Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pull Kyber division fixes from PQ-Crystals into main #1649

Merged
merged 6 commits into from
Jan 8, 2024
Merged

Pull Kyber division fixes from PQ-Crystals into main #1649

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f31686b
Update copy_from_upstream.py
praveksharma Jan 2, 2024
e983919
Run copy_from_upstream.py
praveksharma Jan 2, 2024
fd59f01
Update Kyber ARM patch to reflect pq-crystals/kyber@272125f
SWilson4 Jan 2, 2024
774c376
Run copy_from_upstream
SWilson4 Jan 2, 2024
1d0ec8c
Update to most recent Kyber commit
SWilson4 Jan 3, 2024
0347b00
Run copy_from_upstream
SWilson4 Jan 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/algorithms/kem/kyber.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@
- **Authors' website**: https://pq-crystals.org/
- **Specification version**: NIST Round 3 submission.
- **Primary Source**<a name="primary-source"></a>:
- **Source**: https://github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220 with copy_from_upstream patches
- **Source**: https://github.com/pq-crystals/kyber/commit/b628ba78711bc28327dc7d2d5c074a00f061884e with copy_from_upstream patches
- **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
- **Optimized Implementation sources**: https://github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220 with copy_from_upstream patches
- **Optimized Implementation sources**: https://github.com/pq-crystals/kyber/commit/b628ba78711bc28327dc7d2d5c074a00f061884e with copy_from_upstream patches
- **oldpqclean-aarch64**:<a name="oldpqclean-aarch64"></a>
- **Source**: https://github.com/PQClean/PQClean/commit/8e220a87308154d48fdfac40abbb191ac7fce06a with copy_from_upstream patches
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a better solution for this? There's apparently no trace (at least in the documentation) as to whether the (aarch64) code version that liboqs runs does or does not contain the "DIV" fix. Code review shows it does, but a more simple inspection by checking these alg documentation files does not. It's "hidden" within the statement (and a changed file contents of) "copy_from_upstream patches". Maybe worth while adding a hash of those patches here at some time?

- **Implementation license (SPDX-Identifier)**: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT) and MIT
Expand Down
2 changes: 1 addition & 1 deletion docs/algorithms/kem/kyber.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ website: https://pq-crystals.org/
nist-round: 3
spec-version: NIST Round 3 submission
primary-upstream:
source: https://github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220
source: https://github.com/pq-crystals/kyber/commit/b628ba78711bc28327dc7d2d5c074a00f061884e
with copy_from_upstream patches
spdx-license-identifier: CC0-1.0 or Apache-2.0
optimized-upstreams:
Expand Down
2 changes: 1 addition & 1 deletion scripts/copy_from_upstream/copy_from_upstream.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ upstreams:
name: pqcrystals-kyber
git_url: https://github.com/pq-crystals/kyber.git
git_branch: master
git_commit: dda29cc63af721981ee2c831cf00822e69be3220
bhess marked this conversation as resolved.
Show resolved Hide resolved
git_commit: b628ba78711bc28327dc7d2d5c074a00f061884e
kem_meta_path: '{pretty_name_full}_META.yml'
kem_scheme_path: '.'
patches: [pqcrystals-kyber-yml.patch, pqcrystals-kyber-ref-shake-aes.patch, pqcrystals-kyber-avx2-shake-aes.patch]
Expand Down
205 changes: 199 additions & 6 deletions scripts/copy_from_upstream/patches/pqclean-kyber-armneon-variable-timing-fix.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,31 @@
8f8d63fd708e00cc941ade03f405de21fdf17410
diff --git a/crypto_kem/kyber1024/aarch64/poly.c b/crypto_kem/kyber1024/aarch64/poly.c
index 1dfa52c..02e010b 100644
index 1dfa52c..3115d1c 100644
--- a/crypto_kem/kyber1024/aarch64/poly.c
+++ b/crypto_kem/kyber1024/aarch64/poly.c
@@ -207,14 +207,19 @@ void poly_frommsg(int16_t r[KYBER_N], const uint8_t msg[KYBER_INDCPA_MSGBYTES])
@@ -51,6 +51,7 @@
void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const int16_t a[KYBER_N]) {
unsigned int i, j;
int16_t u;
+ uint32_t d0;
uint8_t t[8];

