + SEEDBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
+ polyz_pack(sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
*siglen = CRYPTO_BYTES;
return 0;
@@ -379,14 +325,8 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
/* polyw1_pack writes additional 14 bytes */
ALIGNED_UINT8(K*POLYW1_PACKEDBYTES+14) buf;
uint8_t mu[CRHBYTES];
- const uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
+ const uint8_t *hint = sig + CTILDEBYTES + L*POLYZ_PACKEDBYTES;
polyvecl rowbuf[2];
-#endif
polyvecl *row = rowbuf;
polyvecl z;
poly c, w1, h;
@@ -396,9 +336,9 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
return -1;
/* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);
shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
+ shake256_inc_absorb(&state, mu, CRHBYTES);
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(mu, CRHBYTES, &state);
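Review bot: The first `shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES)` recomputes tr, which crypto_sign_keypair writes with length TRBYTES and which the signer absorbs as `shake256_inc_absorb(&state, tr, TRBYTES)`, so signer and verifier agree only because params.h happens to define TRBYTES and CRHBYTES both as 64. Using the tr length on both lines, `shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);` and `shake256_inc_absorb(&state, mu, TRBYTES);`, ties verification to the same constant the signer uses. Because `mu` is declared with size CRHBYTES, the reuse of that buffer as scratch for tr should carry a comment such as `/* mu reused as scratch for tr; requires TRBYTES <= CRHBYTES */` or a static assertion. crypto_sign_verify begins and ends outside this hunk.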
@@ -410,26 +350,13 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
/* Unpack z; shortness follows from unpacking */
for(i = 0; i < L; i++) {
- polyz_unpack(&z.vec[i], sig + SEEDBYTES + i*POLYZ_PACKEDBYTES);
+ polyz_unpack(&z.vec[i], sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES);
poly_ntt(&z.vec[i]);
}
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, pk, 0);
-#endif
-
for(i = 0; i < K; i++) {
/* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
polyvec_matrix_expand_row(&row, rowbuf, pk, i);
-#endif
/* Compute i-th row of Az - c2^Dt1 */
polyvecl_pointwise_acc_montgomery(&w1, row, &z);
@@ -445,21 +372,12 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
/* Get hint polynomial and reconstruct w1 */
memset(h.vec, 0, sizeof(poly));
- if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
+ if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA)
return -1;
- }
for(j = pos; j < hint[OMEGA + i]; ++j) {
/* Coefficients are ordered for strong unforgeability */
- if(j > pos && hint[j] <= hint[j-1]) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
- return -1;
- }
+ if(j > pos && hint[j] <= hint[j-1]) return -1;
h.coeffs[hint[j]] = 1;
}
pos = hint[OMEGA + i];
@@ -469,10 +387,6 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
polyw1_pack(buf.coeffs + i*POLYW1_PACKEDBYTES, &w1);
}
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
/* Extra indices are zero for strong unforgeability */
for(j = pos; j < OMEGA; ++j)
if(hint[j]) return -1;
@@ -482,9 +396,9 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
shake256_inc_absorb(&state, mu, CRHBYTES);
shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state);
+ shake256_inc_squeeze(buf.coeffs, CTILDEBYTES, &state);
shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
if(buf.coeffs[i] != sig[i])
return -1;
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/symmetric.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/symmetric.h
index be160c5176..fa49963ae3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/symmetric.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_avx2/symmetric.h
@@ -4,26 +4,6 @@
#include
#include "params.h"
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) aes256_ctx_release(STATE)
-
-#else
-
#include "fips202.h"
typedef shake128incctx stream128_state;
@@ -46,5 +26,3 @@ void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CR
#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
#endif
-
-#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/api.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/api.h
index ceeef106dc..78caa5c728 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/api.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/api.h
@@ -5,7 +5,7 @@
#include
#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
+#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
#define pqcrystals_dilithium2_BYTES 2420
#define pqcrystals_dilithium2_ref_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
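Review bot: The literal `2560` here, and `4032`/`3309` and `4896`/`4627` in the later hunks of this file, duplicate what params.h derives as `CRYPTO_SECRETKEYBYTES` from `2*SEEDBYTES + TRBYTES + ...` and `CRYPTO_BYTES` from `CTILDEBYTES + ...`, with nothing in the diff tying the two together. A `_Static_assert(CRYPTO_SECRETKEYBYTES == pqcrystals_dilithium2_SECRETKEYBYTES, "api.h out of sync with params.h");` in a translation unit that sees both headers (guarded on the active DILITHIUM_MODE) would catch the next parameter change at compile time; whether such a check already exists elsewhere in the tree is not visible here. The same applies to the dilithium3_avx2 api.h hunk at line 4188.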
@@ -30,31 +30,10 @@ int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium2aes_ref_PUBLICKEYBYTES pqcrystals_dilithium2_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_ref_SECRETKEYBYTES pqcrystals_dilithium2_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_ref_BYTES pqcrystals_dilithium2_ref_BYTES
-
-int pqcrystals_dilithium2aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
+#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
+#define pqcrystals_dilithium3_BYTES 3309
#define pqcrystals_dilithium3_ref_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
#define pqcrystals_dilithium3_ref_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
@@ -78,31 +57,10 @@ int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium3aes_ref_PUBLICKEYBYTES pqcrystals_dilithium3_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_ref_SECRETKEYBYTES pqcrystals_dilithium3_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_ref_BYTES pqcrystals_dilithium3_ref_BYTES
-
-int pqcrystals_dilithium3aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
+#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
+#define pqcrystals_dilithium5_BYTES 4627
#define pqcrystals_dilithium5_ref_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
#define pqcrystals_dilithium5_ref_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
@@ -126,27 +84,5 @@ int pqcrystals_dilithium5_ref_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium5aes_ref_PUBLICKEYBYTES pqcrystals_dilithium5_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_ref_SECRETKEYBYTES pqcrystals_dilithium5_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_ref_BYTES pqcrystals_dilithium5_ref_BYTES
-
-int pqcrystals_dilithium5aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/config.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/config.h
index 14b08e0f06..98b8ccb11d 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/config.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/config.h
@@ -2,8 +2,7 @@
#define CONFIG_H
//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
+#define DILITHIUM_RANDOMIZED_SIGNING
//#define USE_RDPMC
//#define DBENCH
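Review bot: Uncommenting `#define DILITHIUM_RANDOMIZED_SIGNING` switches this build from deterministic to randomized signing without a comment saying why, and the change affects callers: signatures over the same message are no longer reproducible, deterministic test vectors no longer apply, and the quality of `randombytes()` becomes part of the security argument for each signature. A short comment above the define, e.g. `/* hedged signing: rnd comes from randombytes() and is mixed into rhoprime; undefine for the deterministic variant (rnd = 0) */`, would record the intent. Whether the other vendored config.h copies received the same change is not visible in this hunk.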
@@ -11,21 +10,6 @@
#define DILITHIUM_MODE 2
#endif
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_ref_##s
-#endif
-#else
#if DILITHIUM_MODE == 2
#define CRYPTO_ALGNAME "Dilithium2"
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref
@@ -39,6 +23,5 @@
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref
#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s
#endif
-#endif
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/packing.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/packing.c
index 9de5826cde..039a686da3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/packing.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/packing.c
@@ -64,7 +64,7 @@ void unpack_pk(uint8_t rho[SEEDBYTES],
**************************************************/
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
@@ -80,9 +80,9 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
sk[i] = key[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
sk[i] = tr[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i = 0; i < L; ++i)
polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -110,7 +110,7 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
* - uint8_t sk[]: byte array containing bit-packed sk
**************************************************/
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -127,9 +127,9 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
key[i] = sk[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
tr[i] = sk[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i=0; i < L; ++i)
polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
@@ -154,15 +154,15 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
* - const polyveck *h: pointer to hint vector h
**************************************************/
void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
+ const uint8_t c[CTILDEBYTES],
const polyvecl *z,
const polyveck *h)
{
unsigned int i, j, k;
- for(i=0; i < SEEDBYTES; ++i)
+ for(i=0; i < CTILDEBYTES; ++i)
sig[i] = c[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
@@ -195,16 +195,16 @@ void pack_sig(uint8_t sig[CRYPTO_BYTES],
*
* Returns 1 in case of malformed signature; otherwise 0.
**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
+int unpack_sig(uint8_t c[CTILDEBYTES],
polyvecl *z,
polyveck *h,
const uint8_t sig[CRYPTO_BYTES])
{
unsigned int i, j, k;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
c[i] = sig[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/packing.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/packing.h
index 7c7cb6f4c2..8e47728ce3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/packing.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/packing.h
@@ -11,21 +11,21 @@ void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], co
#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
const polyveck *s2);
#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
+void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -33,6 +33,6 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
+int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/params.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/params.h
index 63b02e2db4..1e8a7b505b 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/params.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/params.h
@@ -5,6 +5,8 @@
#define SEEDBYTES 32
#define CRHBYTES 64
+#define TRBYTES 64
+#define RNDBYTES 32
#define N 256
#define Q 8380417
#define D 13
@@ -19,6 +21,7 @@
#define GAMMA1 (1 << 17)
#define GAMMA2 ((Q-1)/88)
#define OMEGA 80
+#define CTILDEBYTES 32
#elif DILITHIUM_MODE == 3
#define K 6
@@ -29,6 +32,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 55
+#define CTILDEBYTES 48
#elif DILITHIUM_MODE == 5
#define K 8
@@ -39,6 +43,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 75
+#define CTILDEBYTES 64
#endif
@@ -65,10 +70,11 @@
#endif
#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
+#define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+ + TRBYTES \
+ L*POLYETA_PACKEDBYTES \
+ K*POLYETA_PACKEDBYTES \
+ K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
+#define CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/poly.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/poly.c
index 006e83c93d..d44063fee8 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/poly.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/poly.c
@@ -335,7 +335,7 @@ static unsigned int rej_uniform(int32_t *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* output stream of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
@@ -422,7 +422,7 @@ static unsigned int rej_eta(int32_t *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [-ETA,ETA] by performing rejection sampling on the
-* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* output stream from SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
@@ -459,7 +459,7 @@ void poly_uniform_eta(poly *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/polyvec.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/polyvec.c
index c4e9037ab7..40032b656b 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/polyvec.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/polyvec.c
@@ -9,7 +9,6 @@
* Description: Implementation of ExpandA. Generates matrix A with uniformly
* random coefficients a_{i,j} by performing rejection
* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
*
* Arguments: - polyvecl mat[K]: output matrix
* - const uint8_t rho[]: byte array containing seed rho
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/sign.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/sign.c
index 16333eb84d..9298ad2177 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/sign.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium2_ref/sign.c
@@ -22,7 +22,7 @@
**************************************************/
int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
- uint8_t tr[SEEDBYTES];
+ uint8_t tr[TRBYTES];
const uint8_t *rho, *rhoprime, *key;
polyvecl mat[K];
polyvecl s1, s1hat;
@@ -58,7 +58,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
pack_pk(pk, rho, &t1);
/* Compute H(rho, t1) and write secret key */
- shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(tr, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
return 0;
@@ -84,8 +84,8 @@ int crypto_sign_signature(uint8_t *sig,
const uint8_t *sk)
{
unsigned int n;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
+ uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES];
+ uint8_t *rho, *tr, *key, *mu, *rhoprime, *rnd;
uint16_t nonce = 0;
polyvecl mat[K], s1, y, z;
polyveck t0, s2, w1, w0, h;
@@ -94,23 +94,27 @@ int crypto_sign_signature(uint8_t *sig,
rho = seedbuf;
tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
+ key = tr + TRBYTES;
+ rnd = key + SEEDBYTES;
+ mu = rnd + RNDBYTES;
rhoprime = mu + CRHBYTES;
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
- /* Compute CRH(tr, msg) */
+
+ /* Compute mu = CRH(tr, msg) */
shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
+ shake256_inc_absorb(&state, tr, TRBYTES);
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(mu, CRHBYTES, &state);
#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
+ randombytes(rnd, RNDBYTES);
#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
+ for(n=0;n
#include "params.h"
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define dilithium_aes256ctr_init DILITHIUM_NAMESPACE(dilithium_aes256ctr_init)
-void dilithium_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) \
- aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) \
- aes256_ctx_release(STATE)
-
-#else
-
#include "fips202.h"
typedef shake128incctx stream128_state;
@@ -65,5 +34,3 @@ void dilithium_shake256_stream_init(shake256incctx *state,
#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
#endif
-
-#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/api.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/api.h
index d64709d676..55b637669d 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/api.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/api.h
@@ -5,7 +5,7 @@
#include
#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
+#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
#define pqcrystals_dilithium2_BYTES 2420
#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
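Review bot: The new byte count on the `+` line is a hand-maintained literal that nothing checks against the `CRYPTO_SECRETKEYBYTES` / `CRYPTO_BYTES` expressions params.h derives from SEEDBYTES, TRBYTES and CTILDEBYTES; the same applies to the dilithium3 and dilithium5 hunks of this file and to the matching hunks in pqcrystals-dilithium_dilithium3_ref/api.h. The deltas are consistent with the visible parameter changes (+32 secret-key bytes for tr growing to TRBYTES, +0/+16/+32 signature bytes for CTILDEBYTES 32/48/64), but a future parameter edit could desynchronise them silently. A compile-time check in one translation unit per mode, e.g. `_Static_assert(CRYPTO_SECRETKEYBYTES == pqcrystals_dilithium2_SECRETKEYBYTES, "api.h size out of sync with params.h");` (if the project's C standard allows it) or an equivalent unit test would catch that. Since these sizes are the wire format, keys and signatures produced before this commit will no longer match the expected lengths, which is worth stating in the commit description.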
@@ -30,31 +30,10 @@ int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium2aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_SECRETKEYBYTES pqcrystals_dilithium2_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_BYTES pqcrystals_dilithium2_avx2_BYTES
-
-int pqcrystals_dilithium2aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
+#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
+#define pqcrystals_dilithium3_BYTES 3309
#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
@@ -78,31 +57,10 @@ int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium3aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_SECRETKEYBYTES pqcrystals_dilithium3_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_BYTES pqcrystals_dilithium3_avx2_BYTES
-
-int pqcrystals_dilithium3aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
+#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
+#define pqcrystals_dilithium5_BYTES 4627
#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
@@ -126,27 +84,5 @@ int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium5aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_SECRETKEYBYTES pqcrystals_dilithium5_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_BYTES pqcrystals_dilithium5_avx2_BYTES
-
-int pqcrystals_dilithium5aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/config.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/config.h
index d4a511cea5..a9facc0038 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/config.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/config.h
@@ -2,8 +2,7 @@
#define CONFIG_H
//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
+#define DILITHIUM_RANDOMIZED_SIGNING
//#define USE_RDPMC
//#define DBENCH
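Review bot: `DILITHIUM_RANDOMIZED_SIGNING` goes from a commented-out toggle to an unconditional define with no comment saying what it changes, so a reader of config.h cannot tell that signatures from this build are now non-deterministic. From the sign.c hunk in this commit the define selects `randombytes(rnd, RNDBYTES)` over `memset(rnd, 0, RNDBYTES)` before rhoprime is derived from key, rnd and mu. I would add above it: `/* Hedged signing: rnd is fresh randomness mixed with key and mu into rhoprime; undefine for deterministic signatures (rnd = 0). */`. If deterministic builds are still meant to be selectable, the define should be driven by the build system rather than hard-coded here.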
@@ -11,21 +10,6 @@
#define DILITHIUM_MODE 2
#endif
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_avx2_##s
-#endif
-#else
#if DILITHIUM_MODE == 2
#define CRYPTO_ALGNAME "Dilithium2"
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2
@@ -39,6 +23,5 @@
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2
#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s
#endif
-#endif
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/packing.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/packing.c
index 9de5826cde..039a686da3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/packing.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/packing.c
@@ -64,7 +64,7 @@ void unpack_pk(uint8_t rho[SEEDBYTES],
**************************************************/
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
@@ -80,9 +80,9 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
sk[i] = key[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
sk[i] = tr[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i = 0; i < L; ++i)
polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -110,7 +110,7 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
* - uint8_t sk[]: byte array containing bit-packed sk
**************************************************/
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -127,9 +127,9 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
key[i] = sk[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
tr[i] = sk[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i=0; i < L; ++i)
polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
@@ -154,15 +154,15 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
* - const polyveck *h: pointer to hint vector h
**************************************************/
void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
+ const uint8_t c[CTILDEBYTES],
const polyvecl *z,
const polyveck *h)
{
unsigned int i, j, k;
- for(i=0; i < SEEDBYTES; ++i)
+ for(i=0; i < CTILDEBYTES; ++i)
sig[i] = c[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
@@ -195,16 +195,16 @@ void pack_sig(uint8_t sig[CRYPTO_BYTES],
*
* Returns 1 in case of malformed signature; otherwise 0.
**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
+int unpack_sig(uint8_t c[CTILDEBYTES],
polyvecl *z,
polyveck *h,
const uint8_t sig[CRYPTO_BYTES])
{
unsigned int i, j, k;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
c[i] = sig[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/packing.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/packing.h
index 7c7cb6f4c2..8e47728ce3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/packing.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/packing.h
@@ -11,21 +11,21 @@ void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], co
#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
const polyveck *s2);
#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
+void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -33,6 +33,6 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
+int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/params.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/params.h
index 63b02e2db4..1e8a7b505b 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/params.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/params.h
@@ -5,6 +5,8 @@
#define SEEDBYTES 32
#define CRHBYTES 64
+#define TRBYTES 64
+#define RNDBYTES 32
#define N 256
#define Q 8380417
#define D 13
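Review bot: The two new constants carry no comment, and their roles are only recoverable from the sign.c hunks elsewhere in this commit: TRBYTES is the length of tr = H(pk) that crypto_sign_keypair stores in the secret key and that signing absorbs before the message, and RNDBYTES is the length of the per-signature rnd that is either fresh random bytes or all zero. I would annotate them in place: `#define TRBYTES 64   /* length of tr = H(pk), stored in sk */` and `#define RNDBYTES 32  /* length of rnd mixed into rhoprime (random or zero) */`. Note that RNDBYTES correctly does not enter `CRYPTO_SECRETKEYBYTES` in the last hunk of this file, since rnd is per signature rather than per key.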
@@ -19,6 +21,7 @@
#define GAMMA1 (1 << 17)
#define GAMMA2 ((Q-1)/88)
#define OMEGA 80
+#define CTILDEBYTES 32
#elif DILITHIUM_MODE == 3
#define K 6
@@ -29,6 +32,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 55
+#define CTILDEBYTES 48
#elif DILITHIUM_MODE == 5
#define K 8
@@ -39,6 +43,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 75
+#define CTILDEBYTES 64
#endif
@@ -65,10 +70,11 @@
#endif
#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
+#define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+ + TRBYTES \
+ L*POLYETA_PACKEDBYTES \
+ K*POLYETA_PACKEDBYTES \
+ K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
+#define CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/poly.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/poly.c
index f1e28e985e..25d36828ad 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/poly.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/poly.c
@@ -9,9 +9,7 @@
#include "rejsample.h"
#include "consts.h"
#include "symmetric.h"
-#ifndef DILITHIUM_USE_AES
#include "fips202x4.h"
-#endif
#ifdef DBENCH
#include "test/cpucycles.h"
@@ -376,7 +374,7 @@ static unsigned int rej_uniform(int32_t *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* output stream of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
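Review bot: The rewritten description line still names SHAKE256, but the function this comment block appears to document is poly_uniform (its argument list matches `seed[SEEDBYTES]`), which releases a `stream128` state in the next hunk, and this directory's symmetric.h maps stream128 to `shake128incctx`; the AES alternative being dropped was the only other stream. Since the line is being edited anyway, make it `* output stream of SHAKE128(seed|nonce).` (also restoring the trailing period). The remainder of the comment block and the function itself are outside this hunk.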
@@ -406,7 +404,6 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
stream128_release(&state);
}
-#ifndef DILITHIUM_USE_AES
void poly_uniform_4x(poly *a0,
poly *a1,
poly *a2,
@@ -456,7 +453,6 @@ void poly_uniform_4x(poly *a0,
}
shake128x4_inc_ctx_release(&state);
}
-#endif
/*************************************************
* Name: rej_eta
@@ -513,7 +509,6 @@ static unsigned int rej_eta(int32_t *a,
* Description: Sample polynomial with uniformly random coefficients
* in [-ETA,ETA] by performing rejection sampling using the
* output stream of SHAKE256(seed|nonce)
-* or AES256CTR(seed,nonce).
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
@@ -541,7 +536,6 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
stream256_release(&state);
}
-#ifndef DILITHIUM_USE_AES
void poly_uniform_eta_4x(poly *a0,
poly *a1,
poly *a2,
@@ -597,14 +591,13 @@ void poly_uniform_eta_4x(poly *a0,
}
shake256x4_inc_ctx_release(&state);
}
-#endif
/*************************************************
* Name: poly_uniform_gamma1
*
* Description: Sample polynomial with uniformly random coefficients
* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
@@ -627,7 +620,6 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
stream256_release(&state);
}
-#ifndef DILITHIUM_USE_AES
void poly_uniform_gamma1_4x(poly *a0,
poly *a1,
poly *a2,
@@ -672,7 +664,6 @@ void poly_uniform_gamma1_4x(poly *a0,
polyz_unpack(a2, buf[2].coeffs);
polyz_unpack(a3, buf[3].coeffs);
}
-#endif
/*************************************************
* Name: challenge
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/poly.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/poly.h
index ce22726d92..7bcd8e5e03 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/poly.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/poly.h
@@ -55,7 +55,6 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-#ifndef DILITHIUM_USE_AES
#define poly_uniform_4x DILITHIUM_NAMESPACE(poly_uniform_4x)
void poly_uniform_4x(poly *a0,
poly *a1,
@@ -86,7 +85,6 @@ void poly_uniform_gamma1_4x(poly *a0,
uint16_t nonce1,
uint16_t nonce2,
uint16_t nonce3);
-#endif
#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
void polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *a);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/polyvec.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/polyvec.c
index ba3639d938..6e2302168e 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/polyvec.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/polyvec.c
@@ -4,9 +4,6 @@
#include "poly.h"
#include "ntt.h"
#include "consts.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
/*************************************************
* Name: expand_mat
@@ -14,31 +11,12 @@
* Description: Implementation of ExpandA. Generates matrix A with uniformly
* random coefficients a_{i,j} by performing rejection
* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
*
* Arguments: - polyvecl mat[K]: output matrix
* - const uint8_t rho[]: byte array containing seed rho
**************************************************/
-#ifdef DILITHIUM_USE_AES
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
- uint64_t nonce;
- aes256ctr_ctx state;
-
- aes256ctr_init_u64(&state, rho, 0);
-
- for(i = 0; i < K; i++) {
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&state, nonce);
- poly_uniform_preinit(&mat[i].vec[j], &state);
- poly_nttunpack(&mat[i].vec[j]);
- }
- }
- aes256_ctx_release(&state);
-}
-#elif K == 4 && L == 4
+#if K == 4 && L == 4
void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
polyvec_matrix_expand_row0(&mat[0], NULL, rho);
polyvec_matrix_expand_row1(&mat[1], NULL, rho);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/polyvec.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/polyvec.h
index 845b46afe3..1b6dc87ac6 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/polyvec.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/polyvec.h
@@ -82,7 +82,6 @@ void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-#ifndef DILITHIUM_USE_AES
#define polyvec_matrix_expand_row0 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row0)
void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
#define polyvec_matrix_expand_row1 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row1)
@@ -99,7 +98,6 @@ void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rh
void polyvec_matrix_expand_row6(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
#define polyvec_matrix_expand_row7 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row7)
void polyvec_matrix_expand_row7(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#endif
#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/rejsample.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/rejsample.c
index 54e4ca5f6d..8b1dde4440 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/rejsample.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/rejsample.c
@@ -291,12 +291,9 @@ unsigned int rej_uniform_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM
_mm256_storeu_si256((__m256i *)&r[ctr], d);
ctr += _mm_popcnt_u32(good);
-#ifndef DILITHIUM_USE_AES
if(ctr > N - 8) break;
-#endif
}
-#ifndef DILITHIUM_USE_AES
uint32_t t;
while(ctr < N && pos <= REJ_UNIFORM_BUFLEN - 3) {
t = buf[pos++];
@@ -307,7 +304,6 @@ unsigned int rej_uniform_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM
if(t < Q)
r[ctr++] = t;
}
-#endif
return ctr;
}
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/sign.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/sign.c
index 448cdd17de..a39f8515c4 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/sign.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/sign.c
@@ -9,11 +9,7 @@
#include "randombytes.h"
#include "symmetric.h"
#include "fips202.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
-#ifndef DILITHIUM_USE_AES
static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], const uint8_t rho[SEEDBYTES], unsigned int i) {
switch(i) {
case 0:
@@ -54,7 +50,6 @@ static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], co
#endif
}
}
-#endif
/*************************************************
* Name: crypto_sign_keypair
@@ -72,13 +67,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
unsigned int i;
uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
const uint8_t *rho, *rhoprime, *key;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
polyvecl rowbuf[2];
-#endif
polyvecl s1, *row = rowbuf;
polyveck s2;
poly t1, t0;
@@ -96,20 +85,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
memcpy(sk + SEEDBYTES, key, SEEDBYTES);
/* Sample short vectors s1 and s2 */
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
- for(i = 0; i < L; ++i) {
- nonce = i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s1.vec[i], &aesctx);
- }
- for(i = 0; i < K; ++i) {
- nonce = L + i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s2.vec[i], &aesctx);
- }
- aes256_ctx_release(&aesctx);
-#elif K == 4 && L == 4
+#if K == 4 && L == 4
poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
poly_uniform_eta_4x(&s2.vec[0], &s2.vec[1], &s2.vec[2], &s2.vec[3], rhoprime, 4, 5, 6, 7);
#elif K == 6 && L == 5
@@ -127,29 +103,16 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
/* Pack secret vectors */
for(i = 0; i < L; i++)
- polyeta_pack(sk + 3*SEEDBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);
+ polyeta_pack(sk + 2*SEEDBYTES + TRBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);
for(i = 0; i < K; i++)
- polyeta_pack(sk + 3*SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
+ polyeta_pack(sk + 2*SEEDBYTES + TRBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
/* Transform s1 */
polyvecl_ntt(&s1);
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rho, 0);
-#endif
-
for(i = 0; i < K; i++) {
/* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(unsigned int j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
polyvec_matrix_expand_row(&row, rowbuf, rho, i);
-#endif
/* Compute inner-product */
polyvecl_pointwise_acc_montgomery(&t1, row, &s1);
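Review bot: The secret-key layout offset `2*SEEDBYTES + TRBYTES` is now spelled out by hand on both `polyeta_pack` lines here, again on the `polyt0_pack` line in the next hunk, and implicitly as `sk + 2*SEEDBYTES` for tr, duplicating the rho | key | tr layout that pack_sk in packing.c defines with its own `sk += SEEDBYTES` / `sk += TRBYTES` steps. A single named offset, e.g. `#define SK_VECTORS_OFFSET (2*SEEDBYTES + TRBYTES) /* rho | key | tr precede the packed vectors */`, used in all three places would keep a future layout change to one edit. crypto_sign_keypair starts before this hunk and ends after the next one.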
@@ -162,15 +125,11 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
poly_caddq(&t1);
poly_power2round(&t1, &t0, &t1);
polyt1_pack(pk + SEEDBYTES + i*POLYT1_PACKEDBYTES, &t1);
- polyt0_pack(sk + 3*SEEDBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
+ polyt0_pack(sk + 2*SEEDBYTES + TRBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
}
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
/* Compute H(rho, t1) and store in secret key */
- shake256(sk + 2*SEEDBYTES, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(sk + 2*SEEDBYTES, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
return 0;
}
@@ -190,10 +149,10 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
**************************************************/
int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
unsigned int i, n, pos;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
+ uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES];
+ uint8_t *rho, *tr, *key, *rnd, *mu, *rhoprime;
uint8_t hintbuf[N];
- uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
+ uint8_t *hint = sig + CTILDEBYTES + L*POLYZ_PACKEDBYTES;
uint64_t nonce = 0;
polyvecl mat[K], s1, z;
polyveck t0, s2, w1;
@@ -206,23 +165,25 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
rho = seedbuf;
tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
+ key = tr + TRBYTES;
+ rnd = key + SEEDBYTES;
+ mu = rnd + RNDBYTES;
rhoprime = mu + CRHBYTES;
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
/* Compute CRH(tr, msg) */
shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
+ shake256_inc_absorb(&state, tr, TRBYTES);
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(mu, CRHBYTES, &state);
#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
+ randombytes(rnd, RNDBYTES);
#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
+ memset(rnd, 0, RNDBYTES);
#endif
+ shake256(rhoprime, CRHBYTES, key, SEEDBYTES + RNDBYTES + CRHBYTES);
/* Expand matrix and transform vectors */
polyvec_matrix_expand(mat, rho);
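Review bot: The new unconditional `shake256(rhoprime, ...)` call has no comment, while the preceding `/* Compute CRH(tr, msg) */` is kept; the call depends on key, rnd and mu being laid out contiguously in seedbuf by the pointer assignments at the top of the hunk, which is not obvious at the call site. I would add above it: `/* rhoprime = SHAKE256(key || rnd || mu); key, rnd and mu must stay contiguous in seedbuf. rnd is fresh randomness (hedged) or zero (deterministic), so weak randomness only makes signing deterministic. */`. The rest of crypto_sign_signature is outside this hunk.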
@@ -230,20 +191,9 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
polyveck_ntt(&s2);
polyveck_ntt(&t0);
-#ifdef DILITHIUM_USE_AES
- aes256ctr_ctx aesctx;
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
-#endif
-
rej:
/* Sample intermediate vector y */
-#ifdef DILITHIUM_USE_AES
- for(i = 0; i < L; ++i) {
- aes256ctr_init_iv_u64(&aesctx, nonce);
- nonce++;
- poly_uniform_gamma1_preinit(&z.vec[i], &aesctx);
- }
-#elif L == 4
+#if L == 4
poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
nonce += 4;
@@ -277,7 +227,7 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
shake256_inc_absorb(&state, mu, CRHBYTES);
shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
+ shake256_inc_squeeze(sig, CTILDEBYTES, &state);
poly_challenge(&c, sig);
poly_ntt(&c);
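Review bot: The challenge seed squeezed into `sig` is now CTILDEBYTES long, but the `poly_challenge(&c, sig)` call on the next line goes to a function whose declaration in this commit's poly.h hunk still reads `poly_challenge(poly *c, const uint8_t seed[SEEDBYTES])`, and the poly.c hunk ends just before its body. Array lengths in parameters are not enforced by the compiler, so if the body still absorbs SEEDBYTES bytes, the last 16/32 bytes of the challenge would be ignored for modes 3/5 with no diagnostic; please confirm it absorbs CTILDEBYTES and change the declaration to `const uint8_t seed[CTILDEBYTES]` so the interface documents it. crypto_sign_signature's body continues outside this hunk.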
@@ -322,14 +272,10 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
hint[OMEGA + i] = pos = pos + n;
}
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
shake256_inc_ctx_release(&state);
/* Pack z into signature */
for(i = 0; i < L; i++)
- polyz_pack(sig + SEEDBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
+ polyz_pack(sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
*siglen = CRYPTO_BYTES;
return 0;
@@ -379,14 +325,8 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
/* polyw1_pack writes additional 14 bytes */
ALIGNED_UINT8(K*POLYW1_PACKEDBYTES+14) buf;
uint8_t mu[CRHBYTES];
- const uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
+ const uint8_t *hint = sig + CTILDEBYTES + L*POLYZ_PACKEDBYTES;
polyvecl rowbuf[2];
-#endif
polyvecl *row = rowbuf;
polyvecl z;
poly c, w1, h;
@@ -396,9 +336,9 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
return -1;
/* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);
shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
+ shake256_inc_absorb(&state, mu, CRHBYTES);
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(mu, CRHBYTES, &state);
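Review bot: The first `shake256(mu, ...)` recomputes tr = H(pk) and absorbs it, but uses `CRHBYTES` where crypto_sign_keypair (`shake256(sk + 2*SEEDBYTES, TRBYTES, ...)` in an earlier hunk) and the signer's `shake256_inc_absorb(&state, tr, TRBYTES)` use `TRBYTES` for the same value. Both constants are 64 in params.h today, so behaviour is correct, but the verifier would silently diverge from the signer if they ever differ; use `shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);` and `shake256_inc_absorb(&state, mu, TRBYTES);` here, which also requires TRBYTES <= CRHBYTES for the `mu[CRHBYTES]` buffer (currently true). crypto_sign_verify's body continues outside the hunk.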
@@ -410,26 +350,13 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
/* Unpack z; shortness follows from unpacking */
for(i = 0; i < L; i++) {
- polyz_unpack(&z.vec[i], sig + SEEDBYTES + i*POLYZ_PACKEDBYTES);
+ polyz_unpack(&z.vec[i], sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES);
poly_ntt(&z.vec[i]);
}
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, pk, 0);
-#endif
-
for(i = 0; i < K; i++) {
/* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
polyvec_matrix_expand_row(&row, rowbuf, pk, i);
-#endif
/* Compute i-th row of Az - c2^Dt1 */
polyvecl_pointwise_acc_montgomery(&w1, row, &z);
@@ -445,21 +372,12 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
/* Get hint polynomial and reconstruct w1 */
memset(h.vec, 0, sizeof(poly));
- if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
+ if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA)
return -1;
- }
for(j = pos; j < hint[OMEGA + i]; ++j) {
/* Coefficients are ordered for strong unforgeability */
- if(j > pos && hint[j] <= hint[j-1]) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
- return -1;
- }
+ if(j > pos && hint[j] <= hint[j-1]) return -1;
h.coeffs[hint[j]] = 1;
}
pos = hint[OMEGA + i];
@@ -469,10 +387,6 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
polyw1_pack(buf.coeffs + i*POLYW1_PACKEDBYTES, &w1);
}
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
/* Extra indices are zero for strong unforgeability */
for(j = pos; j < OMEGA; ++j)
if(hint[j]) return -1;
@@ -482,9 +396,9 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
shake256_inc_absorb(&state, mu, CRHBYTES);
shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state);
+ shake256_inc_squeeze(buf.coeffs, CTILDEBYTES, &state);
shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
if(buf.coeffs[i] != sig[i])
return -1;
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/symmetric.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/symmetric.h
index be160c5176..fa49963ae3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/symmetric.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_avx2/symmetric.h
@@ -4,26 +4,6 @@
#include
#include "params.h"
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) aes256_ctx_release(STATE)
-
-#else
-
#include "fips202.h"
typedef shake128incctx stream128_state;
@@ -46,5 +26,3 @@ void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CR
#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
#endif
-
-#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/api.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/api.h
index ceeef106dc..78caa5c728 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/api.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/api.h
@@ -5,7 +5,7 @@
#include
#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
+#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
#define pqcrystals_dilithium2_BYTES 2420
#define pqcrystals_dilithium2_ref_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
@@ -30,31 +30,10 @@ int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium2aes_ref_PUBLICKEYBYTES pqcrystals_dilithium2_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_ref_SECRETKEYBYTES pqcrystals_dilithium2_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_ref_BYTES pqcrystals_dilithium2_ref_BYTES
-
-int pqcrystals_dilithium2aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
+#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
+#define pqcrystals_dilithium3_BYTES 3309
#define pqcrystals_dilithium3_ref_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
#define pqcrystals_dilithium3_ref_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
@@ -78,31 +57,10 @@ int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium3aes_ref_PUBLICKEYBYTES pqcrystals_dilithium3_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_ref_SECRETKEYBYTES pqcrystals_dilithium3_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_ref_BYTES pqcrystals_dilithium3_ref_BYTES
-
-int pqcrystals_dilithium3aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
+#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
+#define pqcrystals_dilithium5_BYTES 4627
#define pqcrystals_dilithium5_ref_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
#define pqcrystals_dilithium5_ref_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
@@ -126,27 +84,5 @@ int pqcrystals_dilithium5_ref_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium5aes_ref_PUBLICKEYBYTES pqcrystals_dilithium5_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_ref_SECRETKEYBYTES pqcrystals_dilithium5_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_ref_BYTES pqcrystals_dilithium5_ref_BYTES
-
-int pqcrystals_dilithium5aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/config.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/config.h
index 14b08e0f06..98b8ccb11d 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/config.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/config.h
@@ -2,8 +2,7 @@
#define CONFIG_H
//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
+#define DILITHIUM_RANDOMIZED_SIGNING
//#define USE_RDPMC
//#define DBENCH
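Review bot: Uncommenting `#define DILITHIUM_RANDOMIZED_SIGNING` flips the build default from deterministic to randomized signing, and the define carries no comment saying so; the dilithium5_avx2 config.h hunk below makes the same flip. In the sign.c hunk further down this macro selects `randombytes(rnd, RNDBYTES)` over the deterministic branch (whose body is cut off in this view), so two signatures over the same message and key will now differ, and any known-answer test that compares signature bytes has to drive `randombytes` deterministically. The validity of a signature now also depends on the `randombytes` backend behaving at signing time, which is a new property of the default build and worth stating where the switch lives. I would add `/* Hedged signing: rnd in crypto_sign_signature is drawn from randombytes(); leave undefined for deterministic signatures */` above the define.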
@@ -11,21 +10,6 @@
#define DILITHIUM_MODE 2
#endif
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_ref_##s
-#endif
-#else
#if DILITHIUM_MODE == 2
#define CRYPTO_ALGNAME "Dilithium2"
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref
@@ -39,6 +23,5 @@
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref
#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s
#endif
-#endif
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/packing.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/packing.c
index 9de5826cde..039a686da3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/packing.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/packing.c
@@ -64,7 +64,7 @@ void unpack_pk(uint8_t rho[SEEDBYTES],
**************************************************/
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
@@ -80,9 +80,9 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
sk[i] = key[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
sk[i] = tr[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i = 0; i < L; ++i)
polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -110,7 +110,7 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
* - uint8_t sk[]: byte array containing bit-packed sk
**************************************************/
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -127,9 +127,9 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
key[i] = sk[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
tr[i] = sk[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i=0; i < L; ++i)
polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
@@ -154,15 +154,15 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
* - const polyveck *h: pointer to hint vector h
**************************************************/
void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
+ const uint8_t c[CTILDEBYTES],
const polyvecl *z,
const polyveck *h)
{
unsigned int i, j, k;
- for(i=0; i < SEEDBYTES; ++i)
+ for(i=0; i < CTILDEBYTES; ++i)
sig[i] = c[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
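Review bot: pack_sig now copies CTILDEBYTES bytes of c, but the argument description block above it (its tail is visible at `- const polyveck *h`) is not touched by the hunk; if it still gives the challenge length as SEEDBYTES it should now read `- const uint8_t c[]: pointer to challenge hash of length CTILDEBYTES`, and the same check applies to unpack_sig below, to the tr argument of pack_sk/unpack_sk above, and to the identical dilithium5_avx2 packing.c hunks. The byte accounting itself is consistent — CRYPTO_SECRETKEYBYTES and CRYPTO_BYTES in the params.h hunk grow by exactly the TRBYTES and CTILDEBYTES these loops write — so this is a documentation point only.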
@@ -195,16 +195,16 @@ void pack_sig(uint8_t sig[CRYPTO_BYTES],
*
* Returns 1 in case of malformed signature; otherwise 0.
**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
+int unpack_sig(uint8_t c[CTILDEBYTES],
polyvecl *z,
polyveck *h,
const uint8_t sig[CRYPTO_BYTES])
{
unsigned int i, j, k;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
c[i] = sig[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/packing.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/packing.h
index 7c7cb6f4c2..8e47728ce3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/packing.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/packing.h
@@ -11,21 +11,21 @@ void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], co
#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
const polyveck *s2);
#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
+void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -33,6 +33,6 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
+int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/params.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/params.h
index 63b02e2db4..1e8a7b505b 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/params.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/params.h
@@ -5,6 +5,8 @@
#define SEEDBYTES 32
#define CRHBYTES 64
+#define TRBYTES 64
+#define RNDBYTES 32
#define N 256
#define Q 8380417
#define D 13
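Review bot: TRBYTES and RNDBYTES are added without a comment saying what they size, and so are the per-mode CTILDEBYTES definitions in the three hunks below and the mirrored dilithium5_avx2 params.h hunks; for constants that decide the wire format of secret keys and signatures that is worth a word each. From the sign.c hunks, tr is `shake256(tr, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES)` and rnd is the RNDBYTES of signing randomness, so `#define TRBYTES 64 /* length of tr = H(pk) */` and `#define RNDBYTES 32 /* length of the signing randomness rnd */` are grounded, and for each CTILDEBYTES `/* length of the challenge hash c~ carried in the signature */` fits. One thing to make explicit: the dilithium5_avx2 poly.h hunk still declares `poly_challenge(poly *c, const uint8_t seed[SEEDBYTES])`, so if the challenge polynomial is meant to be derived from only the first SEEDBYTES of a CTILDEBYTES-long c~, a comment next to CTILDEBYTES saying that is intentional would stop someone "fixing" one side without the other.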
@@ -19,6 +21,7 @@
#define GAMMA1 (1 << 17)
#define GAMMA2 ((Q-1)/88)
#define OMEGA 80
+#define CTILDEBYTES 32
#elif DILITHIUM_MODE == 3
#define K 6
@@ -29,6 +32,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 55
+#define CTILDEBYTES 48
#elif DILITHIUM_MODE == 5
#define K 8
@@ -39,6 +43,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 75
+#define CTILDEBYTES 64
#endif
@@ -65,10 +70,11 @@
#endif
#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
+#define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+ + TRBYTES \
+ L*POLYETA_PACKEDBYTES \
+ K*POLYETA_PACKEDBYTES \
+ K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
+#define CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/poly.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/poly.c
index 006e83c93d..d44063fee8 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/poly.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/poly.c
@@ -335,7 +335,7 @@ static unsigned int rej_uniform(int32_t *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* output stream of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
@@ -422,7 +422,7 @@ static unsigned int rej_eta(int32_t *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [-ETA,ETA] by performing rejection sampling on the
-* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* output stream from SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
@@ -459,7 +459,7 @@ void poly_uniform_eta(poly *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/polyvec.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/polyvec.c
index c4e9037ab7..40032b656b 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/polyvec.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/polyvec.c
@@ -9,7 +9,6 @@
* Description: Implementation of ExpandA. Generates matrix A with uniformly
* random coefficients a_{i,j} by performing rejection
* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
*
* Arguments: - polyvecl mat[K]: output matrix
* - const uint8_t rho[]: byte array containing seed rho
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/sign.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/sign.c
index 16333eb84d..9298ad2177 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/sign.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium3_ref/sign.c
@@ -22,7 +22,7 @@
**************************************************/
int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
- uint8_t tr[SEEDBYTES];
+ uint8_t tr[TRBYTES];
const uint8_t *rho, *rhoprime, *key;
polyvecl mat[K];
polyvecl s1, s1hat;
@@ -58,7 +58,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
pack_pk(pk, rho, &t1);
/* Compute H(rho, t1) and write secret key */
- shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(tr, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
return 0;
@@ -84,8 +84,8 @@ int crypto_sign_signature(uint8_t *sig,
const uint8_t *sk)
{
unsigned int n;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
+ uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES];
+ uint8_t *rho, *tr, *key, *mu, *rhoprime, *rnd;
uint16_t nonce = 0;
polyvecl mat[K], s1, y, z;
polyveck t0, s2, w1, w0, h;
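Review bot: The new `seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES]` is carved into six regions by pointer arithmetic in the next hunk (rho, tr, key, rnd, mu, rhoprime), and the declaration gives no hint of that layout, so the size expression and the carving can drift apart without the compiler noticing. A comment on the declaration, `/* layout: rho | tr | key | rnd | mu | rhoprime, in that order */`, makes the correspondence checkable at a glance; the terms do add up to those six regions as written. The buffer holds key, rnd and rhoprime on the stack and nothing in the visible hunks clears it before the function returns — that is inherited from the previous version, but with the signing randomness now also living here it is worth deciding whether the project wants it scrubbed. crypto_sign_signature's body continues outside this hunk.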
@@ -94,23 +94,27 @@ int crypto_sign_signature(uint8_t *sig,
rho = seedbuf;
tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
+ key = tr + TRBYTES;
+ rnd = key + SEEDBYTES;
+ mu = rnd + RNDBYTES;
rhoprime = mu + CRHBYTES;
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
- /* Compute CRH(tr, msg) */
+
+ /* Compute mu = CRH(tr, msg) */
shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
+ shake256_inc_absorb(&state, tr, TRBYTES);
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(mu, CRHBYTES, &state);
#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
+ randombytes(rnd, RNDBYTES);
#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
+ for(n=0;n
#include "params.h"
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define dilithium_aes256ctr_init DILITHIUM_NAMESPACE(dilithium_aes256ctr_init)
-void dilithium_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) \
- aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) \
- aes256_ctx_release(STATE)
-
-#else
-
#include "fips202.h"
typedef shake128incctx stream128_state;
@@ -65,5 +34,3 @@ void dilithium_shake256_stream_init(shake256incctx *state,
#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
#endif
-
-#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/api.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/api.h
index d64709d676..55b637669d 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/api.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/api.h
@@ -5,7 +5,7 @@
#include
#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
+#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
#define pqcrystals_dilithium2_BYTES 2420
#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
@@ -30,31 +30,10 @@ int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium2aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_SECRETKEYBYTES pqcrystals_dilithium2_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_BYTES pqcrystals_dilithium2_avx2_BYTES
-
-int pqcrystals_dilithium2aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
+#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
+#define pqcrystals_dilithium3_BYTES 3309
#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
@@ -78,31 +57,10 @@ int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium3aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_SECRETKEYBYTES pqcrystals_dilithium3_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_BYTES pqcrystals_dilithium3_avx2_BYTES
-
-int pqcrystals_dilithium3aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
+#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
+#define pqcrystals_dilithium5_BYTES 4627
#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
@@ -126,27 +84,5 @@ int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium5aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_SECRETKEYBYTES pqcrystals_dilithium5_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_BYTES pqcrystals_dilithium5_avx2_BYTES
-
-int pqcrystals_dilithium5aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/config.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/config.h
index d4a511cea5..a9facc0038 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/config.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/config.h
@@ -2,8 +2,7 @@
#define CONFIG_H
//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
+#define DILITHIUM_RANDOMIZED_SIGNING
//#define USE_RDPMC
//#define DBENCH
@@ -11,21 +10,6 @@
#define DILITHIUM_MODE 2
#endif
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_avx2_##s
-#endif
-#else
#if DILITHIUM_MODE == 2
#define CRYPTO_ALGNAME "Dilithium2"
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2
@@ -39,6 +23,5 @@
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2
#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s
#endif
-#endif
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/packing.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/packing.c
index 9de5826cde..039a686da3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/packing.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/packing.c
@@ -64,7 +64,7 @@ void unpack_pk(uint8_t rho[SEEDBYTES],
**************************************************/
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
@@ -80,9 +80,9 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
sk[i] = key[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
sk[i] = tr[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i = 0; i < L; ++i)
polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -110,7 +110,7 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
* - uint8_t sk[]: byte array containing bit-packed sk
**************************************************/
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -127,9 +127,9 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
key[i] = sk[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
tr[i] = sk[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i=0; i < L; ++i)
polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
@@ -154,15 +154,15 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
* - const polyveck *h: pointer to hint vector h
**************************************************/
void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
+ const uint8_t c[CTILDEBYTES],
const polyvecl *z,
const polyveck *h)
{
unsigned int i, j, k;
- for(i=0; i < SEEDBYTES; ++i)
+ for(i=0; i < CTILDEBYTES; ++i)
sig[i] = c[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
@@ -195,16 +195,16 @@ void pack_sig(uint8_t sig[CRYPTO_BYTES],
*
* Returns 1 in case of malformed signature; otherwise 0.
**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
+int unpack_sig(uint8_t c[CTILDEBYTES],
polyvecl *z,
polyveck *h,
const uint8_t sig[CRYPTO_BYTES])
{
unsigned int i, j, k;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
c[i] = sig[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/packing.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/packing.h
index 7c7cb6f4c2..8e47728ce3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/packing.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/packing.h
@@ -11,21 +11,21 @@ void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], co
#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
const polyveck *s2);
#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
+void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -33,6 +33,6 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
+int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/params.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/params.h
index 63b02e2db4..1e8a7b505b 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/params.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/params.h
@@ -5,6 +5,8 @@
#define SEEDBYTES 32
#define CRHBYTES 64
+#define TRBYTES 64
+#define RNDBYTES 32
#define N 256
#define Q 8380417
#define D 13
@@ -19,6 +21,7 @@
#define GAMMA1 (1 << 17)
#define GAMMA2 ((Q-1)/88)
#define OMEGA 80
+#define CTILDEBYTES 32
#elif DILITHIUM_MODE == 3
#define K 6
@@ -29,6 +32,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 55
+#define CTILDEBYTES 48
#elif DILITHIUM_MODE == 5
#define K 8
@@ -39,6 +43,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 75
+#define CTILDEBYTES 64
#endif
@@ -65,10 +70,11 @@
#endif
#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
+#define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+ + TRBYTES \
+ L*POLYETA_PACKEDBYTES \
+ K*POLYETA_PACKEDBYTES \
+ K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
+#define CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/poly.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/poly.c
index f1e28e985e..25d36828ad 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/poly.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/poly.c
@@ -9,9 +9,7 @@
#include "rejsample.h"
#include "consts.h"
#include "symmetric.h"
-#ifndef DILITHIUM_USE_AES
#include "fips202x4.h"
-#endif
#ifdef DBENCH
#include "test/cpucycles.h"
@@ -376,7 +374,7 @@ static unsigned int rej_uniform(int32_t *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* output stream of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
@@ -406,7 +404,6 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
stream128_release(&state);
}
-#ifndef DILITHIUM_USE_AES
void poly_uniform_4x(poly *a0,
poly *a1,
poly *a2,
@@ -456,7 +453,6 @@ void poly_uniform_4x(poly *a0,
}
shake128x4_inc_ctx_release(&state);
}
-#endif
/*************************************************
* Name: rej_eta
@@ -513,7 +509,6 @@ static unsigned int rej_eta(int32_t *a,
* Description: Sample polynomial with uniformly random coefficients
* in [-ETA,ETA] by performing rejection sampling using the
* output stream of SHAKE256(seed|nonce)
-* or AES256CTR(seed,nonce).
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
@@ -541,7 +536,6 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
stream256_release(&state);
}
-#ifndef DILITHIUM_USE_AES
void poly_uniform_eta_4x(poly *a0,
poly *a1,
poly *a2,
@@ -597,14 +591,13 @@ void poly_uniform_eta_4x(poly *a0,
}
shake256x4_inc_ctx_release(&state);
}
-#endif
/*************************************************
* Name: poly_uniform_gamma1
*
* Description: Sample polynomial with uniformly random coefficients
* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
@@ -627,7 +620,6 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
stream256_release(&state);
}
-#ifndef DILITHIUM_USE_AES
void poly_uniform_gamma1_4x(poly *a0,
poly *a1,
poly *a2,
@@ -672,7 +664,6 @@ void poly_uniform_gamma1_4x(poly *a0,
polyz_unpack(a2, buf[2].coeffs);
polyz_unpack(a3, buf[3].coeffs);
}
-#endif
/*************************************************
* Name: challenge
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/poly.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/poly.h
index ce22726d92..7bcd8e5e03 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/poly.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/poly.h
@@ -55,7 +55,6 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-#ifndef DILITHIUM_USE_AES
#define poly_uniform_4x DILITHIUM_NAMESPACE(poly_uniform_4x)
void poly_uniform_4x(poly *a0,
poly *a1,
@@ -86,7 +85,6 @@ void poly_uniform_gamma1_4x(poly *a0,
uint16_t nonce1,
uint16_t nonce2,
uint16_t nonce3);
-#endif
#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
void polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *a);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/polyvec.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/polyvec.c
index ba3639d938..6e2302168e 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/polyvec.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/polyvec.c
@@ -4,9 +4,6 @@
#include "poly.h"
#include "ntt.h"
#include "consts.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
/*************************************************
* Name: expand_mat
@@ -14,31 +11,12 @@
* Description: Implementation of ExpandA. Generates matrix A with uniformly
* random coefficients a_{i,j} by performing rejection
* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
*
* Arguments: - polyvecl mat[K]: output matrix
* - const uint8_t rho[]: byte array containing seed rho
**************************************************/
-#ifdef DILITHIUM_USE_AES
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
- uint64_t nonce;
- aes256ctr_ctx state;
-
- aes256ctr_init_u64(&state, rho, 0);
-
- for(i = 0; i < K; i++) {
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&state, nonce);
- poly_uniform_preinit(&mat[i].vec[j], &state);
- poly_nttunpack(&mat[i].vec[j]);
- }
- }
- aes256_ctx_release(&state);
-}
-#elif K == 4 && L == 4
+#if K == 4 && L == 4
void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
polyvec_matrix_expand_row0(&mat[0], NULL, rho);
polyvec_matrix_expand_row1(&mat[1], NULL, rho);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/polyvec.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/polyvec.h
index 845b46afe3..1b6dc87ac6 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/polyvec.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/polyvec.h
@@ -82,7 +82,6 @@ void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-#ifndef DILITHIUM_USE_AES
#define polyvec_matrix_expand_row0 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row0)
void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
#define polyvec_matrix_expand_row1 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row1)
@@ -99,7 +98,6 @@ void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rh
void polyvec_matrix_expand_row6(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
#define polyvec_matrix_expand_row7 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row7)
void polyvec_matrix_expand_row7(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#endif
#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/rejsample.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/rejsample.c
index 54e4ca5f6d..8b1dde4440 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/rejsample.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/rejsample.c
@@ -291,12 +291,9 @@ unsigned int rej_uniform_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM
_mm256_storeu_si256((__m256i *)&r[ctr], d);
ctr += _mm_popcnt_u32(good);
-#ifndef DILITHIUM_USE_AES
if(ctr > N - 8) break;
-#endif
}
-#ifndef DILITHIUM_USE_AES
uint32_t t;
while(ctr < N && pos <= REJ_UNIFORM_BUFLEN - 3) {
t = buf[pos++];
@@ -307,7 +304,6 @@ unsigned int rej_uniform_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM
if(t < Q)
r[ctr++] = t;
}
-#endif
return ctr;
}
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/sign.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/sign.c
index 448cdd17de..a39f8515c4 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/sign.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/sign.c
@@ -9,11 +9,7 @@
#include "randombytes.h"
#include "symmetric.h"
#include "fips202.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
-#ifndef DILITHIUM_USE_AES
static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], const uint8_t rho[SEEDBYTES], unsigned int i) {
switch(i) {
case 0:
@@ -54,7 +50,6 @@ static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], co
#endif
}
}
-#endif
/*************************************************
* Name: crypto_sign_keypair
@@ -72,13 +67,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
unsigned int i;
uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
const uint8_t *rho, *rhoprime, *key;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
polyvecl rowbuf[2];
-#endif
polyvecl s1, *row = rowbuf;
polyveck s2;
poly t1, t0;
@@ -96,20 +85,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
memcpy(sk + SEEDBYTES, key, SEEDBYTES);
/* Sample short vectors s1 and s2 */
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
- for(i = 0; i < L; ++i) {
- nonce = i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s1.vec[i], &aesctx);
- }
- for(i = 0; i < K; ++i) {
- nonce = L + i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s2.vec[i], &aesctx);
- }
- aes256_ctx_release(&aesctx);
-#elif K == 4 && L == 4
+#if K == 4 && L == 4
poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
poly_uniform_eta_4x(&s2.vec[0], &s2.vec[1], &s2.vec[2], &s2.vec[3], rhoprime, 4, 5, 6, 7);
#elif K == 6 && L == 5
@@ -127,29 +103,16 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
/* Pack secret vectors */
for(i = 0; i < L; i++)
- polyeta_pack(sk + 3*SEEDBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);
+ polyeta_pack(sk + 2*SEEDBYTES + TRBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);
for(i = 0; i < K; i++)
- polyeta_pack(sk + 3*SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
+ polyeta_pack(sk + 2*SEEDBYTES + TRBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
/* Transform s1 */
polyvecl_ntt(&s1);
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rho, 0);
-#endif
-
for(i = 0; i < K; i++) {
/* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(unsigned int j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
polyvec_matrix_expand_row(&row, rowbuf, rho, i);
-#endif
/* Compute inner-product */
polyvecl_pointwise_acc_montgomery(&t1, row, &s1);
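Review bot: The updated `polyeta_pack(sk + 2*SEEDBYTES + TRBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);` and its s2 sibling encode the secret-key layout as bare arithmetic, and the same expression recurs in `polyt0_pack(sk + 2*SEEDBYTES + TRBYTES + (L+K)*POLYETA_PACKEDBYTES + ...)` and `shake256(sk + 2*SEEDBYTES, TRBYTES, ...)` in the next hunk (`@@ -162,15 +125,11 @@`), so a future size change has four places to get wrong. A one-line comment above the pack loops, `/* sk layout: rho | key | tr | s1 | s2 | t0 -- key is written at sk + SEEDBYTES, tr at sk + 2*SEEDBYTES */`, would make each offset checkable at a glance; the position of rho at offset 0 is inferred from the key memcpy, not visible here. The ref pack_sk in packing.c is the authoritative order for this layout. crypto_sign_keypair begins and ends outside this hunk.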
@@ -162,15 +125,11 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
poly_caddq(&t1);
poly_power2round(&t1, &t0, &t1);
polyt1_pack(pk + SEEDBYTES + i*POLYT1_PACKEDBYTES, &t1);
- polyt0_pack(sk + 3*SEEDBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
+ polyt0_pack(sk + 2*SEEDBYTES + TRBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
}
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
/* Compute H(rho, t1) and store in secret key */
- shake256(sk + 2*SEEDBYTES, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(sk + 2*SEEDBYTES, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
return 0;
}
@@ -190,10 +149,10 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
**************************************************/
int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
unsigned int i, n, pos;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
+ uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES];
+ uint8_t *rho, *tr, *key, *rnd, *mu, *rhoprime;
uint8_t hintbuf[N];
- uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
+ uint8_t *hint = sig + CTILDEBYTES + L*POLYZ_PACKEDBYTES;
uint64_t nonce = 0;
polyvecl mat[K], s1, z;
polyveck t0, s2, w1;
@@ -206,23 +165,25 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
rho = seedbuf;
tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
+ key = tr + TRBYTES;
+ rnd = key + SEEDBYTES;
+ mu = rnd + RNDBYTES;
rhoprime = mu + CRHBYTES;
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
/* Compute CRH(tr, msg) */
shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
+ shake256_inc_absorb(&state, tr, TRBYTES);
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(mu, CRHBYTES, &state);
#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
+ randombytes(rnd, RNDBYTES);
#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
+ memset(rnd, 0, RNDBYTES);
#endif
+ shake256(rhoprime, CRHBYTES, key, SEEDBYTES + RNDBYTES + CRHBYTES);
/* Expand matrix and transform vectors */
polyvec_matrix_expand(mat, rho);
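Review bot: The new `shake256(rhoprime, CRHBYTES, key, SEEDBYTES + RNDBYTES + CRHBYTES);` hashes key, rnd and mu as a single input and therefore silently depends on `key = tr + TRBYTES; rnd = key + SEEDBYTES; mu = rnd + RNDBYTES;` placing the three contiguously in seedbuf; nothing at the call site says so. A comment such as `/* key || rnd || mu are contiguous in seedbuf (pointer setup above); hashed as one input */` would stop a later reordering of the pointer assignments from corrupting rhoprime derivation without any compile error. The ref sign.c hunk at `@@ -94,23 +94,27 @@` appears to use the same construct but is truncated in this view. crypto_sign_signature begins and ends outside this hunk.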
@@ -230,20 +191,9 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
polyveck_ntt(&s2);
polyveck_ntt(&t0);
-#ifdef DILITHIUM_USE_AES
- aes256ctr_ctx aesctx;
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
-#endif
-
rej:
/* Sample intermediate vector y */
-#ifdef DILITHIUM_USE_AES
- for(i = 0; i < L; ++i) {
- aes256ctr_init_iv_u64(&aesctx, nonce);
- nonce++;
- poly_uniform_gamma1_preinit(&z.vec[i], &aesctx);
- }
-#elif L == 4
+#if L == 4
poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
nonce += 4;
@@ -277,7 +227,7 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
shake256_inc_absorb(&state, mu, CRHBYTES);
shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
+ shake256_inc_squeeze(sig, CTILDEBYTES, &state);
poly_challenge(&c, sig);
poly_ntt(&c);
@@ -322,14 +272,10 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
hint[OMEGA + i] = pos = pos + n;
}
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
shake256_inc_ctx_release(&state);
/* Pack z into signature */
for(i = 0; i < L; i++)
- polyz_pack(sig + SEEDBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
+ polyz_pack(sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
*siglen = CRYPTO_BYTES;
return 0;
@@ -379,14 +325,8 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
/* polyw1_pack writes additional 14 bytes */
ALIGNED_UINT8(K*POLYW1_PACKEDBYTES+14) buf;
uint8_t mu[CRHBYTES];
- const uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
+ const uint8_t *hint = sig + CTILDEBYTES + L*POLYZ_PACKEDBYTES;
polyvecl rowbuf[2];
-#endif
polyvecl *row = rowbuf;
polyvecl z;
poly c, w1, h;
@@ -396,9 +336,9 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
return -1;
/* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);
shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
+ shake256_inc_absorb(&state, mu, CRHBYTES);
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(mu, CRHBYTES, &state);
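Review bot: `shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES);` and the following `shake256_inc_absorb(&state, mu, CRHBYTES);` recompute and absorb tr with length CRHBYTES, whereas the signing side derives and absorbs it with TRBYTES (`shake256(sk + 2*SEEDBYTES, TRBYTES, ...)` in keypair, `shake256_inc_absorb(&state, tr, TRBYTES)` in signature). Verification agrees with signing only because params.h sets both constants to 64; using TRBYTES on these two lines states the intent, together with a comment that `mu` (sized CRHBYTES) is reused as the tr buffer and a compile-time check that TRBYTES <= CRHBYTES so the reuse cannot overflow if the parameters ever diverge. crypto_sign_verify begins and ends outside this hunk.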
@@ -410,26 +350,13 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
/* Unpack z; shortness follows from unpacking */
for(i = 0; i < L; i++) {
- polyz_unpack(&z.vec[i], sig + SEEDBYTES + i*POLYZ_PACKEDBYTES);
+ polyz_unpack(&z.vec[i], sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES);
poly_ntt(&z.vec[i]);
}
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, pk, 0);
-#endif
-
for(i = 0; i < K; i++) {
/* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
polyvec_matrix_expand_row(&row, rowbuf, pk, i);
-#endif
/* Compute i-th row of Az - c2^Dt1 */
polyvecl_pointwise_acc_montgomery(&w1, row, &z);
@@ -445,21 +372,12 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
/* Get hint polynomial and reconstruct w1 */
memset(h.vec, 0, sizeof(poly));
- if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
+ if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA)
return -1;
- }
for(j = pos; j < hint[OMEGA + i]; ++j) {
/* Coefficients are ordered for strong unforgeability */
- if(j > pos && hint[j] <= hint[j-1]) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
- return -1;
- }
+ if(j > pos && hint[j] <= hint[j-1]) return -1;
h.coeffs[hint[j]] = 1;
}
pos = hint[OMEGA + i];
@@ -469,10 +387,6 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
polyw1_pack(buf.coeffs + i*POLYW1_PACKEDBYTES, &w1);
}
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
/* Extra indices are zero for strong unforgeability */
for(j = pos; j < OMEGA; ++j)
if(hint[j]) return -1;
@@ -482,9 +396,9 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
shake256_inc_absorb(&state, mu, CRHBYTES);
shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state);
+ shake256_inc_squeeze(buf.coeffs, CTILDEBYTES, &state);
shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
if(buf.coeffs[i] != sig[i])
return -1;
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/symmetric.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/symmetric.h
index be160c5176..fa49963ae3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/symmetric.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_avx2/symmetric.h
@@ -4,26 +4,6 @@
#include
#include "params.h"
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) aes256_ctx_release(STATE)
-
-#else
-
#include "fips202.h"
typedef shake128incctx stream128_state;
@@ -46,5 +26,3 @@ void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CR
#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
#endif
-
-#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/api.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/api.h
index ceeef106dc..78caa5c728 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/api.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/api.h
@@ -5,7 +5,7 @@
#include
#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
+#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
#define pqcrystals_dilithium2_BYTES 2420
#define pqcrystals_dilithium2_ref_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
@@ -30,31 +30,10 @@ int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium2aes_ref_PUBLICKEYBYTES pqcrystals_dilithium2_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_ref_SECRETKEYBYTES pqcrystals_dilithium2_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_ref_BYTES pqcrystals_dilithium2_ref_BYTES
-
-int pqcrystals_dilithium2aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
+#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
+#define pqcrystals_dilithium3_BYTES 3309
#define pqcrystals_dilithium3_ref_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
#define pqcrystals_dilithium3_ref_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
@@ -78,31 +57,10 @@ int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium3aes_ref_PUBLICKEYBYTES pqcrystals_dilithium3_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_ref_SECRETKEYBYTES pqcrystals_dilithium3_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_ref_BYTES pqcrystals_dilithium3_ref_BYTES
-
-int pqcrystals_dilithium3aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
+#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
+#define pqcrystals_dilithium5_BYTES 4627
#define pqcrystals_dilithium5_ref_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
#define pqcrystals_dilithium5_ref_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
@@ -126,27 +84,5 @@ int pqcrystals_dilithium5_ref_open(uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen,
const uint8_t *pk);
-#define pqcrystals_dilithium5aes_ref_PUBLICKEYBYTES pqcrystals_dilithium5_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_ref_SECRETKEYBYTES pqcrystals_dilithium5_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_ref_BYTES pqcrystals_dilithium5_ref_BYTES
-
-int pqcrystals_dilithium5aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/config.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/config.h
index 14b08e0f06..98b8ccb11d 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/config.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/config.h
@@ -2,8 +2,7 @@
#define CONFIG_H
//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
+#define DILITHIUM_RANDOMIZED_SIGNING
//#define USE_RDPMC
//#define DBENCH
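Review bot: `#define DILITHIUM_RANDOMIZED_SIGNING` is now enabled unconditionally in the vendored config.h instead of being left as an opt-in comment, so the ref build always takes the `randombytes(rnd, RNDBYTES)` branch in sign.c and the deterministic `#else` path is dead unless this line is edited. The choice is undocumented; a comment such as `// Always sign in randomized mode: rnd is fresh RNG output per signature, so two signatures of the same message differ` would record it and warn anyone comparing against fixed expected signatures. Whether the avx2 config.h was changed the same way is not visible in this diff.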
@@ -11,21 +10,6 @@
#define DILITHIUM_MODE 2
#endif
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_ref_##s
-#endif
-#else
#if DILITHIUM_MODE == 2
#define CRYPTO_ALGNAME "Dilithium2"
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref
@@ -39,6 +23,5 @@
#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref
#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s
#endif
-#endif
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/packing.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/packing.c
index 9de5826cde..039a686da3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/packing.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/packing.c
@@ -64,7 +64,7 @@ void unpack_pk(uint8_t rho[SEEDBYTES],
**************************************************/
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
@@ -80,9 +80,9 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
sk[i] = key[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
sk[i] = tr[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i = 0; i < L; ++i)
polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
@@ -110,7 +110,7 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
* - uint8_t sk[]: byte array containing bit-packed sk
**************************************************/
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -127,9 +127,9 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
key[i] = sk[i];
sk += SEEDBYTES;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < TRBYTES; ++i)
tr[i] = sk[i];
- sk += SEEDBYTES;
+ sk += TRBYTES;
for(i=0; i < L; ++i)
polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
@@ -154,15 +154,15 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
* - const polyveck *h: pointer to hint vector h
**************************************************/
void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
+ const uint8_t c[CTILDEBYTES],
const polyvecl *z,
const polyveck *h)
{
unsigned int i, j, k;
- for(i=0; i < SEEDBYTES; ++i)
+ for(i=0; i < CTILDEBYTES; ++i)
sig[i] = c[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
@@ -195,16 +195,16 @@ void pack_sig(uint8_t sig[CRYPTO_BYTES],
*
* Returns 1 in case of malformed signature; otherwise 0.
**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
+int unpack_sig(uint8_t c[CTILDEBYTES],
polyvecl *z,
polyveck *h,
const uint8_t sig[CRYPTO_BYTES])
{
unsigned int i, j, k;
- for(i = 0; i < SEEDBYTES; ++i)
+ for(i = 0; i < CTILDEBYTES; ++i)
c[i] = sig[i];
- sig += SEEDBYTES;
+ sig += CTILDEBYTES;
for(i = 0; i < L; ++i)
polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/packing.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/packing.h
index 7c7cb6f4c2..8e47728ce3 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/packing.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/packing.h
@@ -11,21 +11,21 @@ void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], co
#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
+ const uint8_t tr[TRBYTES],
const uint8_t key[SEEDBYTES],
const polyveck *t0,
const polyvecl *s1,
const polyveck *s2);
#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
+void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
+ uint8_t tr[TRBYTES],
uint8_t key[SEEDBYTES],
polyveck *t0,
polyvecl *s1,
@@ -33,6 +33,6 @@ void unpack_sk(uint8_t rho[SEEDBYTES],
const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
+int unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/params.h b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/params.h
index 63b02e2db4..1e8a7b505b 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/params.h
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/params.h
@@ -5,6 +5,8 @@
#define SEEDBYTES 32
#define CRHBYTES 64
+#define TRBYTES 64
+#define RNDBYTES 32
#define N 256
#define Q 8380417
#define D 13
@@ -19,6 +21,7 @@
#define GAMMA1 (1 << 17)
#define GAMMA2 ((Q-1)/88)
#define OMEGA 80
+#define CTILDEBYTES 32
#elif DILITHIUM_MODE == 3
#define K 6
@@ -29,6 +32,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 55
+#define CTILDEBYTES 48
#elif DILITHIUM_MODE == 5
#define K 8
@@ -39,6 +43,7 @@
#define GAMMA1 (1 << 19)
#define GAMMA2 ((Q-1)/32)
#define OMEGA 75
+#define CTILDEBYTES 64
#endif
@@ -65,10 +70,11 @@
#endif
#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
+#define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+ + TRBYTES \
+ L*POLYETA_PACKEDBYTES \
+ K*POLYETA_PACKEDBYTES \
+ K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
+#define CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
#endif
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/poly.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/poly.c
index 006e83c93d..d44063fee8 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/poly.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/poly.c
@@ -335,7 +335,7 @@ static unsigned int rej_uniform(int32_t *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* output stream of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
@@ -422,7 +422,7 @@ static unsigned int rej_eta(int32_t *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [-ETA,ETA] by performing rejection sampling on the
-* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* output stream from SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
@@ -459,7 +459,7 @@ void poly_uniform_eta(poly *a,
*
* Description: Sample polynomial with uniformly random coefficients
* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
+* of SHAKE256(seed|nonce)
*
* Arguments: - poly *a: pointer to output polynomial
* - const uint8_t seed[]: byte array with seed of length CRHBYTES
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/polyvec.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/polyvec.c
index c4e9037ab7..40032b656b 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/polyvec.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/polyvec.c
@@ -9,7 +9,6 @@
* Description: Implementation of ExpandA. Generates matrix A with uniformly
* random coefficients a_{i,j} by performing rejection
* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
*
* Arguments: - polyvecl mat[K]: output matrix
* - const uint8_t rho[]: byte array containing seed rho
diff --git a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/sign.c b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/sign.c
index 16333eb84d..9298ad2177 100644
--- a/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/sign.c
+++ b/src/sig/dilithium/pqcrystals-dilithium_dilithium5_ref/sign.c
@@ -22,7 +22,7 @@
**************************************************/
int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
- uint8_t tr[SEEDBYTES];
+ uint8_t tr[TRBYTES];
const uint8_t *rho, *rhoprime, *key;
polyvecl mat[K];
polyvecl s1, s1hat;
@@ -58,7 +58,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
pack_pk(pk, rho, &t1);
/* Compute H(rho, t1) and write secret key */
- shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
+ shake256(tr, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
return 0;
@@ -84,8 +84,8 @@ int crypto_sign_signature(uint8_t *sig,
const uint8_t *sk)
{
unsigned int n;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
+ uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES];
+ uint8_t *rho, *tr, *key, *mu, *rhoprime, *rnd;
uint16_t nonce = 0;
polyvecl mat[K], s1, y, z;
polyveck t0, s2, w1, w0, h;
@@ -94,23 +94,27 @@ int crypto_sign_signature(uint8_t *sig,
rho = seedbuf;
tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
+ key = tr + TRBYTES;
+ rnd = key + SEEDBYTES;
+ mu = rnd + RNDBYTES;
rhoprime = mu + CRHBYTES;
unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
- /* Compute CRH(tr, msg) */
+
+ /* Compute mu = CRH(tr, msg) */
shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
+ shake256_inc_absorb(&state, tr, TRBYTES);
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(mu, CRHBYTES, &state);
#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
+ randombytes(rnd, RNDBYTES);
#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
+ for(n=0;n
#include "params.h"
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define dilithium_aes256ctr_init DILITHIUM_NAMESPACE(dilithium_aes256ctr_init)
-void dilithium_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) \
- aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) \
- aes256_ctx_release(STATE)
-
-#else
-
#include "fips202.h"
typedef shake128incctx stream128_state;
@@ -65,5 +34,3 @@ void dilithium_shake256_stream_init(shake256incctx *state,
#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
#endif
-
-#endif
diff --git a/src/sig/dilithium/sig_dilithium.h b/src/sig/dilithium/sig_dilithium.h
index b63ea73b4b..84ca2e71b6 100644
--- a/src/sig/dilithium/sig_dilithium.h
+++ b/src/sig/dilithium/sig_dilithium.h
@@ -7,7 +7,7 @@
#ifdef OQS_ENABLE_SIG_dilithium_2
#define OQS_SIG_dilithium_2_length_public_key 1312
-#define OQS_SIG_dilithium_2_length_secret_key 2528
+#define OQS_SIG_dilithium_2_length_secret_key 2560
#define OQS_SIG_dilithium_2_length_signature 2420
OQS_SIG *OQS_SIG_dilithium_2_new(void);
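Review bot: The new `#define OQS_SIG_dilithium_2_length_secret_key 2560` duplicates a number that is also hardcoded in the vendored api.h and computed from the CRYPTO_SECRETKEYBYTES formula in params.h, so three copies are kept in sync by hand. The values in this diff do agree with the api.h hunks (2560, 4032/3309, 4896/4627), but nothing enforces that; a compile-time assertion in the wrapper comparing each OQS length against the upstream macro where both headers are visible, or a unit test comparing them at runtime, would catch the next drift. The same applies to the dilithium_3 and dilithium_5 hunks at `@@ -18,8 +18,8 @@` and `@@ -29,8 +29,8 @@`.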
@@ -18,8 +18,8 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_2_verify(const uint8_t *message, size_t mes
#ifdef OQS_ENABLE_SIG_dilithium_3
#define OQS_SIG_dilithium_3_length_public_key 1952
-#define OQS_SIG_dilithium_3_length_secret_key 4000
-#define OQS_SIG_dilithium_3_length_signature 3293
+#define OQS_SIG_dilithium_3_length_secret_key 4032
+#define OQS_SIG_dilithium_3_length_signature 3309
OQS_SIG *OQS_SIG_dilithium_3_new(void);
OQS_API OQS_STATUS OQS_SIG_dilithium_3_keypair(uint8_t *public_key, uint8_t *secret_key);
@@ -29,8 +29,8 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_3_verify(const uint8_t *message, size_t mes
#ifdef OQS_ENABLE_SIG_dilithium_5
#define OQS_SIG_dilithium_5_length_public_key 2592
-#define OQS_SIG_dilithium_5_length_secret_key 4864
-#define OQS_SIG_dilithium_5_length_signature 4595
+#define OQS_SIG_dilithium_5_length_secret_key 4896
+#define OQS_SIG_dilithium_5_length_signature 4627
OQS_SIG *OQS_SIG_dilithium_5_new(void);
OQS_API OQS_STATUS OQS_SIG_dilithium_5_keypair(uint8_t *public_key, uint8_t *secret_key);
diff --git a/src/sig/dilithium/sig_dilithium_2.c b/src/sig/dilithium/sig_dilithium_2.c
index de1b2ad1fa..ba42907785 100644
--- a/src/sig/dilithium/sig_dilithium_2.c
+++ b/src/sig/dilithium/sig_dilithium_2.c
@@ -13,7 +13,7 @@ OQS_SIG *OQS_SIG_dilithium_2_new(void) {
return NULL;
}
sig->method_name = OQS_SIG_alg_dilithium_2;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409";
+ sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";
sig->claimed_nist_level = 2;
sig->euf_cma = true;
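Review bot: `sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";` replaces a pinned commit URL with a branch name, so the string no longer identifies which upstream snapshot the vendored sources correspond to, and the branch can move while this wrapper stays unchanged. For provenance of a cryptographic implementation a fixed identifier is preferable, e.g. `sig->alg_version = "https://github.com/pq-crystals/dilithium/commit/<UPSTREAM-COMMIT-OF-VENDORED-SNAPSHOT>";`, with the branch name noted in a comment if it is useful to readers. The dilithium_3 and dilithium_5 wrappers are not in view but presumably carry the same change.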
@@ -39,12 +39,6 @@ extern int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen, co
extern int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
#endif
-#if defined(OQS_ENABLE_SIG_dilithium_2_aarch64)
-extern int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
OQS_API OQS_STATUS OQS_SIG_dilithium_2_keypair(uint8_t *public_key, uint8_t *secret_key) {
#if defined(OQS_ENABLE_SIG_dilithium_2_avx2)
#if defined(OQS_DIST_BUILD)
@@ -56,16 +50,6 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_2_keypair(uint8_t *public_key, uint8_t *sec
return (OQS_STATUS) pqcrystals_dilithium2_ref_keypair(public_key, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_2_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium2_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_dilithium2_ref_keypair(public_key, secret_key);
#endif
@@ -82,16 +66,6 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_2_sign(uint8_t *signature, size_t *signatur
return (OQS_STATUS) pqcrystals_dilithium2_ref_signature(signature, signature_len, message, message_len, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_2_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium2_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_dilithium2_ref_signature(signature, signature_len, message, message_len, secret_key);
#endif
@@ -108,16 +82,6 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_2_verify(const uint8_t *message, size_t mes
return (OQS_STATUS) pqcrystals_dilithium2_ref_verify(signature, signature_len, message, message_len, public_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_2_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium2_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_dilithium2_ref_verify(signature, signature_len, message, message_len, public_key);
#endif
diff --git a/src/sig/dilithium/sig_dilithium_3.c b/src/sig/dilithium/sig_dilithium_3.c
index f1a8311a20..a3d6e015d0 100644
--- a/src/sig/dilithium/sig_dilithium_3.c
+++ b/src/sig/dilithium/sig_dilithium_3.c
@@ -13,7 +13,7 @@ OQS_SIG *OQS_SIG_dilithium_3_new(void) {
return NULL;
}
sig->method_name = OQS_SIG_alg_dilithium_3;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409";
+ sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";
sig->claimed_nist_level = 3;
sig->euf_cma = true;
@@ -39,12 +39,6 @@ extern int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen, co
extern int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
#endif
-#if defined(OQS_ENABLE_SIG_dilithium_3_aarch64)
-extern int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
OQS_API OQS_STATUS OQS_SIG_dilithium_3_keypair(uint8_t *public_key, uint8_t *secret_key) {
#if defined(OQS_ENABLE_SIG_dilithium_3_avx2)
#if defined(OQS_DIST_BUILD)
@@ -56,16 +50,6 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_3_keypair(uint8_t *public_key, uint8_t *sec
return (OQS_STATUS) pqcrystals_dilithium3_ref_keypair(public_key, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_3_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium3_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_dilithium3_ref_keypair(public_key, secret_key);
#endif
@@ -82,16 +66,6 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_3_sign(uint8_t *signature, size_t *signatur
return (OQS_STATUS) pqcrystals_dilithium3_ref_signature(signature, signature_len, message, message_len, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_3_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium3_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_dilithium3_ref_signature(signature, signature_len, message, message_len, secret_key);
#endif
@@ -108,16 +82,6 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_3_verify(const uint8_t *message, size_t mes
return (OQS_STATUS) pqcrystals_dilithium3_ref_verify(signature, signature_len, message, message_len, public_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_3_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium3_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_dilithium3_ref_verify(signature, signature_len, message, message_len, public_key);
#endif
diff --git a/src/sig/dilithium/sig_dilithium_5.c b/src/sig/dilithium/sig_dilithium_5.c
index 06871be6e6..705677e386 100644
--- a/src/sig/dilithium/sig_dilithium_5.c
+++ b/src/sig/dilithium/sig_dilithium_5.c
@@ -13,7 +13,7 @@ OQS_SIG *OQS_SIG_dilithium_5_new(void) {
return NULL;
}
sig->method_name = OQS_SIG_alg_dilithium_5;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409";
+ sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";
sig->claimed_nist_level = 5;
sig->euf_cma = true;
@@ -39,12 +39,6 @@ extern int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen, co
extern int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
#endif
-#if defined(OQS_ENABLE_SIG_dilithium_5_aarch64)
-extern int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
OQS_API OQS_STATUS OQS_SIG_dilithium_5_keypair(uint8_t *public_key, uint8_t *secret_key) {
#if defined(OQS_ENABLE_SIG_dilithium_5_avx2)
#if defined(OQS_DIST_BUILD)
@@ -56,16 +50,6 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_5_keypair(uint8_t *public_key, uint8_t *sec
return (OQS_STATUS) pqcrystals_dilithium5_ref_keypair(public_key, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_5_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium5_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_dilithium5_ref_keypair(public_key, secret_key);
#endif
@@ -82,16 +66,6 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_5_sign(uint8_t *signature, size_t *signatur
return (OQS_STATUS) pqcrystals_dilithium5_ref_signature(signature, signature_len, message, message_len, secret_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_5_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium5_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_dilithium5_ref_signature(signature, signature_len, message, message_len, secret_key);
#endif
@@ -108,16 +82,6 @@ OQS_API OQS_STATUS OQS_SIG_dilithium_5_verify(const uint8_t *message, size_t mes
return (OQS_STATUS) pqcrystals_dilithium5_ref_verify(signature, signature_len, message, message_len, public_key);
}
#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_5_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium5_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
#else
return (OQS_STATUS) pqcrystals_dilithium5_ref_verify(signature, signature_len, message, message_len, public_key);
#endif
diff --git a/tests/KATs/kem/kats.json b/tests/KATs/kem/kats.json
index 0ca48ae58e..2aa233c92a 100644
--- a/tests/KATs/kem/kats.json
+++ b/tests/KATs/kem/kats.json
@@ -25,8 +25,8 @@
"HQC-128": "b9d10eda065c8ff31d40b929ad7f742889544363aa031096850009a882d9d827",
"HQC-192": "e0aaabf79ac558dc9d5e79a8abe88c313ecad1e55956de323f8811c81d0c0779",
"HQC-256": "4a5bc02661794464576dc2742636bd6123a3c0fde9dd0b52d9703866beae2f32",
- "Kyber1024": "5afcf2a568ad32d49b55105b032af1850f03f3888ff9e2a72f4059c58e968f60",
- "Kyber512": "bb0481d3325d828817900b709d23917cefbc10026fc857f098979451f67bb0ca",
- "Kyber768": "89e82a5bf2d4ddb2c6444e10409e6d9ca65dafbca67d1a0db2c9b54920a29172",
+ "Kyber1024": "03d6494b74c45d010e61b0328c1ab318c4df3b7f9dbd04d0e35b3468848584b7",
+ "Kyber512": "76aae1fa3f8367522700b22da635a5bc4ced4298edb0eb9947aa3ba60d62676f",
+ "Kyber768": "c7e76b4b30c786b5b70c152a446e7832c1cb42b3816ec048dbeaf7041211b310",
"sntrup761": "afc42c3a5b10f4ef69654250097ebda9b9564570f4086744b24a6daf2bd1f89a"
}
\ No newline at end of file
diff --git a/tests/KATs/sig/kats.json b/tests/KATs/sig/kats.json
index 921540672c..040f182b0b 100644
--- a/tests/KATs/sig/kats.json
+++ b/tests/KATs/sig/kats.json
@@ -1,7 +1,7 @@
{
- "Dilithium2": "26ae9c1224171e957dbe38672942d31edb7dffbe700825e0cb52128cdb45280a",
- "Dilithium3": "eea584803c3d6991a4acbf9f117147bbdd246faf822cfb1a17effe20b2052ba9",
- "Dilithium5": "3f6e58603a38be57cf08d79b01fcfd0ccc1129a09e14a6122c6fe22c906ddc3b",
+ "Dilithium2": "e6f3ec4dc0b02dd3bcbbc6b105190e1890ca0bb3f802e2b571f0d70f3993a2e1",
+ "Dilithium3": "7225c4531086d88c9b7fa18101b0f78dda2d38df88812c65ddc1ae94fe3c01a7",
+ "Dilithium5": "f5cb5ed44a261a4118f9cfd5d55b4210939cb5b8531968a10c37060551a8927f",
"Falcon-1024": "e699d88eb214fef30597385f40814baeb84ac505d5f05f5c257b0726fc4530b8",
"Falcon-512": "da27fe8a462de7307ddf1f9b00072a457d9c5b14e838c148fbe2662094b9a2ca",
"SPHINCS+-SHA2-128f-simple": "cd1e13db3a56c0a6b3486a7b12bcddfda50cf5d1e4d14d3113e6456e969b8114",
diff --git a/tests/constant_time/sig/passes/dilithium b/tests/constant_time/sig/passes/dilithium
index febdbcb55b..dc2667a81a 100644
--- a/tests/constant_time/sig/passes/dilithium
+++ b/tests/constant_time/sig/passes/dilithium
@@ -36,28 +36,28 @@
Rejection sampling for signature distribution
Memcheck:Cond
...
- src:sign.c:150 # Call to polyvecl_chknorm
+ src:sign.c:154 # Call to polyvecl_chknorm
# fun:pqcrystals_dilithium*_ref_signature
}
{
Rejection sampling for signature distribution
Memcheck:Cond
...
- src:sign.c:159 # Call to polyveck_chknorm
+ src:sign.c:163 # Call to polyveck_chknorm
# fun:pqcrystals_dilithium*_ref_signature
}
{
Rejection sampling for signature distribution
Memcheck:Cond
...
- src:sign.c:166 # Call to polyveck_chknorm
+ src:sign.c:170 # Call to polyveck_chknorm
# fun:pqcrystals_dilithium*_ref_signature
}
{
Hint does not need to be computed in constant time
Memcheck:Cond
...
- src:sign.c:170 # Call to polyveck_make_hint
+ src:sign.c:174 # Call to polyveck_make_hint
# fun:pqcrystals_dilithium*_ref_signature
}
{
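Review bot: Every suppression in this hunk is keyed only on a `src:sign.c:<line>` frame beneath a `...` wildcard, and the `fun:pqcrystals_dilithium*_ref_signature` frame that would tie it to the signing routine remains commented out, so after the renumbering (150→154, 159→163, 166→170, 170→174) the trailing comment is the only evidence that each entry still covers the intended `polyvec*_chknorm` / `polyveck_make_hint` call. A suppression that has drifted onto a different conditional would silently hide a genuinely secret-dependent `Memcheck:Cond` report, which is exactly what this test exists to catch. It would help to record how the numbers were re-derived, e.g. a header comment `# Line numbers checked against the vendored sign.c of the upstream revision recorded in alg_version`, and, if the `fun:` lines are commented out because of inlining under optimization, to say so in the file so nobody re-enables them blindly.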
diff --git a/tests/constant_time/sig/passes/dilithium-avx2 b/tests/constant_time/sig/passes/dilithium-avx2
index b762378821..e72f52158f 100644
--- a/tests/constant_time/sig/passes/dilithium-avx2
+++ b/tests/constant_time/sig/passes/dilithium-avx2
@@ -89,21 +89,21 @@
Rejection sampling for signature distribution
Memcheck:Cond
...
- src:sign.c:290 # Call to poly_chknorm
+ src:sign.c:240 # Call to poly_chknorm
# fun:pqcrystals_dilithium*_avx2_signature
}
{
Rejection sampling for signature distribution
Memcheck:Cond
...
- src:sign.c:305 # Call to poly_chknorm
+ src:sign.c:255 # Call to poly_chknorm
# fun:pqcrystals_dilithium*_avx2_signature
}
{
Rejection sampling for signature distribution
Memcheck:Cond
...
- src:sign.c:312 # Call to poly_chknorm
+ src:sign.c:262 # Call to poly_chknorm
# fun:pqcrystals_dilithium*_avx2_signature
}
{
@@ -118,27 +118,27 @@
Memcheck:Value8
...
fun:pqcrystals_dilithium*_avx2_poly_make_hint
- src:sign.c:316 # fun:pqcrystals_dilithium*_ref_signature
+ src:sign.c:266 # fun:pqcrystals_dilithium*_ref_signature
}
{
Rejection sampling for hint
Memcheck:Cond
...
- src:sign.c:317 # Checking number of 1 bits in hint
+ src:sign.c:267 # Checking number of 1 bits in hint
# fun:pqcrystals_dilithium*_avx2_signature
}
{
Hint positions are not secret
Memcheck:Cond
...
- src:sign.c:321 # memcpy
+ src:sign.c:271 # memcpy
# fun:pqcrystals_dilithium*_avx2_signature
}
{
Hint positions are not secret
Memcheck:Value8
...
- src:sign.c:321 # memcpy
+ src:sign.c:271 # memcpy
# fun:pqcrystals_dilithium*_avx2_signature
}
{
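Review bot: The renumbered line `src:sign.c:266 # fun:pqcrystals_dilithium*_ref_signature` carries a comment naming the ref implementation, but this entry sits under `fun:pqcrystals_dilithium*_avx2_poly_make_hint` in the AVX2 suppression file, so the label is wrong and makes the entry harder to re-verify at the next renumbering; it should read `src:sign.c:266 # fun:pqcrystals_dilithium*_avx2_signature`. This is also the only entry in the hunk whose `src:` frame is preceded by a concrete `fun:` frame rather than `...` alone, so presumably the others rely on the line number by itself and their trailing comments are the only documentation of what is being suppressed.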