From 5084da907497dfc2586dedbdebafec6067621e9c Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Thu, 19 Dec 2024 17:37:05 -0800 Subject: [PATCH 01/12] header collisions --- crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h | 4 ++-- crypto/dilithium/pqcrystals_dilithium_ref_common/params.h | 4 ++-- crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h | 4 ++-- crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h | 4 ++-- crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h index ecceb13941..a4cb81c7bb 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h @@ -1,5 +1,5 @@ -#ifndef NTT_H -#define NTT_H +#ifndef ML_DSA_NTT_H +#define ML_DSA_NTT_H #include #include "params.h" diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h index 2cdbaad391..f4db11497d 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h @@ -1,5 +1,5 @@ -#ifndef PARAMS_H -#define PARAMS_H +#ifndef ML_DSA_PARAMS_H +#define ML_DSA_PARAMS_H // The only defined parameters are those that don't depend // on the parameter set. All other parameters are specified diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h index 3fc65a1be5..4d5e90b20a 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h @@ -1,5 +1,5 @@ -#ifndef POLY_H -#define POLY_H +#ifndef ML_DSA_POLY_H +#define ML_DSA_POLY_H #include #include "params.h" diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h index f6d467fa12..4d232e307f 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h @@ -1,5 +1,5 @@ -#ifndef POLYVEC_H -#define POLYVEC_H +#ifndef ML_DSA_POLYVEC_H +#define ML_DSA_POLYVEC_H #include #include "params.h" diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h index 9de2cd7e25..f377eee291 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h @@ -1,5 +1,5 @@ -#ifndef REDUCE_H -#define REDUCE_H +#ifndef ML_DSA_REDUCE_H +#define ML_DSA_REDUCE_H #include #include "params.h" From f420d8f1b76b92559332db9af09d148b11aa4ff1 Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Thu, 19 Dec 2024 18:23:59 -0800 Subject: [PATCH 02/12] ml_dsa unique constant names --- .../pqcrystals_dilithium_ref_common/ntt.c | 14 +-- .../pqcrystals_dilithium_ref_common/ntt.h | 4 +- .../pqcrystals_dilithium_ref_common/packing.c | 4 +- .../pqcrystals_dilithium_ref_common/params.c | 6 +- .../pqcrystals_dilithium_ref_common/params.h | 8 +- .../pqcrystals_dilithium_ref_common/poly.c | 110 +++++++++--------- .../pqcrystals_dilithium_ref_common/poly.h | 2 +- .../pqcrystals_dilithium_ref_common/reduce.c | 8 +- .../pqcrystals_dilithium_ref_common/reduce.h | 3 +- .../rounding.c | 16 +-- 10 files changed, 87 insertions(+), 88 deletions(-) diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c index b9260d6750..76abf2e24b 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c @@ -3,7 +3,7 @@ #include "ntt.h" #include "reduce.h" -static const int32_t zetas[N] = { +static const int32_t zetas[ML_DSA_N] = { 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549, @@ -47,13 +47,13 @@ static const int32_t zetas[N] = { * * Arguments: - uint32_t p[N]: input/output coefficient array **************************************************/ -void ntt(int32_t a[N]) { +void ntt(int32_t a[ML_DSA_N]) { unsigned int len, start, j, k; int32_t zeta, t; k = 0; for(len = 128; len > 0; len >>= 1) { - for(start = 0; start < N; start = j + len) { + for(start = 0; start < ML_DSA_N; start = j + len) { zeta = zetas[++k]; for(j = start; j < start + len; ++j) { t = fqmul(zeta, a[j + len]); @@ -76,14 +76,14 @@ void ntt(int32_t a[N]) { * * Arguments: - uint32_t p[N]: input/output coefficient array **************************************************/ -void invntt_tomont(int32_t a[N]) { +void invntt_tomont(int32_t a[ML_DSA_N]) { unsigned int start, len, j, k; int32_t t, zeta; const int32_t f = 41978; // mont^2/256 k = 256; - for(len = 1; len < N; len <<= 1) { - for(start = 0; start < N; start = j + len) { + for(len = 1; len < ML_DSA_N; len <<= 1) { + for(start = 0; start < ML_DSA_N; start = j + len) { zeta = -zetas[--k]; for(j = start; j < start + len; ++j) { t = a[j]; @@ -94,7 +94,7 @@ void invntt_tomont(int32_t a[N]) { } } - for(j = 0; j < N; ++j) { + for(j = 0; j < ML_DSA_N; ++j) { a[j] = fqmul(f, a[j]); } } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h index a4cb81c7bb..96b3b017de 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h @@ -4,8 +4,8 @@ #include #include "params.h" -void ntt(int32_t a[N]); +void ntt(int32_t a[ML_DSA_N]); -void invntt_tomont(int32_t a[N]); +void invntt_tomont(int32_t a[ML_DSA_N]); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c index 4504a72ff4..c61651f686 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c @@ -208,7 +208,7 @@ void pack_sig(ml_dsa_params *params, k = 0; for(i = 0; i < params->k; ++i) { - for(j = 0; j < N; ++j) { + for(j = 0; j < ML_DSA_N; ++j) { if(h->vec[i].coeffs[j] != 0) { sig[k++] = j; } @@ -254,7 +254,7 @@ int unpack_sig(ml_dsa_params *params, /* Decode h */ k = 0; for(i = 0; i < params->k; ++i) { - for(j = 0; j < N; ++j) { + for(j = 0; j < ML_DSA_N; ++j) { h->vec[i].coeffs[j] = 0; } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c index 9d28db175c..e94334484b 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c @@ -16,7 +16,7 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->omega = 80; params->c_tilde_bytes = 32; params->gamma1 = (1 << 17); - params->gamma2 = (Q-1)/88; + params->gamma2 = (ML_DSA_Q-1)/88; params->eta = 2; params->poly_z_packed_bytes = 576; params->poly_w1_packed_bytes = 192; @@ -38,7 +38,7 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->omega = 55; params->c_tilde_bytes = 48; params->gamma1 = (1 << 19); - params->gamma2 = (Q-1)/32; + params->gamma2 = (ML_DSA_Q-1)/32; params->eta = 4; params->poly_z_packed_bytes = 640; params->poly_w1_packed_bytes = 128; @@ -60,7 +60,7 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->omega = 75; params->c_tilde_bytes = 64; params->gamma1 = (1 << 19); - params->gamma2 = (Q-1)/32; + params->gamma2 = (ML_DSA_Q-1)/32; params->eta = 2; params->poly_z_packed_bytes = 640; params->poly_w1_packed_bytes = 128; diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h index f4db11497d..29bc7c3715 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h @@ -9,10 +9,10 @@ #define CRHBYTES 64 #define TRBYTES 64 #define RNDBYTES 32 -#define N 256 -#define Q 8380417 -#define D 13 -#define ROOT_OF_UNITY 1753 +#define ML_DSA_N 256 +#define ML_DSA_Q 8380417 +#define ML_DSA_D 13 +#define ML_DSA_ROOT_OF_UNITY 1753 #define POLYT1_PACKEDBYTES 320 #define POLYT0_PACKEDBYTES 416 diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c index ab257b71ac..c0e0279305 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c @@ -16,7 +16,7 @@ **************************************************/ void poly_reduce(poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] = reduce32(a->coeffs[i]); } } @@ -31,7 +31,7 @@ void poly_reduce(poly *a) { **************************************************/ void poly_caddq(poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] = caddq(a->coeffs[i]); } } @@ -47,7 +47,7 @@ void poly_caddq(poly *a) { **************************************************/ void poly_add(poly *c, const poly *a, const poly *b) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] + b->coeffs[i]; } } @@ -65,7 +65,7 @@ void poly_add(poly *c, const poly *a, const poly *b) { **************************************************/ void poly_sub(poly *c, const poly *a, const poly *b) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] - b->coeffs[i]; } } @@ -80,8 +80,8 @@ void poly_sub(poly *c, const poly *a, const poly *b) { **************************************************/ void poly_shiftl(poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { - a->coeffs[i] <<= D; + for(i = 0; i < ML_DSA_N; ++i) { + a->coeffs[i] <<= ML_DSA_D; } } @@ -123,7 +123,7 @@ void poly_invntt_tomont(poly *a) { **************************************************/ void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = fqmul(a->coeffs[i], b->coeffs[i]); } } @@ -142,7 +142,7 @@ void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { **************************************************/ void poly_power2round(poly *a1, poly *a0, const poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { a1->coeffs[i] = power2round(&a0->coeffs[i], a->coeffs[i]); } } @@ -163,7 +163,7 @@ void poly_power2round(poly *a1, poly *a0, const poly *a) { **************************************************/ void poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { a1->coeffs[i] = decompose(params, &a0->coeffs[i], a->coeffs[i]); } } @@ -184,7 +184,7 @@ void poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a) { **************************************************/ unsigned int poly_make_hint(ml_dsa_params *params, poly *h, const poly *a0, const poly *a1) { unsigned int i, s = 0; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { h->coeffs[i] = make_hint(params, a0->coeffs[i], a1->coeffs[i]); s += h->coeffs[i]; } @@ -203,7 +203,7 @@ unsigned int poly_make_hint(ml_dsa_params *params, poly *h, const poly *a0, cons **************************************************/ void poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { b->coeffs[i] = use_hint(params, a->coeffs[i], h->coeffs[i]); } } @@ -223,14 +223,14 @@ int poly_chknorm(const poly *a, int32_t B) { unsigned int i; int32_t t; - if(B > (Q-1)/8) { + if(B > (ML_DSA_Q-1)/8) { return 1; } /* It is ok to leak which coefficient violates the bound since the probability for each coefficient is independent of secret data but we must not leak the sign of the centralized representative. */ - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { /* Absolute value */ t = a->coeffs[i] >> 31; t = a->coeffs[i] - (t & 2*a->coeffs[i]); @@ -271,7 +271,7 @@ static unsigned int rej_uniform(int32_t *a, t |= (uint32_t)buf[pos++] << 16; t &= 0x7FFFFF; - if(t < Q) { + if(t < ML_DSA_Q) { a[ctr++] = t; } } @@ -283,7 +283,7 @@ static unsigned int rej_uniform(int32_t *a, * * Description: FIPS 204: Algorithm 30 RejNTTPoly. * Sample polynomial with uniformly random coefficients -* in [0,Q-1] by performing rejection sampling on the +* in [0,ML_DSA_Q-1] by performing rejection sampling on the * output stream of SHAKE128(seed|nonce) * * Arguments: - poly *a: pointer to output polynomial @@ -309,16 +309,16 @@ void poly_uniform(poly *a, SHA3_Update(&state, t, 2); SHAKE_Final(buf, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE); - ctr = rej_uniform(a->coeffs, N, buf, buflen); + ctr = rej_uniform(a->coeffs, ML_DSA_N, buf, buflen); - while(ctr < N) { + while(ctr < ML_DSA_N) { off = buflen % 3; for(i = 0; i < off; ++i) buf[i] = buf[buflen - off + i]; SHAKE_Final(buf + off, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE); buflen = SHAKE128_RATE + off; - ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); + ctr += rej_uniform(a->coeffs + ctr, ML_DSA_N - ctr, buf, buflen); } /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(buf, sizeof(buf)); @@ -411,11 +411,11 @@ void poly_uniform_eta(ml_dsa_params *params, SHA3_Update(&state, t, 2); SHAKE_Final(buf, &state, DILITHIUM_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE); - ctr = rej_eta(params, a->coeffs, N, buf, buflen); + ctr = rej_eta(params, a->coeffs, ML_DSA_N, buf, buflen); - while(ctr < N) { + while(ctr < ML_DSA_N) { SHAKE_Final(buf, &state, SHAKE256_BLOCKSIZE); - ctr += rej_eta(params, a->coeffs + ctr, N - ctr, buf, SHAKE256_RATE); + ctr += rej_eta(params, a->coeffs + ctr, ML_DSA_N - ctr, buf, SHAKE256_RATE); } /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(buf, sizeof(buf)); @@ -485,10 +485,10 @@ void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { } pos = 8; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = 0; } - for(i = N-params->tau; i < N; ++i) { + for(i = ML_DSA_N-params->tau; i < ML_DSA_N; ++i) { do { if(pos >= SHAKE256_RATE) { SHAKE_Final(buf, &state, SHAKE256_BLOCKSIZE); @@ -526,7 +526,7 @@ void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { (params->eta == 4)); if (params->eta == 2) { - for(i = 0; i < N/8; ++i) { + for(i = 0; i < ML_DSA_N/8; ++i) { t[0] = params->eta - a->coeffs[8*i+0]; t[1] = params->eta - a->coeffs[8*i+1]; t[2] = params->eta - a->coeffs[8*i+2]; @@ -542,7 +542,7 @@ void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { } } else if (params->eta == 4) { - for(i = 0; i < N/2; ++i) { + for(i = 0; i < ML_DSA_N/2; ++i) { t[0] = params->eta - a->coeffs[2*i+0]; t[1] = params->eta - a->coeffs[2*i+1]; r[i] = t[0] | (t[1] << 4); @@ -565,7 +565,7 @@ void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { (params->eta == 4)); if (params->eta == 2) { - for(i = 0; i < N/8; ++i) { + for(i = 0; i < ML_DSA_N/8; ++i) { r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7; r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7; r->coeffs[8*i+2] = ((a[3*i+0] >> 6) | (a[3*i+1] << 2)) & 7; @@ -586,7 +586,7 @@ void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { } } else if (params->eta == 4) { - for(i = 0; i < N/2; ++i) { + for(i = 0; i < ML_DSA_N/2; ++i) { r->coeffs[2*i+0] = a[i] & 0x0F; r->coeffs[2*i+1] = a[i] >> 4; r->coeffs[2*i+0] = params->eta - r->coeffs[2*i+0]; @@ -608,7 +608,7 @@ void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { void polyt1_pack(uint8_t *r, const poly *a) { unsigned int i; - for(i = 0; i < N/4; ++i) { + for(i = 0; i < ML_DSA_N/4; ++i) { r[5*i+0] = (a->coeffs[4*i+0] >> 0); r[5*i+1] = (a->coeffs[4*i+0] >> 8) | (a->coeffs[4*i+1] << 2); r[5*i+2] = (a->coeffs[4*i+1] >> 6) | (a->coeffs[4*i+2] << 4); @@ -629,7 +629,7 @@ void polyt1_pack(uint8_t *r, const poly *a) { void polyt1_unpack(poly *r, const uint8_t *a) { unsigned int i; - for(i = 0; i < N/4; ++i) { + for(i = 0; i < ML_DSA_N/4; ++i) { r->coeffs[4*i+0] = ((a[5*i+0] >> 0) | ((uint32_t)a[5*i+1] << 8)) & 0x3FF; r->coeffs[4*i+1] = ((a[5*i+1] >> 2) | ((uint32_t)a[5*i+2] << 6)) & 0x3FF; r->coeffs[4*i+2] = ((a[5*i+2] >> 4) | ((uint32_t)a[5*i+3] << 4)) & 0x3FF; @@ -650,15 +650,15 @@ void polyt0_pack(uint8_t *r, const poly *a) { unsigned int i; uint32_t t[8]; - for(i = 0; i < N/8; ++i) { - t[0] = (1 << (D-1)) - a->coeffs[8*i+0]; - t[1] = (1 << (D-1)) - a->coeffs[8*i+1]; - t[2] = (1 << (D-1)) - a->coeffs[8*i+2]; - t[3] = (1 << (D-1)) - a->coeffs[8*i+3]; - t[4] = (1 << (D-1)) - a->coeffs[8*i+4]; - t[5] = (1 << (D-1)) - a->coeffs[8*i+5]; - t[6] = (1 << (D-1)) - a->coeffs[8*i+6]; - t[7] = (1 << (D-1)) - a->coeffs[8*i+7]; + for(i = 0; i < ML_DSA_N/8; ++i) { + t[0] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+0]; + t[1] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+1]; + t[2] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+2]; + t[3] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+3]; + t[4] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+4]; + t[5] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+5]; + t[6] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+6]; + t[7] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+7]; r[13*i+ 0] = t[0]; r[13*i+ 1] = t[0] >> 8; @@ -694,7 +694,7 @@ void polyt0_pack(uint8_t *r, const poly *a) { void polyt0_unpack(poly *r, const uint8_t *a) { unsigned int i; - for(i = 0; i < N/8; ++i) { + for(i = 0; i < ML_DSA_N/8; ++i) { r->coeffs[8*i+0] = a[13*i+0]; r->coeffs[8*i+0] |= (uint32_t)a[13*i+1] << 8; r->coeffs[8*i+0] &= 0x1FFF; @@ -731,14 +731,14 @@ void polyt0_unpack(poly *r, const uint8_t *a) { r->coeffs[8*i+7] |= (uint32_t)a[13*i+12] << 5; r->coeffs[8*i+7] &= 0x1FFF; - r->coeffs[8*i+0] = (1 << (D-1)) - r->coeffs[8*i+0]; - r->coeffs[8*i+1] = (1 << (D-1)) - r->coeffs[8*i+1]; - r->coeffs[8*i+2] = (1 << (D-1)) - r->coeffs[8*i+2]; - r->coeffs[8*i+3] = (1 << (D-1)) - r->coeffs[8*i+3]; - r->coeffs[8*i+4] = (1 << (D-1)) - r->coeffs[8*i+4]; - r->coeffs[8*i+5] = (1 << (D-1)) - r->coeffs[8*i+5]; - r->coeffs[8*i+6] = (1 << (D-1)) - r->coeffs[8*i+6]; - r->coeffs[8*i+7] = (1 << (D-1)) - r->coeffs[8*i+7]; + r->coeffs[8*i+0] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+0]; + r->coeffs[8*i+1] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+1]; + r->coeffs[8*i+2] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+2]; + r->coeffs[8*i+3] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+3]; + r->coeffs[8*i+4] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+4]; + r->coeffs[8*i+5] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+5]; + r->coeffs[8*i+6] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+6]; + r->coeffs[8*i+7] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+7]; } } @@ -761,7 +761,7 @@ void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { (params->gamma1 == (1 << 19))); if (params->gamma1 == (1 << 17)) { - for(i = 0; i < N/4; ++i) { + for(i = 0; i < ML_DSA_N/4; ++i) { t[0] = params->gamma1 - a->coeffs[4*i+0]; t[1] = params->gamma1 - a->coeffs[4*i+1]; t[2] = params->gamma1 - a->coeffs[4*i+2]; @@ -782,7 +782,7 @@ void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { } } else if (params->gamma1 == (1 << 19)) { - for(i = 0; i < N/2; ++i) { + for(i = 0; i < ML_DSA_N/2; ++i) { t[0] = params->gamma1 - a->coeffs[2*i+0]; t[1] = params->gamma1 - a->coeffs[2*i+1]; @@ -813,7 +813,7 @@ void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { (params->gamma1 == (1 << 19))); if (params->gamma1 == (1 << 17)) { - for(i = 0; i < N/4; ++i) { + for(i = 0; i < ML_DSA_N/4; ++i) { r->coeffs[4*i+0] = a[9*i+0]; r->coeffs[4*i+0] |= (uint32_t)a[9*i+1] << 8; r->coeffs[4*i+0] |= (uint32_t)a[9*i+2] << 16; @@ -841,7 +841,7 @@ void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { } } else if (params->gamma1 == (1 << 19)) { - for(i = 0; i < N/2; ++i) { + for(i = 0; i < ML_DSA_N/2; ++i) { r->coeffs[2*i+0] = a[5*i+0]; r->coeffs[2*i+0] |= (uint32_t)a[5*i+1] << 8; r->coeffs[2*i+0] |= (uint32_t)a[5*i+2] << 16; @@ -872,8 +872,8 @@ void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { void polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { unsigned int i; - if (params->gamma2 == (Q-1)/88) { - for(i = 0; i < N/4; ++i) { + if (params->gamma2 == (ML_DSA_Q-1)/88) { + for(i = 0; i < ML_DSA_N/4; ++i) { r[3*i+0] = a->coeffs[4*i+0]; r[3*i+0] |= a->coeffs[4*i+1] << 6; r[3*i+1] = a->coeffs[4*i+1] >> 2; @@ -882,8 +882,8 @@ void polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { r[3*i+2] |= a->coeffs[4*i+3] << 2; } } - else if (params->gamma2 == (Q-1)/32) { - for(i = 0; i < N/2; ++i) + else if (params->gamma2 == (ML_DSA_Q-1)/32) { + for(i = 0; i < ML_DSA_N/2; ++i) r[i] = a->coeffs[2*i+0] | (a->coeffs[2*i+1] << 4); } } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h index 4d5e90b20a..5dbf25a20a 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h @@ -5,7 +5,7 @@ #include "params.h" typedef struct { - int32_t coeffs[N]; + int32_t coeffs[ML_DSA_N]; } poly; void poly_reduce(poly *a); diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c index 8d2ed54c47..cf09caf4ed 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c @@ -19,8 +19,8 @@ int64_t fqmul(int32_t a, int32_t b) { int32_t t; s = (int64_t)a*b; - t = (int64_t)(int32_t)s*QINV; - t = (s - (int64_t)t*Q) >> 32; + t = (int64_t)(int32_t)s * ML_DSA_QINV; + t = (s - (int64_t)t * ML_DSA_Q) >> 32; return t; } @@ -38,7 +38,7 @@ int32_t reduce32(int32_t a) { int32_t t; t = (a + (1 << 22)) >> 23; - t = a - t*Q; + t = a - t * ML_DSA_Q; return t; } @@ -52,7 +52,7 @@ int32_t reduce32(int32_t a) { * Returns r. **************************************************/ int32_t caddq(int32_t a) { - a += (a >> 31) & Q; + a += (a >> 31) & ML_DSA_Q; return a; } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h index f377eee291..d40bbc0189 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h @@ -4,8 +4,7 @@ #include #include "params.h" -#define MONT -4186625 // 2^32 % Q -#define QINV 58728449 // q^(-1) mod 2^32 +#define ML_DSA_QINV 58728449 // q^(-1) mod 2^32 int64_t fqmul(int32_t a, int32_t b); diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c index 4bff538887..32f5704422 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c @@ -18,8 +18,8 @@ int32_t power2round(int32_t *a0, int32_t a) { int32_t a1; - a1 = (a + (1 << (D-1)) - 1) >> D; - *a0 = a - (a1 << D); + a1 = (a + (1 << (ML_DSA_D-1)) - 1) >> ML_DSA_D; + *a0 = a - (a1 << ML_DSA_D); return a1; } @@ -40,21 +40,21 @@ int32_t power2round(int32_t *a0, int32_t a) { * Returns a1. **************************************************/ int32_t decompose(ml_dsa_params *params, int32_t *a0, int32_t a) { - assert((params->gamma2 == (Q-1)/32) || (params->gamma2 == (Q-1)/88)); + assert((params->gamma2 == (ML_DSA_Q-1)/32) || (params->gamma2 == (ML_DSA_Q-1)/88)); int32_t a1; a1 = (a + 127) >> 7; - if (params->gamma2 == (Q-1)/32) { + if (params->gamma2 == (ML_DSA_Q-1)/32) { a1 = (a1*1025 + (1 << 21)) >> 22; a1 &= 15; } - if (params->gamma2 == (Q-1)/88) { + if (params->gamma2 == (ML_DSA_Q-1)/88) { a1 = (a1*11275 + (1 << 23)) >> 24; a1 ^= ((43 - a1) >> 31) & a1; } *a0 = a - a1*2*params->gamma2; - *a0 -= (((Q-1)/2 - *a0) >> 31) & Q; + *a0 -= (((ML_DSA_Q-1)/2 - *a0) >> 31) & ML_DSA_Q; return a1; } @@ -94,14 +94,14 @@ unsigned int make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { int32_t use_hint(ml_dsa_params *params, int32_t a, unsigned int hint) { int32_t a0, a1; - assert((params->gamma2 == (Q-1)/32) || (params->gamma2 == (Q-1)/88)); + assert((params->gamma2 == (ML_DSA_Q-1)/32) || (params->gamma2 == (ML_DSA_Q-1)/88)); a1 = decompose(params, &a0, a); if(hint == 0) { return a1; } - if (params->gamma2 == (Q-1)/32) { + if (params->gamma2 == (ML_DSA_Q-1)/32) { if(a0 > 0) { return (a1 + 1) & 15; } From a3fd830df59e98b8287353f83f8ff7f0cb8b2284 Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Thu, 19 Dec 2024 18:35:24 -0800 Subject: [PATCH 03/12] rename duplicate functions --- .../pqcrystals_dilithium_ref_common/ntt.c | 4 ++-- .../pqcrystals_dilithium_ref_common/ntt.h | 2 +- .../pqcrystals_dilithium_ref_common/params.h | 1 - .../pqcrystals_dilithium_ref_common/poly.c | 22 +++++++++---------- .../pqcrystals_dilithium_ref_common/poly.h | 10 ++++----- .../pqcrystals_dilithium_ref_common/polyvec.c | 20 ++++++++--------- .../pqcrystals_dilithium_ref_common/sign.c | 4 ++-- 7 files changed, 31 insertions(+), 32 deletions(-) diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c index 76abf2e24b..074a8cda84 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c @@ -39,7 +39,7 @@ static const int32_t zetas[ML_DSA_N] = { }; /************************************************* -* Name: ntt +* Name: ml_dsa_ntt * * Description: FIPS 204: Algorithm 41. * Forward NTT, in-place. No modular reduction is performed after @@ -47,7 +47,7 @@ static const int32_t zetas[ML_DSA_N] = { * * Arguments: - uint32_t p[N]: input/output coefficient array **************************************************/ -void ntt(int32_t a[ML_DSA_N]) { +void ml_dsa_ntt(int32_t a[ML_DSA_N]) { unsigned int len, start, j, k; int32_t zeta, t; diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h index 96b3b017de..2dd56181a8 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h @@ -4,7 +4,7 @@ #include #include "params.h" -void ntt(int32_t a[ML_DSA_N]); +void ml_dsa_ntt(int32_t a[ML_DSA_N]); void invntt_tomont(int32_t a[ML_DSA_N]); diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h index 29bc7c3715..0b72e1ff3d 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h @@ -12,7 +12,6 @@ #define ML_DSA_N 256 #define ML_DSA_Q 8380417 #define ML_DSA_D 13 -#define ML_DSA_ROOT_OF_UNITY 1753 #define POLYT1_PACKEDBYTES 320 #define POLYT0_PACKEDBYTES 416 diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c index c0e0279305..d04405187f 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c @@ -7,14 +7,14 @@ #include "../../fipsmodule/sha/internal.h" /************************************************* -* Name: poly_reduce +* Name: ml_dsa_poly_reduce * * Description: Inplace reduction of all coefficients of polynomial to * representative in [-6283009,6283007]. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_reduce(poly *a) { +void ml_dsa_poly_reduce(poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] = reduce32(a->coeffs[i]); @@ -37,7 +37,7 @@ void poly_caddq(poly *a) { } /************************************************* -* Name: poly_add +* Name: ml_dsa_poly_add * * Description: Add polynomials. No modular reduction is performed. * @@ -45,7 +45,7 @@ void poly_caddq(poly *a) { * - const poly *a: pointer to first summand * - const poly *b: pointer to second summand **************************************************/ -void poly_add(poly *c, const poly *a, const poly *b) { +void ml_dsa_poly_add(poly *c, const poly *a, const poly *b) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] + b->coeffs[i]; @@ -53,7 +53,7 @@ void poly_add(poly *c, const poly *a, const poly *b) { } /************************************************* -* Name: poly_sub +* Name: ml_dsa_poly_sub * * Description: Subtract polynomials. No modular reduction is * performed. @@ -63,7 +63,7 @@ void poly_add(poly *c, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial to be * subtraced from first input polynomial **************************************************/ -void poly_sub(poly *c, const poly *a, const poly *b) { +void ml_dsa_poly_sub(poly *c, const poly *a, const poly *b) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] - b->coeffs[i]; @@ -86,19 +86,19 @@ void poly_shiftl(poly *a) { } /************************************************* -* Name: poly_ntt +* Name: ml_dsa_poly_ntt * * Description: Inplace forward NTT. Coefficients can grow by * 8*Q in absolute value. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_ntt(poly *a) { - ntt(a->coeffs); +void ml_dsa_poly_ntt(poly *a) { + ml_dsa_ntt(a->coeffs); } /************************************************* -* Name: poly_invntt_tomont +* Name: ml_dsa_poly_invntt_tomont * * Description: Inplace inverse NTT and multiplication by 2^{32}. * Input coefficients need to be less than Q in absolute @@ -106,7 +106,7 @@ void poly_ntt(poly *a) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_invntt_tomont(poly *a) { +void ml_dsa_poly_invntt_tomont(poly *a) { invntt_tomont(a->coeffs); } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h index 5dbf25a20a..540e538d9e 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h @@ -8,19 +8,19 @@ typedef struct { int32_t coeffs[ML_DSA_N]; } poly; -void poly_reduce(poly *a); +void ml_dsa_poly_reduce(poly *a); void poly_caddq(poly *a); -void poly_add(poly *c, const poly *a, const poly *b); +void ml_dsa_poly_add(poly *c, const poly *a, const poly *b); -void poly_sub(poly *c, const poly *a, const poly *b); +void ml_dsa_poly_sub(poly *c, const poly *a, const poly *b); void poly_shiftl(poly *a); -void poly_ntt(poly *a); +void ml_dsa_poly_ntt(poly *a); -void poly_invntt_tomont(poly *a); +void ml_dsa_poly_invntt_tomont(poly *a); void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b); diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c index ddf6072813..cb62a13352 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c @@ -106,7 +106,7 @@ void polyvecl_uniform_gamma1(ml_dsa_params *params, void polyvecl_reduce(ml_dsa_params *params, polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_reduce(&v->vec[i]); + ml_dsa_poly_reduce(&v->vec[i]); } } @@ -127,7 +127,7 @@ void polyvecl_add(ml_dsa_params *params, const polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); + ml_dsa_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); } } @@ -143,7 +143,7 @@ void polyvecl_add(ml_dsa_params *params, void polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_ntt(&v->vec[i]); + ml_dsa_poly_ntt(&v->vec[i]); } } @@ -160,7 +160,7 @@ void polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { void polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_invntt_tomont(&v->vec[i]); + ml_dsa_poly_invntt_tomont(&v->vec[i]); } } @@ -208,7 +208,7 @@ void polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); for(i = 1; i < params->l; ++i) { poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); - poly_add(w, w, &t); + ml_dsa_poly_add(w, w, &t); } } @@ -273,7 +273,7 @@ void polyveck_uniform_eta(ml_dsa_params *params, void polyveck_reduce(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_reduce(&v->vec[i]); + ml_dsa_poly_reduce(&v->vec[i]); } } @@ -310,7 +310,7 @@ void polyveck_add(ml_dsa_params *params, const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); + ml_dsa_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); } } @@ -332,7 +332,7 @@ void polyveck_sub(ml_dsa_params *params, const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); + ml_dsa_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); } } @@ -364,7 +364,7 @@ void polyveck_shiftl(ml_dsa_params *params, polyveck *v) { void polyveck_ntt(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_ntt(&v->vec[i]); + ml_dsa_poly_ntt(&v->vec[i]); } } @@ -381,7 +381,7 @@ void polyveck_ntt(ml_dsa_params *params, polyveck *v) { void polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_invntt_tomont(&v->vec[i]); + ml_dsa_poly_invntt_tomont(&v->vec[i]); } } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c index 3b5b2d20df..701eab489a 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c @@ -195,7 +195,7 @@ int crypto_sign_signature_internal(ml_dsa_params *params, SHA3_Update(&state, sig, params->k * params->poly_w1_packed_bytes); SHAKE_Final(sig, &state, params->c_tilde_bytes); poly_challenge(params, &cp, sig); - poly_ntt(&cp); + ml_dsa_poly_ntt(&cp); /* FIPS 204: line 20 Compute z, reject if it reveals secret */ polyvecl_pointwise_poly_montgomery(params, &z, &cp, &s1); @@ -407,7 +407,7 @@ int crypto_sign_verify_internal(ml_dsa_params *params, polyvecl_ntt(params, &z); polyvec_matrix_pointwise_montgomery(params, &w1, mat, &z); - poly_ntt(&cp); + ml_dsa_poly_ntt(&cp); polyveck_shiftl(params, &t1); polyveck_ntt(params, &t1); polyveck_pointwise_poly_montgomery(params, &t1, &cp, &t1); From 4a7a61a9c6c03d6f284b8ddca8b1fec55744062b Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Thu, 19 Dec 2024 18:56:16 -0800 Subject: [PATCH 04/12] rename dilithium constants --- .../pqcrystals_dilithium_ref_common/params.h | 12 ++++++------ .../dilithium/pqcrystals_dilithium_ref_common/poly.c | 8 ++++---- .../pqcrystals_dilithium_ref_common/polyvec.h | 4 ++-- .../dilithium/pqcrystals_dilithium_ref_common/sign.c | 12 ++++++------ 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h index 0b72e1ff3d..9e886f1ecd 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h @@ -37,12 +37,12 @@ typedef struct { // We define max values for some parameters because they are used // for static allocation. -#define DILITHIUM_K_MAX (8) -#define DILITHIUM_L_MAX (7) -#define DILITHIUM_C_TILDE_BYTES_MAX (64) -#define DILITHIUM_POLYW1_PACKEDBYTES_MAX (192) -#define DILITHIUM_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_RATE - 1)/SHAKE256_RATE) -#define DILITHIUM_POLYZ_PACKEDBYTES_MAX (576) +#define