for (i = 0; i < KYBER_N / 8; i++) {
@@ -58,7 +59,12 @@ void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const int16_t a[KYBER_N
// map to positive standard representatives
u = a[8 * i + j];
u += (u >> 15) & KYBER_Q;
- t[j] = ((((uint32_t)u << 5) + KYBER_Q / 2) / KYBER_Q) & 31;
+ // t[j] = ((((uint32_t)u << 5) + KYBER_Q / 2) / KYBER_Q) & 31;
+ d0 = u << 5;
+ d0 += 1664;
+ d0 *= 40318;
+ d0 >>= 27;
+ t[j] = d0 & 0x1f;
}

r[0] = (t[0] >> 0) | (t[1] << 5);
@@ -207,14 +213,19 @@ void poly_frommsg(int16_t r[KYBER_N], const uint8_t msg[KYBER_INDCPA_MSGBYTES])
**************************************************/
void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const int16_t a[KYBER_N]) {
unsigned int i, j;
Expand All @@ -25,11 +48,75 @@ index 1dfa52c..02e010b 100644
msg[i] |= t << j;
}
}
diff --git a/crypto_kem/kyber1024/aarch64/polyvec.c b/crypto_kem/kyber1024/aarch64/polyvec.c
index d400348..f9a1ebf 100644
--- a/crypto_kem/kyber1024/aarch64/polyvec.c
+++ b/crypto_kem/kyber1024/aarch64/polyvec.c
@@ -21,6 +21,7 @@
**************************************************/
void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K][KYBER_N]) {
unsigned int i, j, k;
+ uint64_t d0;

#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352))
uint16_t t[8];
@@ -29,7 +30,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 8; k++) {
t[k] = a[i][8 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
- t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
+ // t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
+ d0 = t[k];
+ d0 <<= 11;
+ d0 += 1664;
+ d0 *= 645084;
+ d0 >>= 31;
+ t[k] = d0 & 0x7ff;
}

r[ 0] = (t[0] >> 0);
@@ -53,7 +60,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 4; k++) {
t[k] = a[i][4 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
- t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
+ // t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
+ d0 = t[k];
+ d0 <<= 10;
+ d0 += 1665;
+ d0 *= 1290167;
+ d0 >>= 32;
+ t[k] = d0 & 0x3ff;
}

r[0] = (t[0] >> 0);
diff --git a/crypto_kem/kyber512/aarch64/poly.c b/crypto_kem/kyber512/aarch64/poly.c
index dffc655..fcfcedd 100644
index dffc655..361ce89 100644
--- a/crypto_kem/kyber512/aarch64/poly.c
+++ b/crypto_kem/kyber512/aarch64/poly.c
@@ -194,14 +194,19 @@ void poly_frommsg(int16_t r[KYBER_N], const uint8_t msg[KYBER_INDCPA_MSGBYTES])
@@ -51,6 +51,7 @@
void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const int16_t a[KYBER_N]) {
unsigned int i, j;
int16_t u;
+ uint32_t d0;
uint8_t t[8];

for (i = 0; i < KYBER_N / 8; i++) {
@@ -58,7 +59,12 @@ void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const int16_t a[KYBER_N
// map to positive standard representatives
u = a[8 * i + j];
u += (u >> 15) & KYBER_Q;
- t[j] = ((((uint16_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
+ // t[j] = ((((uint16_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
+ d0 = u << 4;
+ d0 += 1665;
+ d0 *= 80635;
+ d0 >>= 28;
+ t[j] = d0 & 0xf;
}

