Update incremental block-wise SHAKE squeezes in MLDSA

aws · Jan 3, 2025 · b6a5590 · b6a5590
1 parent c5d0afd
commit b6a5590
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 29 deletions.
diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c
@@ -316,9 +316,9 @@ void ml_dsa_poly_uniform(ml_dsa_poly *a,
   t[1] = nonce >> 8;
 
   SHAKE_Init(&state, SHAKE128_BLOCKSIZE);
-  SHAKE_Update(&state, seed, ML_DSA_SEEDBYTES);
-  SHAKE_Update(&state, t, 2);
-  SHAKE_Finalize(buf, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE);
+  SHAKE_Absorb(&state, seed, ML_DSA_SEEDBYTES);
+  SHAKE_Absorb(&state, t, 2);
+  SHAKE_Squeeze(buf, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE);
 
   ctr = ml_dsa_rej_uniform(a->coeffs, ML_DSA_N, buf, buflen);
 
@@ -418,9 +418,9 @@ void ml_dsa_poly_uniform_eta(ml_dsa_params *params,
   t[1] = nonce >> 8;
 
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHAKE_Update(&state, seed, ML_DSA_CRHBYTES);
-  SHAKE_Update(&state, t, 2);
-  SHAKE_Finalize(buf, &state, ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE);
+  SHAKE_Absorb(&state, seed, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, t, 2);
+  SHAKE_Squeeze(buf, &state, ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE);
 
   ctr = rej_eta(params, a->coeffs, ML_DSA_N, buf, buflen);
 
@@ -460,9 +460,9 @@ void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params,
   t[1] = nonce >> 8;
 
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHAKE_Update(&state, seed, ML_DSA_CRHBYTES);
-  SHAKE_Update(&state, t, 2);
-  SHAKE_Finalize(buf, &state, POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_BLOCKSIZE);
+  SHAKE_Absorb(&state, seed, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, t, 2);
+  SHAKE_Final(buf, &state, POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_BLOCKSIZE);
   ml_dsa_polyz_unpack(params, a, buf);
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   OPENSSL_cleanse(buf, sizeof(buf));
@@ -487,8 +487,8 @@ void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t
   KECCAK1600_CTX state;
 
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHAKE_Update(&state, seed, params->c_tilde_bytes);
-  SHAKE_Finalize(buf, &state, SHAKE256_BLOCKSIZE);
+  SHAKE_Absorb(&state, seed, params->c_tilde_bytes);
+  SHAKE_Squeeze(buf, &state, SHAKE256_BLOCKSIZE);
 
   signs = 0;
   for(i = 0; i < 8; ++i) {

diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c
@@ -156,17 +156,17 @@ int ml_dsa_sign_internal(ml_dsa_params *params,
   // processing of M' in the external function. However, as M' = (pre, msg),
   // mu = CRH(tr, M') = CRH(tr, pre, msg).
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHAKE_Update(&state, tr, ML_DSA_TRBYTES);
-  SHAKE_Update(&state, pre, prelen);
-  SHAKE_Update(&state, m, mlen);
-  SHAKE_Finalize(mu, &state, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, tr, ML_DSA_TRBYTES);
+  SHAKE_Absorb(&state, pre, prelen);
+  SHAKE_Absorb(&state, m, mlen);
+  SHAKE_Final(mu, &state, ML_DSA_CRHBYTES);
 
   /* FIPS 204: line 7 Compute rhoprime = CRH(key, rnd, mu) */
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHAKE_Update(&state, key, ML_DSA_SEEDBYTES);
-  SHAKE_Update(&state, rnd, ML_DSA_RNDBYTES);
-  SHAKE_Update(&state, mu, ML_DSA_CRHBYTES);
-  SHAKE_Finalize(rhoprime, &state, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, key, ML_DSA_SEEDBYTES);
+  SHAKE_Absorb(&state, rnd, ML_DSA_RNDBYTES);
+  SHAKE_Absorb(&state, mu, ML_DSA_CRHBYTES);
+  SHAKE_Final(rhoprime, &state, ML_DSA_CRHBYTES);
 
   /* FIPS 204: line 5 Expand matrix and transform vectors */
   ml_dsa_polyvec_matrix_expand(params, mat, rho);
@@ -191,9 +191,9 @@ int ml_dsa_sign_internal(ml_dsa_params *params,
   ml_dsa_polyveck_pack_w1(params, sig, &w1);
 
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHAKE_Update(&state, mu, ML_DSA_CRHBYTES);
-  SHAKE_Update(&state, sig, params->k * params->poly_w1_packed_bytes);
-  SHAKE_Finalize(sig, &state, params->c_tilde_bytes);
+  SHAKE_Absorb(&state, mu, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, sig, params->k * params->poly_w1_packed_bytes);
+  SHAKE_Final(sig, &state, params->c_tilde_bytes);
   ml_dsa_poly_challenge(params, &cp, sig);
   ml_dsa_poly_ntt(&cp);
 
@@ -395,10 +395,10 @@ int ml_dsa_verify_internal(ml_dsa_params *params,
   // Like crypto_sign_signature_internal, the processing of M' is performed
   // here, as opposed to within the external function.
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHAKE_Update(&state, tr, ML_DSA_TRBYTES);
-  SHAKE_Update(&state, pre, prelen);
-  SHAKE_Update(&state, m, mlen);
-  SHAKE_Finalize(mu, &state, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, tr, ML_DSA_TRBYTES);
+  SHAKE_Absorb(&state, pre, prelen);
+  SHAKE_Absorb(&state, m, mlen);
+  SHAKE_Final(mu, &state, ML_DSA_CRHBYTES);
 
   /* FIPS 204: line 9 Matrix-vector multiplication; compute Az - c2^dt1 */
   ml_dsa_poly_challenge(params, &cp, c);
@@ -423,9 +423,9 @@ int ml_dsa_verify_internal(ml_dsa_params *params,
 
   /* FIPS 204: line 12 Call random oracle and verify challenge */
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHAKE_Update(&state, mu, ML_DSA_CRHBYTES);
-  SHAKE_Update(&state, buf, params->k * params->poly_w1_packed_bytes);
-  SHAKE_Finalize(c2, &state, params->c_tilde_bytes);
+  SHAKE_Absorb(&state, mu, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, buf, params->k * params->poly_w1_packed_bytes);
+  SHAKE_Final(c2, &state, params->c_tilde_bytes);
 
   for(i = 0; i < params->c_tilde_bytes; ++i) {
     if(c[i] != c2[i]) {