ML_DSA_K_MAX (8) +#define ML_DSA_L_MAX (7) +#define ML_DSA_C_TILDE_BYTES_MAX (64) +#define ML_DSA_POLYW1_PACKEDBYTES_MAX (192) +#define ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_RATE - 1)/SHAKE256_RATE) +#define ML_DSA_POLYZ_PACKEDBYTES_MAX (576) void ml_dsa_44_params_init(ml_dsa_params *params); void ml_dsa_65_params_init(ml_dsa_params *params); diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c index d04405187f..776247377e 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c @@ -398,8 +398,8 @@ void poly_uniform_eta(ml_dsa_params *params, uint16_t nonce) { unsigned int ctr; - unsigned int buflen = DILITHIUM_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE; - uint8_t buf[DILITHIUM_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE]; + unsigned int buflen = ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE; + uint8_t buf[ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE]; KECCAK1600_CTX state; uint8_t t[2]; @@ -409,7 +409,7 @@ void poly_uniform_eta(ml_dsa_params *params, SHAKE_Init(&state, SHAKE256_BLOCKSIZE); SHA3_Update(&state, seed, CRHBYTES); SHA3_Update(&state, t, 2); - SHAKE_Final(buf, &state, DILITHIUM_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE); + SHAKE_Final(buf, &state, ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE); ctr = rej_eta(params, a->coeffs, ML_DSA_N, buf, buflen); @@ -434,7 +434,7 @@ void poly_uniform_eta(ml_dsa_params *params, * - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 16-bit nonce **************************************************/ -#define POLY_UNIFORM_GAMMA1_NBLOCKS ((DILITHIUM_POLYZ_PACKEDBYTES_MAX + SHAKE256_RATE - 1) / SHAKE256_RATE) +#define POLY_UNIFORM_GAMMA1_NBLOCKS ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_RATE - 1) / SHAKE256_RATE) void poly_uniform_gamma1(ml_dsa_params *params, poly *a, const uint8_t seed[CRHBYTES], diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h index 4d232e307f..f8774505af 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h @@ -7,7 +7,7 @@ /* Vectors of polynomials of length L */ typedef struct { - poly vec[DILITHIUM_L_MAX]; + poly vec[ML_DSA_L_MAX]; } polyvecl; void polyvecl_uniform_eta(ml_dsa_params *params, @@ -44,7 +44,7 @@ void polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, int polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t B); typedef struct { - poly vec[DILITHIUM_K_MAX]; + poly vec[ML_DSA_K_MAX]; } polyveck; void polyveck_uniform_eta(ml_dsa_params *params, diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c index 701eab489a..45f4cd43f8 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c @@ -30,7 +30,7 @@ int crypto_sign_keypair_internal(ml_dsa_params *params, uint8_t seedbuf[2*SEEDBYTES + CRHBYTES]; uint8_t tr[TRBYTES]; const uint8_t *rho, *rhoprime, *key; - polyvecl mat[DILITHIUM_K_MAX]; + polyvecl mat[ML_DSA_K_MAX]; polyvecl s1 = {{{{0}}}}; polyvecl s1hat; polyveck s2, t1, t0; @@ -138,7 +138,7 @@ int crypto_sign_signature_internal(ml_dsa_params *params, uint8_t seedbuf[2*SEEDBYTES + TRBYTES + 2*CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; - polyvecl mat[DILITHIUM_K_MAX], s1, y, z; + polyvecl mat[ML_DSA_K_MAX], s1, y, z; polyveck t0, s2, w1, w0, h; poly cp; KECCAK1600_CTX state; @@ -365,14 +365,14 @@ int crypto_sign_verify_internal(ml_dsa_params *params, const uint8_t *pk) { unsigned int i; - uint8_t buf[DILITHIUM_K_MAX*DILITHIUM_POLYW1_PACKEDBYTES_MAX]; + uint8_t buf[ML_DSA_K_MAX*ML_DSA_POLYW1_PACKEDBYTES_MAX]; uint8_t rho[SEEDBYTES]; uint8_t mu[CRHBYTES]; uint8_t tr[TRBYTES]; - uint8_t c[DILITHIUM_C_TILDE_BYTES_MAX]; - uint8_t c2[DILITHIUM_C_TILDE_BYTES_MAX]; + uint8_t c[ML_DSA_C_TILDE_BYTES_MAX]; + uint8_t c2[ML_DSA_C_TILDE_BYTES_MAX]; poly cp; - polyvecl mat[DILITHIUM_K_MAX], z; + polyvecl mat[ML_DSA_K_MAX], z; polyveck t1, w1, h; KECCAK1600_CTX state; From 363d631833cf14a67f949d3edab487ef69b2f2b4 Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Thu, 19 Dec 2024 19:32:14 -0800 Subject: [PATCH 05/12] change generic names to mldsa specific --- crypto/dilithium/ml_dsa.c | 61 ++++---- .../pqcrystals_dilithium_ref_common/sign.c | 134 +++++++++--------- .../pqcrystals_dilithium_ref_common/sign.h | 80 +++++------ 3 files changed, 137 insertions(+), 138 deletions(-) diff --git a/crypto/dilithium/ml_dsa.c b/crypto/dilithium/ml_dsa.c index 1c80a1a524..6bc2f53ae5 100644 --- a/crypto/dilithium/ml_dsa.c +++ b/crypto/dilithium/ml_dsa.c @@ -27,7 +27,7 @@ int ml_dsa_44_keypair(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return (crypto_sign_keypair(¶ms, public_key, private_key) == 0); + return (mldsa_keypair(¶ms, public_key, private_key) == 0); } int ml_dsa_44_keypair_internal(uint8_t *public_key /* OUT */, @@ -35,7 +35,7 @@ int ml_dsa_44_keypair_internal(uint8_t *public_key /* OUT */, const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_keypair_internal(¶ms, public_key, private_key, seed) == 0; + return mldsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } int ml_dsa_44_sign(const uint8_t *private_key /* IN */, @@ -47,8 +47,8 @@ int ml_dsa_44_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return mldsa_signature(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, @@ -61,8 +61,8 @@ int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return mldsa_signature_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_44_verify(const uint8_t *public_key /* IN */, @@ -74,8 +74,8 @@ int ml_dsa_44_verify(const uint8_t *public_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return mldsa_verify(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, public_key) == 0; } int ml_dsa_44_verify_internal(const uint8_t *public_key /* IN */, @@ -87,15 +87,15 @@ int ml_dsa_44_verify_internal(const uint8_t *public_key /* IN */, size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_verify_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, public_key) == 0; + return mldsa_verify_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, public_key) == 0; } int ml_dsa_65_keypair(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return (crypto_sign_keypair(¶ms, public_key, private_key) == 0); + return (mldsa_keypair(¶ms, public_key, private_key) == 0); } int ml_dsa_65_keypair_internal(uint8_t *public_key /* OUT */, @@ -103,7 +103,7 @@ int ml_dsa_65_keypair_internal(uint8_t *public_key /* OUT */, const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_keypair_internal(¶ms, public_key, private_key, seed) == 0; + return mldsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } int ml_dsa_65_sign(const uint8_t *private_key /* IN */, @@ -115,8 +115,8 @@ int ml_dsa_65_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return mldsa_signature(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, @@ -129,8 +129,8 @@ int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return mldsa_signature_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_65_verify(const uint8_t *public_key /* IN */, @@ -142,8 +142,8 @@ int ml_dsa_65_verify(const uint8_t *public_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return mldsa_verify(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, public_key) == 0; } int ml_dsa_65_verify_internal(const uint8_t *public_key /* IN */, @@ -155,15 +155,15 @@ int ml_dsa_65_verify_internal(const uint8_t *public_key /* IN */, size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_verify_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, public_key) == 0; + return mldsa_verify_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, public_key) == 0; } int ml_dsa_87_keypair(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return (crypto_sign_keypair(¶ms, public_key, private_key) == 0); + return (mldsa_keypair(¶ms, public_key, private_key) == 0); } int ml_dsa_87_keypair_internal(uint8_t *public_key /* OUT */, @@ -171,7 +171,7 @@ int ml_dsa_87_keypair_internal(uint8_t *public_key /* OUT */, const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_keypair_internal(¶ms, public_key, private_key, seed) == 0; + return mldsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } int ml_dsa_87_sign(const uint8_t *private_key /* IN */, @@ -183,8 +183,8 @@ int ml_dsa_87_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return mldsa_signature(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, @@ -197,8 +197,8 @@ int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return mldsa_signature_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_87_verify(const uint8_t *public_key /* IN */, @@ -210,8 +210,8 @@ int ml_dsa_87_verify(const uint8_t *public_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return mldsa_verify(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, public_key) == 0; } int ml_dsa_87_verify_internal(const uint8_t *public_key /* IN */, @@ -223,7 +223,6 @@ int ml_dsa_87_verify_internal(const uint8_t *public_key /* IN */, size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_verify_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, public_key) == 0; + return mldsa_verify_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, public_key) == 0; } - diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c index 45f4cd43f8..0fca375dab 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c @@ -9,7 +9,7 @@ /************************************************* - * Name: crypto_sign_keypair_internal + * Name: mldsa_keypair_internal * * Description: FIPS 204: Algorithm 6 ML-DSA.KeyGen_internal. * Generates public and private key. Internal API. @@ -23,10 +23,10 @@ * * Returns 0 (success) **************************************************/ -int crypto_sign_keypair_internal(ml_dsa_params *params, - uint8_t *pk, - uint8_t *sk, - const uint8_t *seed) { +int mldsa_keypair_internal(ml_dsa_params *params, + uint8_t *pk, + uint8_t *sk, + const uint8_t *seed) { uint8_t seedbuf[2*SEEDBYTES + CRHBYTES]; uint8_t tr[TRBYTES]; const uint8_t *rho, *rhoprime, *key; @@ -83,7 +83,7 @@ int crypto_sign_keypair_internal(ml_dsa_params *params, } /************************************************* -* Name: crypto_sign_keypair +* Name: mldsa_keypair * * Description: FIPS 204: Algorithm 1 ML-DSA.KeyGen * Generates public and private key. @@ -96,18 +96,18 @@ int crypto_sign_keypair_internal(ml_dsa_params *params, * * Returns 0 (success) -1 on failure **************************************************/ -int crypto_sign_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { +int mldsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { uint8_t seed[SEEDBYTES]; if (!RAND_bytes(seed, SEEDBYTES)) { return -1; } - crypto_sign_keypair_internal(params, pk, sk, seed); + mldsa_keypair_internal(params, pk, sk, seed); OPENSSL_cleanse(seed, sizeof(seed)); return 0; } /************************************************* -* Name: crypto_sign_signature_internal +* Name: mldsa_signature_internal * * Description: FIPS 204: Algorithm 7 ML-DSA.Sign_internal. * Computes signature. Internal API. @@ -124,15 +124,15 @@ int crypto_sign_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature_internal(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pre, - size_t prelen, - const uint8_t *rnd, - const uint8_t *sk) +int mldsa_signature_internal(ml_dsa_params *params, + uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pre, + size_t prelen, + const uint8_t *rnd, + const uint8_t *sk) { unsigned int n; uint8_t seedbuf[2*SEEDBYTES + TRBYTES + 2*CRHBYTES]; @@ -253,7 +253,7 @@ int crypto_sign_signature_internal(ml_dsa_params *params, } /************************************************* -* Name: crypto_sign_signature +* Name: mldsa_signature * * Description: FIPS 204: Algorithm 2 ML-DSA.Sign. * Computes signature in hedged mode. @@ -268,14 +268,14 @@ int crypto_sign_signature_internal(ml_dsa_params *params, * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *sk) +int mldsa_signature(ml_dsa_params *params, + uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { uint8_t pre[257]; uint8_t rnd[RNDBYTES]; @@ -291,7 +291,7 @@ int crypto_sign_signature(ml_dsa_params *params, if (!RAND_bytes(rnd, RNDBYTES)) { return -1; } - crypto_sign_signature_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk); + mldsa_signature_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk); /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(pre, sizeof(pre)); @@ -300,7 +300,7 @@ int crypto_sign_signature(ml_dsa_params *params, } /************************************************* -* Name: crypto_sign +* Name: mldsa_sign_message * * Description: Compute signed message. * @@ -318,14 +318,14 @@ int crypto_sign_signature(ml_dsa_params *params, * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign(ml_dsa_params *params, - uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *sk) +int mldsa_sign_message(ml_dsa_params *params, + uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { int ret; size_t i; @@ -333,13 +333,13 @@ int crypto_sign(ml_dsa_params *params, for(i = 0; i < mlen; ++i) { sm[params->bytes + mlen - 1 - i] = m[mlen - 1 - i]; } - ret = crypto_sign_signature(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); + ret = mldsa_signature(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); *smlen += mlen; return ret; } /************************************************* -* Name: crypto_sign_verify_internal +* Name: mldsa_verify_internal * * Description: FIPS 204: Algorithm 8 ML-DSA.Verify_internal. * Verifies signature. Internal API. @@ -355,14 +355,14 @@ int crypto_sign(ml_dsa_params *params, * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify_internal(ml_dsa_params *params, - const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pre, - size_t prelen, - const uint8_t *pk) +int mldsa_verify_internal(ml_dsa_params *params, + const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pre, + size_t prelen, + const uint8_t *pk) { unsigned int i; uint8_t buf[ML_DSA_K_MAX*ML_DSA_POLYW1_PACKEDBYTES_MAX]; @@ -449,7 +449,7 @@ int crypto_sign_verify_internal(ml_dsa_params *params, } /************************************************* -* Name: crypto_sign_verify +* Name: mldsa_verify * * Description: FIPS 204: Algorithm 3 ML-DSA.Verify. * Verifies signature. @@ -465,14 +465,14 @@ int crypto_sign_verify_internal(ml_dsa_params *params, * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify(ml_dsa_params *params, - const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *pk) +int mldsa_verify(ml_dsa_params *params, + const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *pk) { uint8_t pre[257]; @@ -483,11 +483,11 @@ int crypto_sign_verify(ml_dsa_params *params, pre[0] = 0; pre[1] = ctxlen; OPENSSL_memcpy(pre + 2 , ctx, ctxlen); - return crypto_sign_verify_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, pk); + return mldsa_verify_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, pk); } /************************************************* -* Name: crypto_sign_open +* Name: mldsa_verify_message * * Description: Verify signed message. * @@ -503,14 +503,14 @@ int crypto_sign_verify(ml_dsa_params *params, * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_open(ml_dsa_params *params, - uint8_t *m, - size_t *mlen, - const uint8_t *sm, - size_t smlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *pk) +int mldsa_verify_message(ml_dsa_params *params, + uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *pk) { if(smlen < params->bytes) { @@ -518,7 +518,7 @@ int crypto_sign_open(ml_dsa_params *params, } *mlen = smlen - params->bytes; - if(crypto_sign_verify(params,sm, params->bytes, sm + params->bytes, *mlen, ctx, ctxlen, pk)) { + if(mldsa_verify(params,sm, params->bytes, sm + params->bytes, *mlen, ctx, ctxlen, pk)) { goto badsig; } else { diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h index 9110d6e793..b8d55db40a 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h @@ -5,48 +5,48 @@ #include #include "params.h" -int crypto_sign_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk); +int mldsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk); + +int mldsa_keypair_internal(ml_dsa_params *params, + uint8_t *pk, + uint8_t *sk, + const uint8_t *seed); + +int mldsa_signature(ml_dsa_params *params, + uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int mldsa_signature_internal(ml_dsa_params *params, + uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *pre, size_t prelen, + const uint8_t *rnd, + const uint8_t *sk); + +int mldsa_sign_message(ml_dsa_params *params, + uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); -int crypto_sign_keypair_internal(ml_dsa_params *params, - uint8_t *pk, - uint8_t *sk, - const uint8_t *seed); +int mldsa_verify(ml_dsa_params *params, + const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); -int crypto_sign_signature(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, +int mldsa_verify_internal(ml_dsa_params *params, + const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *sk); - -int crypto_sign_signature_internal(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pre, size_t prelen, - const uint8_t *rnd, - const uint8_t *sk); - -int crypto_sign(ml_dsa_params *params, - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *sk); - -int crypto_sign_verify(ml_dsa_params *params, - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *pk); - -int crypto_sign_verify_internal(ml_dsa_params *params, - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pre, size_t prelen, - const uint8_t *pk); - -int crypto_sign_open(ml_dsa_params *params, - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *pk); + const uint8_t *pre, size_t prelen, + const uint8_t *pk); + +int mldsa_verify_message(ml_dsa_params *params, + uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); #endif From 2bbdfc975539e79985135f515caa45399229d1f6 Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Mon, 23 Dec 2024 19:49:16 -0800 Subject: [PATCH 06/12] added prefix for all mldsa functions to prevent conflicts --- .../pqcrystals_dilithium_ref_common/ntt.c | 10 +- .../pqcrystals_dilithium_ref_common/ntt.h | 2 +- .../pqcrystals_dilithium_ref_common/packing.c | 132 +++++----- .../pqcrystals_dilithium_ref_common/packing.h | 82 +++---- .../pqcrystals_dilithium_ref_common/params.c | 34 ++- .../pqcrystals_dilithium_ref_common/params.h | 12 +- .../pqcrystals_dilithium_ref_common/poly.c | 118 ++++----- .../pqcrystals_dilithium_ref_common/poly.h | 64 ++--- .../pqcrystals_dilithium_ref_common/polyvec.c | 232 +++++++++--------- .../pqcrystals_dilithium_ref_common/polyvec.h | 144 +++++------ .../pqcrystals_dilithium_ref_common/reduce.c | 20 +- .../pqcrystals_dilithium_ref_common/reduce.h | 8 +- .../rounding.c | 18 +- .../rounding.h | 12 +- .../pqcrystals_dilithium_ref_common/sign.c | 182 +++++++------- .../pqcrystals_dilithium_ref_common/sign.h | 4 +- 16 files changed, 544 insertions(+), 530 deletions(-) diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c index 074a8cda84..93a91e57c0 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c @@ -56,7 +56,7 @@ void ml_dsa_ntt(int32_t a[ML_DSA_N]) { for(start = 0; start < ML_DSA_N; start = j + len) { zeta = zetas[++k]; for(j = start; j < start + len; ++j) { - t = fqmul(zeta, a[j + len]); + t = ml_dsa_fqmul(zeta, a[j + len]); a[j + len] = a[j] - t; a[j] = a[j] + t; } @@ -65,7 +65,7 @@ void ml_dsa_ntt(int32_t a[ML_DSA_N]) { } /************************************************* -* Name: invntt_tomont +* Name: ml_dsa_invntt_tomont * * Description: FIPS 204: Algorithm 42. * Inverse NTT and multiplication by Montgomery factor 2^32. @@ -76,7 +76,7 @@ void ml_dsa_ntt(int32_t a[ML_DSA_N]) { * * Arguments: - uint32_t p[N]: input/output coefficient array **************************************************/ -void invntt_tomont(int32_t a[ML_DSA_N]) { +void ml_dsa_invntt_tomont(int32_t a[ML_DSA_N]) { unsigned int start, len, j, k; int32_t t, zeta; const int32_t f = 41978; // mont^2/256 @@ -89,12 +89,12 @@ void invntt_tomont(int32_t a[ML_DSA_N]) { t = a[j]; a[j] = t + a[j + len]; a[j + len] = t - a[j + len]; - a[j + len] = fqmul(zeta, a[j + len]); + a[j + len] = ml_dsa_fqmul(zeta, a[j + len]); } } } for(j = 0; j < ML_DSA_N; ++j) { - a[j] = fqmul(f, a[j]); + a[j] = ml_dsa_fqmul(f, a[j]); } } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h index 2dd56181a8..108a8b1228 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h @@ -6,6 +6,6 @@ void ml_dsa_ntt(int32_t a[ML_DSA_N]); -void invntt_tomont(int32_t a[ML_DSA_N]); +void ml_dsa_invntt_tomont(int32_t a[ML_DSA_N]); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c index c61651f686..5ee0b62529 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c @@ -4,7 +4,7 @@ #include "poly.h" /************************************************* -* Name: pack_pk +* Name: ml_dsa_pack_pk * * Description: FIPS 204: Algorithm 22 pkEncode. * Bit-pack public key pk = (rho, t1). @@ -14,25 +14,25 @@ * - const uint8_t rho[]: byte array containing rho * - const polyveck *t1: pointer to vector t1 **************************************************/ -void pack_pk(ml_dsa_params *params, - uint8_t *pk, - const uint8_t rho[SEEDBYTES], - const polyveck *t1) +void ml_dsa_pack_pk(ml_dsa_params *params, + uint8_t *pk, + const uint8_t rho[ML_DSA_SEEDBYTES], + const polyveck *t1) { unsigned int i; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { pk[i] = rho[i]; } - pk += SEEDBYTES; + pk += ML_DSA_SEEDBYTES; for(i = 0; i < params->k; ++i) { - polyt1_pack(pk + i*POLYT1_PACKEDBYTES, &t1->vec[i]); + ml_dsa_polyt1_pack(pk + i * ML_DSA_POLYT1_PACKEDBYTES, &t1->vec[i]); } } /************************************************* -* Name: unpack_pk +* Name: ml_dsa_unpack_pk * * Description: FIPS 204: Algorithm 23 pkDecode. * Unpack public key pk = (rho, t1). @@ -42,25 +42,25 @@ void pack_pk(ml_dsa_params *params, * - const polyveck *t1: pointer to output vector t1 * - uint8_t pk[]: pointer to byte array containing bit-packed pk **************************************************/ -void unpack_pk(ml_dsa_params *params, - uint8_t rho[SEEDBYTES], - polyveck *t1, - const uint8_t *pk) +void ml_dsa_unpack_pk(ml_dsa_params *params, + uint8_t rho[ML_DSA_SEEDBYTES], + polyveck *t1, + const uint8_t *pk) { unsigned int i; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { rho[i] = pk[i]; } - pk += SEEDBYTES; + pk += ML_DSA_SEEDBYTES; for(i = 0; i < params->k; ++i) { - polyt1_unpack(&t1->vec[i], pk + i*POLYT1_PACKEDBYTES); + ml_dsa_polyt1_unpack(&t1->vec[i], pk + i * ML_DSA_POLYT1_PACKEDBYTES); } } /************************************************* -* Name: pack_sk +* Name: ml_dsa_pack_sk * * Description: FIPS 204: Algorithm 24 skEncode. * Bit-pack secret key sk = (rho, tr, key, t0, s1, s2). @@ -74,49 +74,49 @@ void unpack_pk(ml_dsa_params *params, * - const polyvecl *s1: pointer to vector s1 * - const polyveck *s2: pointer to vector s2 **************************************************/ -void pack_sk(ml_dsa_params *params, - uint8_t *sk, - const uint8_t rho[SEEDBYTES], - const uint8_t tr[TRBYTES], - const uint8_t key[SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2) +void ml_dsa_pack_sk(ml_dsa_params *params, + uint8_t *sk, + const uint8_t rho[ML_DSA_SEEDBYTES], + const uint8_t tr[ML_DSA_TRBYTES], + const uint8_t key[ML_DSA_SEEDBYTES], + const polyveck *t0, + const polyvecl *s1, + const polyveck *s2) { unsigned int i; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { sk[i] = rho[i]; } - sk += SEEDBYTES; + sk += ML_DSA_SEEDBYTES; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { sk[i] = key[i]; } - sk += SEEDBYTES; + sk += ML_DSA_SEEDBYTES; - for(i = 0; i < TRBYTES; ++i) { + for(i = 0; i < ML_DSA_TRBYTES; ++i) { sk[i] = tr[i]; } - sk += TRBYTES; + sk += ML_DSA_TRBYTES; for(i = 0; i < params->l; ++i) { - polyeta_pack(params, sk + i * params->poly_eta_packed_bytes, &s1->vec[i]); + ml_dsa_polyeta_pack(params, sk + i * params->poly_eta_packed_bytes, &s1->vec[i]); } sk += params->l * params->poly_eta_packed_bytes; for(i = 0; i < params->k; ++i) { - polyeta_pack(params,sk + i * params->poly_eta_packed_bytes, &s2->vec[i]); + ml_dsa_polyeta_pack(params,sk + i * params->poly_eta_packed_bytes, &s2->vec[i]); } sk += params->k * params->poly_eta_packed_bytes; for(i = 0; i < params->k; ++i) { - polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]); + ml_dsa_polyt0_pack(sk + i * ML_DSA_POLYT0_PACKEDBYTES, &t0->vec[i]); } } /************************************************* -* Name: unpack_sk +* Name: ml_dsa_unpack_sk * * Description: FIPS 204: Algorithm 25 skDecode. * Unpack secret key sk = (rho, tr, key, t0, s1, s2). @@ -130,49 +130,49 @@ void pack_sk(ml_dsa_params *params, * - const polyveck *s2: pointer to output vector s2 * - uint8_t sk[]: pointer to byte array containing bit-packed sk **************************************************/ -void unpack_sk(ml_dsa_params *params, - uint8_t rho[SEEDBYTES], - uint8_t tr[TRBYTES], - uint8_t key[SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t *sk) +void ml_dsa_unpack_sk(ml_dsa_params *params, + uint8_t rho[ML_DSA_SEEDBYTES], + uint8_t tr[ML_DSA_TRBYTES], + uint8_t key[ML_DSA_SEEDBYTES], + polyveck *t0, + polyvecl *s1, + polyveck *s2, + const uint8_t *sk) { unsigned int i; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { rho[i] = sk[i]; } - sk += SEEDBYTES; + sk += ML_DSA_SEEDBYTES; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { key[i] = sk[i]; } - sk += SEEDBYTES; + sk += ML_DSA_SEEDBYTES; - for(i = 0; i < TRBYTES; ++i) { + for(i = 0; i < ML_DSA_TRBYTES; ++i) { tr[i] = sk[i]; } - sk += TRBYTES; + sk += ML_DSA_TRBYTES; for(i=0; i < params->l; ++i) { - polyeta_unpack(params, &s1->vec[i], sk + i * params->poly_eta_packed_bytes); + ml_dsa_polyeta_unpack(params, &s1->vec[i], sk + i * params->poly_eta_packed_bytes); } sk += params->l * params->poly_eta_packed_bytes; for(i=0; i < params->k; ++i) { - polyeta_unpack(params, &s2->vec[i], sk + i * params->poly_eta_packed_bytes); + ml_dsa_polyeta_unpack(params, &s2->vec[i], sk + i * params->poly_eta_packed_bytes); } sk += params->k * params->poly_eta_packed_bytes; for(i=0; i < params->k; ++i) { - polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES); + ml_dsa_polyt0_unpack(&t0->vec[i], sk + i * ML_DSA_POLYT0_PACKEDBYTES); } } /************************************************* -* Name: pack_sig +* Name: ml_dsa_pack_sig * * Description: FIPS 204: Algorithm 26 sigEncode. * Bit-pack signature sig = (c, z, h). @@ -183,11 +183,11 @@ void unpack_sk(ml_dsa_params *params, * - const polyvecl *z: pointer to vector z * - const polyveck *h: pointer to hint vector h **************************************************/ -void pack_sig(ml_dsa_params *params, - uint8_t *sig, - const uint8_t *c, - const polyvecl *z, - const polyveck *h) +void ml_dsa_pack_sig(ml_dsa_params *params, + uint8_t *sig, + const uint8_t *c, + const polyvecl *z, + const polyveck *h) { unsigned int i, j, k; @@ -197,7 +197,7 @@ void pack_sig(ml_dsa_params *params, sig += params->c_tilde_bytes; for(i = 0; i < params->l; ++i) { - polyz_pack(params, sig + i * params->poly_z_packed_bytes, &z->vec[i]); + ml_dsa_polyz_pack(params, sig + i * params->poly_z_packed_bytes, &z->vec[i]); } sig += params->l * params->poly_z_packed_bytes; @@ -219,7 +219,7 @@ void pack_sig(ml_dsa_params *params, } /************************************************* -* Name: unpack_sig +* Name: ml_dsa_unpack_sig * * Description: FIPS 204: Algorithm 27 sigDecode. * Unpack signature sig = (c, z, h). @@ -233,11 +233,11 @@ void pack_sig(ml_dsa_params *params, * * Returns 1 in case of malformed signature; otherwise 0. **************************************************/ -int unpack_sig(ml_dsa_params *params, - uint8_t *c, - polyvecl *z, - polyveck *h, - const uint8_t *sig) +int ml_dsa_unpack_sig(ml_dsa_params *params, + uint8_t *c, + polyvecl *z, + polyveck *h, + const uint8_t *sig) { unsigned int i, j, k; @@ -247,7 +247,7 @@ int unpack_sig(ml_dsa_params *params, sig += params->c_tilde_bytes; for(i = 0; i < params->l; ++i) { - polyz_unpack(params, &z->vec[i], sig + i * params->poly_z_packed_bytes); + ml_dsa_polyz_unpack(params, &z->vec[i], sig + i * params->poly_z_packed_bytes); } sig += params->l * params->poly_z_packed_bytes; diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.h index f9fd3bf1fe..a8d525d3d0 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.h @@ -1,48 +1,48 @@ -#ifndef PACKING_H -#define PACKING_H +#ifndef ML_DSA_PACKING_H +#define ML_DSA_PACKING_H #include #include "params.h" #include "polyvec.h" -void pack_pk(ml_dsa_params *params, - uint8_t *pk, - const uint8_t rho[SEEDBYTES], - const polyveck *t1); - -void pack_sk(ml_dsa_params *params, - uint8_t *sk, - const uint8_t rho[SEEDBYTES], - const uint8_t tr[TRBYTES], - const uint8_t key[SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2); - -void pack_sig(ml_dsa_params *params, - uint8_t *sig, - const uint8_t *c, - const polyvecl *z, - const polyveck *h); - -void unpack_pk(ml_dsa_params *params, - uint8_t rho[SEEDBYTES], - polyveck *t1, - const uint8_t *pk); - -void unpack_sk(ml_dsa_params *params, - uint8_t rho[SEEDBYTES], - uint8_t tr[TRBYTES], - uint8_t key[SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t *sk); - -int unpack_sig(ml_dsa_params *params, - uint8_t *c, - polyvecl *z, - polyveck *h, - const uint8_t *sig); +void ml_dsa_pack_pk(ml_dsa_params *params, + uint8_t *pk, + const uint8_t rho[ML_DSA_SEEDBYTES], + const polyveck *t1); + +void ml_dsa_pack_sk(ml_dsa_params *params, + uint8_t *sk, + const uint8_t rho[ML_DSA_SEEDBYTES], + const uint8_t tr[ML_DSA_TRBYTES], + const uint8_t key[ML_DSA_SEEDBYTES], + const polyveck *t0, + const polyvecl *s1, + const polyveck *s2); + +void ml_dsa_pack_sig(ml_dsa_params *params, + uint8_t *sig, + const uint8_t *c, + const polyvecl *z, + const polyveck *h); + +void ml_dsa_unpack_pk(ml_dsa_params *params, + uint8_t rho[ML_DSA_SEEDBYTES], + polyveck *t1, + const uint8_t *pk); + +void ml_dsa_unpack_sk(ml_dsa_params *params, + uint8_t rho[ML_DSA_SEEDBYTES], + uint8_t tr[ML_DSA_TRBYTES], + uint8_t key[ML_DSA_SEEDBYTES], + polyveck *t0, + polyvecl *s1, + polyveck *s2, + const uint8_t *sk); + +int ml_dsa_unpack_sig(ml_dsa_params *params, + uint8_t *c, + polyvecl *z, + polyveck *h, + const uint8_t *sig); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c index e94334484b..8eae29af76 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c @@ -24,9 +24,14 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->poly_vech_packed_bytes = (params->omega + params->k); // Sizes for ML-DSA-44 keys and signatures from Table 2. FIPS-204. - params->public_key_bytes = (SEEDBYTES + params->k * POLYT1_PACKEDBYTES); - params->secret_key_bytes = (2 * SEEDBYTES + TRBYTES + params->l * params->poly_eta_packed_bytes + params->k * params->poly_eta_packed_bytes + params->k * POLYT0_PACKEDBYTES); - params->bytes = (params->c_tilde_bytes + params->l * params->poly_z_packed_bytes + params->poly_vech_packed_bytes); + params->public_key_bytes = (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); + params->secret_key_bytes = (2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + + params->l * params->poly_eta_packed_bytes + + params->k * params->poly_eta_packed_bytes + + params->k * ML_DSA_POLYT0_PACKEDBYTES); + params->bytes = (params->c_tilde_bytes + + params->l * params->poly_z_packed_bytes + + params->poly_vech_packed_bytes); } else if (k == 3) { // Parameters for ML-DSA-65 from Table 1. FIPS-204: ML-DSA Parameter Sets. @@ -46,9 +51,14 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->poly_vech_packed_bytes = (params->omega + params->k); // Sizes for ML-DSA-65 keys and signatures from Table 2. FIPS-204. - params->public_key_bytes = (SEEDBYTES + params->k * POLYT1_PACKEDBYTES); - params->secret_key_bytes = (2 * SEEDBYTES + TRBYTES + params->l * params->poly_eta_packed_bytes + params->k * params->poly_eta_packed_bytes + params->k * POLYT0_PACKEDBYTES); - params->bytes = (params->c_tilde_bytes + params->l * params->poly_z_packed_bytes + params->poly_vech_packed_bytes); + params->public_key_bytes = (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); + params->secret_key_bytes = (2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + + params->l * params->poly_eta_packed_bytes + + params->k * params->poly_eta_packed_bytes + + params->k * ML_DSA_POLYT0_PACKEDBYTES); + params->bytes = (params->c_tilde_bytes + + params->l * params->poly_z_packed_bytes + + params->poly_vech_packed_bytes); } else { // Parameters for ML-DSA-87 from Table 1. FIPS-204: ML-DSA Parameter Sets. @@ -68,9 +78,14 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->poly_vech_packed_bytes = (params->omega + params->k); // Sizes for ML-DSA-87 keys and signatures from Table 2. FIPS-204. - params->public_key_bytes = (SEEDBYTES + params->k * POLYT1_PACKEDBYTES); - params->secret_key_bytes = (2 * SEEDBYTES + TRBYTES + params->l * params->poly_eta_packed_bytes + params->k * params->poly_eta_packed_bytes + params->k * POLYT0_PACKEDBYTES); - params->bytes = (params->c_tilde_bytes + params->l * params->poly_z_packed_bytes + params->poly_vech_packed_bytes); + params->public_key_bytes = (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); + params->secret_key_bytes = (2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + + params->l * params->poly_eta_packed_bytes + + params->k * params->poly_eta_packed_bytes + + params->k * ML_DSA_POLYT0_PACKEDBYTES); + params->bytes = (params->c_tilde_bytes + + params->l * params->poly_z_packed_bytes + + params->poly_vech_packed_bytes); } } @@ -83,4 +98,3 @@ void ml_dsa_65_params_init(ml_dsa_params *params) { void ml_dsa_87_params_init(ml_dsa_params *params) { ml_dsa_params_init(params, 5); } - diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h index 9e886f1ecd..f67d751664 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h @@ -5,15 +5,15 @@ // on the parameter set. All other parameters are specified // in ml_dsa_params structure that is unique for each parameter // set (ML-DSA 44/65/87). -#define SEEDBYTES 32 -#define CRHBYTES 64 -#define TRBYTES 64 -#define RNDBYTES 32 +#define ML_DSA_SEEDBYTES 32 +#define ML_DSA_CRHBYTES 64 +#define ML_DSA_TRBYTES 64 +#define ML_DSA_RNDBYTES 32 #define ML_DSA_N 256 #define ML_DSA_Q 8380417 #define ML_DSA_D 13 -#define POLYT1_PACKEDBYTES 320 -#define POLYT0_PACKEDBYTES 416 +#define ML_DSA_POLYT1_PACKEDBYTES 320 +#define ML_DSA_POLYT0_PACKEDBYTES 416 // Structure for ML-DSA parameters that depend on the parameter set. typedef struct { diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c index 776247377e..71dfa97852 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c @@ -17,22 +17,22 @@ void ml_dsa_poly_reduce(poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { - a->coeffs[i] = reduce32(a->coeffs[i]); + a->coeffs[i] = ml_dsa_reduce32(a->coeffs[i]); } } /************************************************* -* Name: poly_caddq +* Name: ml_dsa_poly_caddq * * Description: For all coefficients of in/out polynomial add Q if * coefficient is negative. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_caddq(poly *a) { +void ml_dsa_poly_caddq(poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { - a->coeffs[i] = caddq(a->coeffs[i]); + a->coeffs[i] = ml_dsa_caddq(a->coeffs[i]); } } @@ -71,14 +71,14 @@ void ml_dsa_poly_sub(poly *c, const poly *a, const poly *b) { } /************************************************* -* Name: poly_shiftl +* Name: ml_dsa_poly_shiftl * * Description: Multiply polynomial by 2^D without modular reduction. Assumes * input coefficients to be less than 2^{31-D} in absolute value. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_shiftl(poly *a) { +void ml_dsa_poly_shiftl(poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] <<= ML_DSA_D; @@ -107,11 +107,11 @@ void ml_dsa_poly_ntt(poly *a) { * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ void ml_dsa_poly_invntt_tomont(poly *a) { - invntt_tomont(a->coeffs); + ml_dsa_invntt_tomont(a->coeffs); } /************************************************* -* Name: poly_pointwise_montgomery +* Name: ml_dsa_poly_pointwise_montgomery * * Description: Pointwise multiplication of polynomials in NTT domain * representation and multiplication of resulting polynomial @@ -121,15 +121,15 @@ void ml_dsa_poly_invntt_tomont(poly *a) { * - const poly *a: pointer to first input polynomial * - const poly *b: pointer to second input polynomial **************************************************/ -void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { +void ml_dsa_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { - c->coeffs[i] = fqmul(a->coeffs[i], b->coeffs[i]); + c->coeffs[i] = ml_dsa_fqmul(a->coeffs[i], b->coeffs[i]); } } /************************************************* -* Name: poly_power2round +* Name: ml_dsa_poly_power2round * * Description: For all coefficients c of the input polynomial, * compute c0, c1 such that c mod Q = c1*2^D + c0 @@ -140,15 +140,15 @@ void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { * - poly *a0: pointer to output polynomial with coefficients c0 * - const poly *a: pointer to input polynomial **************************************************/ -void poly_power2round(poly *a1, poly *a0, const poly *a) { +void ml_dsa_poly_power2round(poly *a1, poly *a0, const poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { - a1->coeffs[i] = power2round(&a0->coeffs[i], a->coeffs[i]); + a1->coeffs[i] = ml_dsa_power2round(&a0->coeffs[i], a->coeffs[i]); } } /************************************************* -* Name: poly_decompose +* Name: ml_dsa_poly_decompose * * Description: For all coefficients c of the input polynomial, * compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0 @@ -161,15 +161,15 @@ void poly_power2round(poly *a1, poly *a0, const poly *a) { * - poly *a0: pointer to output polynomial with coefficients c0 * - const poly *a: pointer to input polynomial **************************************************/ -void poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a) { +void ml_dsa_poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { - a1->coeffs[i] = decompose(params, &a0->coeffs[i], a->coeffs[i]); + a1->coeffs[i] = ml_dsa_decompose(params, &a0->coeffs[i], a->coeffs[i]); } } /************************************************* -* Name: poly_make_hint +* Name: ml_dsa_poly_make_hint * * Description: Compute hint polynomial. The coefficients of which indicate * whether the low bits of the corresponding coefficient of @@ -182,17 +182,17 @@ void poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a) { * * Returns number of 1 bits. **************************************************/ -unsigned int poly_make_hint(ml_dsa_params *params, poly *h, const poly *a0, const poly *a1) { +unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, poly *h, const poly *a0, const poly *a1) { unsigned int i, s = 0; for(i = 0; i < ML_DSA_N; ++i) { - h->coeffs[i] = make_hint(params, a0->coeffs[i], a1->coeffs[i]); + h->coeffs[i] = ml_dsa_make_hint(params, a0->coeffs[i], a1->coeffs[i]); s += h->coeffs[i]; } return s; } /************************************************* -* Name: poly_use_hint +* Name: ml_dsa_poly_use_hint * * Description: Use hint polynomial to correct the high bits of a polynomial. * @@ -201,15 +201,15 @@ unsigned int poly_make_hint(ml_dsa_params *params, poly *h, const poly *a0, cons * - const poly *a: pointer to input polynomial * - const poly *h: pointer to input hint polynomial **************************************************/ -void poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h) { +void ml_dsa_poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { - b->coeffs[i] = use_hint(params, a->coeffs[i], h->coeffs[i]); + b->coeffs[i] = ml_dsa_use_hint(params, a->coeffs[i], h->coeffs[i]); } } /************************************************* -* Name: poly_chknorm +* Name: ml_dsa_poly_chknorm * * Description: Check infinity norm of polynomial against given bound. * Assumes input coefficients were reduced by reduce32(). @@ -219,7 +219,7 @@ void poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h) * * Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. **************************************************/ -int poly_chknorm(const poly *a, int32_t B) { +int ml_dsa_poly_chknorm(const poly *a, int32_t B) { unsigned int i; int32_t t; @@ -279,7 +279,7 @@ static unsigned int rej_uniform(int32_t *a, } /************************************************* -* Name: poly_uniform +* Name: ml_dsa_poly_uniform * * Description: FIPS 204: Algorithm 30 RejNTTPoly. * Sample polynomial with uniformly random coefficients @@ -291,8 +291,8 @@ static unsigned int rej_uniform(int32_t *a, * - uint16_t nonce: 2-byte nonce **************************************************/ #define POLY_UNIFORM_NBLOCKS ((768 + SHAKE128_RATE - 1)/ SHAKE128_RATE) -void poly_uniform(poly *a, - const uint8_t seed[SEEDBYTES], +void ml_dsa_poly_uniform(poly *a, + const uint8_t seed[ML_DSA_SEEDBYTES], uint16_t nonce) { unsigned int i, ctr, off; @@ -305,7 +305,7 @@ void poly_uniform(poly *a, t[1] = nonce >> 8; SHAKE_Init(&state, SHAKE128_BLOCKSIZE); - SHA3_Update(&state, seed, SEEDBYTES); + SHA3_Update(&state, seed, ML_DSA_SEEDBYTES); SHA3_Update(&state, t, 