r[0] = t[0] | (t[1] << 4);
@@ -194,14 +200,19 @@ void poly_frommsg(int16_t r[KYBER_N], const uint8_t msg[KYBER_INDCPA_MSGBYTES])
**************************************************/
void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const int16_t a[KYBER_N]) {
unsigned int i, j;
Expand All @@ -52,11 +139,75 @@ index dffc655..fcfcedd 100644
msg[i] |= t << j;
}
}
diff --git a/crypto_kem/kyber512/aarch64/polyvec.c b/crypto_kem/kyber512/aarch64/polyvec.c
index d400348..f9a1ebf 100644
--- a/crypto_kem/kyber512/aarch64/polyvec.c
+++ b/crypto_kem/kyber512/aarch64/polyvec.c
@@ -21,6 +21,7 @@
**************************************************/
void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K][KYBER_N]) {
unsigned int i, j, k;
+ uint64_t d0;

#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352))
uint16_t t[8];
@@ -29,7 +30,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 8; k++) {
t[k] = a[i][8 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
- t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
+ // t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
+ d0 = t[k];
+ d0 <<= 11;
+ d0 += 1664;
+ d0 *= 645084;
+ d0 >>= 31;
+ t[k] = d0 & 0x7ff;
}

r[ 0] = (t[0] >> 0);
@@ -53,7 +60,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 4; k++) {
t[k] = a[i][4 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
- t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
+ // t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
+ d0 = t[k];
+ d0 <<= 10;
+ d0 += 1665;
+ d0 *= 1290167;
+ d0 >>= 32;
+ t[k] = d0 & 0x3ff;
}

r[0] = (t[0] >> 0);
diff --git a/crypto_kem/kyber768/aarch64/poly.c b/crypto_kem/kyber768/aarch64/poly.c
index dffc655..fcfcedd 100644
index dffc655..361ce89 100644
--- a/crypto_kem/kyber768/aarch64/poly.c
+++ b/crypto_kem/kyber768/aarch64/poly.c
@@ -194,14 +194,19 @@ void poly_frommsg(int16_t r[KYBER_N], const uint8_t msg[KYBER_INDCPA_MSGBYTES])
@@ -51,6 +51,7 @@
void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const int16_t a[KYBER_N]) {
unsigned int i, j;
int16_t u;
+ uint32_t d0;
uint8_t t[8];

for (i = 0; i < KYBER_N / 8; i++) {
@@ -58,7 +59,12 @@ void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const int16_t a[KYBER_N
// map to positive standard representatives
u = a[8 * i + j];
u += (u >> 15) & KYBER_Q;
- t[j] = ((((uint16_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
+ // t[j] = ((((uint16_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
+ d0 = u << 4;
+ d0 += 1665;
+ d0 *= 80635;
+ d0 >>= 28;
+ t[j] = d0 & 0xf;
}

r[0] = t[0] | (t[1] << 4);
@@ -194,14 +200,19 @@ void poly_frommsg(int16_t r[KYBER_N], const uint8_t msg[KYBER_INDCPA_MSGBYTES])
**************************************************/
void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const int16_t a[KYBER_N]) {
unsigned int i, j;
Expand All @@ -79,3 +230,45 @@ index dffc655..fcfcedd 100644
msg[i] |= t << j;
}
}
diff --git a/crypto_kem/kyber768/aarch64/polyvec.c b/crypto_kem/kyber768/aarch64/polyvec.c
index d400348..f9a1ebf 100644
--- a/crypto_kem/kyber768/aarch64/polyvec.c
+++ b/crypto_kem/kyber768/aarch64/polyvec.c
@@ -21,6 +21,7 @@
**************************************************/
void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K][KYBER_N]) {
unsigned int i, j, k;
+ uint64_t d0;

#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352))
uint16_t t[8];
@@ -29,7 +30,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 8; k++) {
t[k] = a[i][8 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
- t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
+ // t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
+ d0 = t[k];
+ d0 <<= 11;
+ d0 += 1664;
+ d0 *= 645084;
+ d0 >>= 31;
+ t[k] = d0 & 0x7ff;
}

r[ 0] = (t[0] >> 0);
@@ -53,7 +60,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 4; k++) {
t[k] = a[i][4 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
- t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
+ // t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
+ d0 = t[k];
+ d0 <<= 10;
+ d0 += 1665;
+ d0 *= 1290167;
+ d0 >>= 32;
+ t[k] = d0 & 0x3ff;
}

r[0] = (t[0] >> 0);
8 changes: 7 additions & 1 deletion src/kem/kyber/oldpqclean_kyber1024_aarch64/poly.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,14 +51,20 @@
void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const int16_t a[KYBER_N]) {
unsigned int i, j;
int16_t u;
uint32_t d0;
uint8_t t[8];

for (i = 0; i < KYBER_N / 8; i++) {
for (j = 0; j < 8; j++) {
// map to positive standard representatives
u = a[8 * i + j];
u += (u >> 15) & KYBER_Q;
t[j] = ((((uint32_t)u << 5) + KYBER_Q / 2) / KYBER_Q) & 31;
// t[j] = ((((uint32_t)u << 5) + KYBER_Q / 2) / KYBER_Q) & 31;
d0 = u << 5;
d0 += 1664;
d0 *= 40318;
d0 >>= 27;
t[j] = d0 & 0x1f;
}

r[0] = (t[0] >> 0) | (t[1] << 5);
Expand Down
17 changes: 15 additions & 2 deletions src/kem/kyber/oldpqclean_kyber1024_aarch64/polyvec.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
**************************************************/
void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K][KYBER_N]) {
unsigned int i, j, k;
uint64_t d0;

#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352))
uint16_t t[8];
Expand All @@ -29,7 +30,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 8; k++) {
t[k] = a[i][8 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
// t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
d0 = t[k];
d0 <<= 11;
d0 += 1664;
d0 *= 645084;
d0 >>= 31;
t[k] = d0 & 0x7ff;
}

r[ 0] = (t[0] >> 0);
Expand All @@ -53,7 +60,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 4; k++) {
t[k] = a[i][4 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
// t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
d0 = t[k];
d0 <<= 10;
d0 += 1665;
d0 *= 1290167;
d0 >>= 32;
t[k] = d0 & 0x3ff;
}

r[0] = (t[0] >> 0);
Expand Down
8 changes: 7 additions & 1 deletion src/kem/kyber/oldpqclean_kyber512_aarch64/poly.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,14 +51,20 @@
void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const int16_t a[KYBER_N]) {
unsigned int i, j;
int16_t u;
uint32_t d0;
uint8_t t[8];

for (i = 0; i < KYBER_N / 8; i++) {
for (j = 0; j < 8; j++) {
// map to positive standard representatives
u = a[8 * i + j];
u += (u >> 15) & KYBER_Q;
t[j] = ((((uint16_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
// t[j] = ((((uint16_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
d0 = u << 4;
d0 += 1665;
d0 *= 80635;
d0 >>= 28;
t[j] = d0 & 0xf;
}

r[0] = t[0] | (t[1] << 4);
Expand Down
17 changes: 15 additions & 2 deletions src/kem/kyber/oldpqclean_kyber512_aarch64/polyvec.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
**************************************************/
void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K][KYBER_N]) {
unsigned int i, j, k;
uint64_t d0;

#if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352))
uint16_t t[8];
Expand All @@ -29,7 +30,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 8; k++) {
t[k] = a[i][8 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
// t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff;
d0 = t[k];
d0 <<= 11;
d0 += 1664;
d0 *= 645084;
d0 >>= 31;
t[k] = d0 & 0x7ff;
}

r[ 0] = (t[0] >> 0);
Expand All @@ -53,7 +60,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], int16_t a[KYBER_K
for (k = 0; k < 4; k++) {
t[k] = a[i][4 * j + k];
t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
// t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
d0 = t[k];
d0 <<= 10;
d0 += 1665;
d0 *= 1290167;
d0 >>= 32;
t[k] = d0 & 0x3ff;
}

r[0] = (t[0] >> 0);
Expand Down
Loading
Loading