2); SHAKE_Final(buf, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE); @@ -380,7 +380,7 @@ static unsigned int rej_eta(ml_dsa_params *params, } /************************************************* -* Name: poly_uniform_eta +* Name: ml_dsa_poly_uniform_eta * * Description: FIPS 204: Algorithm 31 RejBoundedPoly. * Sample polynomial with uniformly random coefficients @@ -392,9 +392,9 @@ static unsigned int rej_eta(ml_dsa_params *params, * - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -void poly_uniform_eta(ml_dsa_params *params, +void ml_dsa_poly_uniform_eta(ml_dsa_params *params, poly *a, - const uint8_t seed[CRHBYTES], + const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce) { unsigned int ctr; @@ -407,7 +407,7 @@ void poly_uniform_eta(ml_dsa_params *params, t[1] = nonce >> 8; SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, seed, CRHBYTES); + SHA3_Update(&state, seed, ML_DSA_CRHBYTES); SHA3_Update(&state, t, 2); SHAKE_Final(buf, &state, ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE); @@ -423,7 +423,7 @@ void poly_uniform_eta(ml_dsa_params *params, } /************************************************* -* Name: poly_uniform_gamma1 +* Name: ml_dsa_poly_uniform_gamma1 * * Description: Sample polynomial with uniformly random coefficients * in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream @@ -435,10 +435,10 @@ void poly_uniform_eta(ml_dsa_params *params, * - uint16_t nonce: 16-bit nonce **************************************************/ #define POLY_UNIFORM_GAMMA1_NBLOCKS ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_RATE - 1) / SHAKE256_RATE) -void poly_uniform_gamma1(ml_dsa_params *params, - poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce) +void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, + poly *a, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce) { uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_RATE]; KECCAK1600_CTX state; @@ -448,18 +448,18 @@ void poly_uniform_gamma1(ml_dsa_params *params, t[1] = nonce >> 8; SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, seed, CRHBYTES); + SHA3_Update(&state, seed, ML_DSA_CRHBYTES); SHA3_Update(&state, t, 2); SHAKE_Final(buf, &state, POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_BLOCKSIZE); - polyz_unpack(params, a, buf); + ml_dsa_polyz_unpack(params, a, buf); /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(buf, sizeof(buf)); OPENSSL_cleanse(&state, sizeof(state)); } /************************************************* -* Name: poly_challenge +* Name: ml_dsa_poly_challenge * * Description: Implementation of H. Samples polynomial with TAU nonzero * coefficients in {-1,1} using the output stream of @@ -469,7 +469,7 @@ void poly_uniform_gamma1(ml_dsa_params *params, * - poly *c: pointer to output polynomial * - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES **************************************************/ -void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { +void ml_dsa_poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { unsigned int i, b, pos; uint64_t signs; uint8_t buf[SHAKE256_RATE]; @@ -509,7 +509,7 @@ void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { } /************************************************* -* Name: polyeta_pack +* Name: ml_dsa_polyeta_pack * * Description: Bit-pack polynomial with coefficients in [-ETA,ETA]. * @@ -518,7 +518,7 @@ void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { * POLYETA_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { +void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { unsigned int i; uint8_t t[8]; @@ -551,7 +551,7 @@ void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { } /************************************************* -* Name: polyeta_unpack +* Name: ml_dsa_polyeta_unpack * * Description: Unpack polynomial with coefficients in [-ETA,ETA]. * @@ -559,7 +559,7 @@ void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { * - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { +void ml_dsa_polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { unsigned int i; assert((params->eta == 2) || (params->eta == 4)); @@ -596,7 +596,7 @@ void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { } /************************************************* -* Name: polyt1_pack +* Name: ml_dsa_polyt1_pack * * Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits. * Input coefficients are assumed to be standard representatives. @@ -605,7 +605,7 @@ void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { * POLYT1_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyt1_pack(uint8_t *r, const poly *a) { +void ml_dsa_polyt1_pack(uint8_t *r, const poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N/4; ++i) { @@ -618,7 +618,7 @@ void polyt1_pack(uint8_t *r, const poly *a) { } /************************************************* -* Name: polyt1_unpack +* Name: ml_dsa_polyt1_unpack * * Description: Unpack polynomial t1 with 10-bit coefficients. * Output coefficients are standard representatives. @@ -626,7 +626,7 @@ void polyt1_pack(uint8_t *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void polyt1_unpack(poly *r, const uint8_t *a) { +void ml_dsa_polyt1_unpack(poly *r, const uint8_t *a) { unsigned int i; for(i = 0; i < ML_DSA_N/4; ++i) { @@ -638,7 +638,7 @@ void polyt1_unpack(poly *r, const uint8_t *a) { } /************************************************* -* Name: polyt0_pack +* Name: ml_dsa_polyt0_pack * * Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. * @@ -646,7 +646,7 @@ void polyt1_unpack(poly *r, const uint8_t *a) { * POLYT0_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyt0_pack(uint8_t *r, const poly *a) { +void ml_dsa_polyt0_pack(uint8_t *r, const poly *a) { unsigned int i; uint32_t t[8]; @@ -684,14 +684,14 @@ void polyt0_pack(uint8_t *r, const poly *a) { } /************************************************* -* Name: polyt0_unpack +* Name: ml_dsa_polyt0_unpack * * Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. * * Arguments: - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void polyt0_unpack(poly *r, const uint8_t *a) { +void ml_dsa_polyt0_unpack(poly *r, const uint8_t *a) { unsigned int i; for(i = 0; i < ML_DSA_N/8; ++i) { @@ -743,7 +743,7 @@ void polyt0_unpack(poly *r, const uint8_t *a) { } /************************************************* -* Name: polyz_pack +* Name: ml_dsa_polyz_pack * * Description: Bit-pack polynomial with coefficients * in [-(GAMMA1 - 1), GAMMA1]. @@ -753,7 +753,7 @@ void polyt0_unpack(poly *r, const uint8_t *a) { * POLYZ_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { +void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { unsigned int i; uint32_t t[4]; @@ -797,7 +797,7 @@ void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { } /************************************************* -* Name: polyz_unpack +* Name: ml_dsa_polyz_unpack * * Description: Unpack polynomial z with coefficients * in [-(GAMMA1 - 1), GAMMA1]. @@ -806,7 +806,7 @@ void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { * - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { +void ml_dsa_polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { unsigned int i; assert((params->gamma1 == (1 << 17)) || @@ -859,7 +859,7 @@ void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { } /************************************************* -* Name: polyw1_pack +* Name: ml_dsa_polyw1_pack * * Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43]. * Input coefficients are assumed to be standard representatives. @@ -869,7 +869,7 @@ void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { * POLYW1_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { +void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { unsigned int i; if (params->gamma2 == (ML_DSA_Q-1)/88) { diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h index 540e538d9e..6df0d3b9ac 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h @@ -10,65 +10,65 @@ typedef struct { void ml_dsa_poly_reduce(poly *a); -void poly_caddq(poly *a); +void ml_dsa_poly_caddq(poly *a); void ml_dsa_poly_add(poly *c, const poly *a, const poly *b); void ml_dsa_poly_sub(poly *c, const poly *a, const poly *b); -void poly_shiftl(poly *a); +void ml_dsa_poly_shiftl(poly *a); void ml_dsa_poly_ntt(poly *a); void ml_dsa_poly_invntt_tomont(poly *a); -void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b); +void ml_dsa_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b); -void poly_power2round(poly *a1, poly *a0, const poly *a); +void ml_dsa_poly_power2round(poly *a1, poly *a0, const poly *a); -void poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a); +void ml_dsa_poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a); -unsigned int poly_make_hint(ml_dsa_params *params, - poly *h, - const poly *a0, - const poly *a1); +unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, + poly *h, + const poly *a0, + const poly *a1); -void poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h); +void ml_dsa_poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h); -int poly_chknorm(const poly *a, int32_t B); +int ml_dsa_poly_chknorm(const poly *a, int32_t B); -void poly_uniform(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce); +void ml_dsa_poly_uniform(poly *a, + const uint8_t seed[ML_DSA_SEEDBYTES], + uint16_t nonce); -void poly_uniform_eta(ml_dsa_params *params, - poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_poly_uniform_eta(ml_dsa_params *params, + poly *a, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void poly_uniform_gamma1(ml_dsa_params *params, - poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, + poly *a, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed); +void ml_dsa_poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed); -void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a); +void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a); -void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a); +void ml_dsa_polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a); -void polyt1_pack(uint8_t *r, const poly *a); +void ml_dsa_polyt1_pack(uint8_t *r, const poly *a); -void polyt1_unpack(poly *r, const uint8_t *a); +void ml_dsa_polyt1_unpack(poly *r, const uint8_t *a); -void polyt0_pack(uint8_t *r, const poly *a); +void ml_dsa_polyt0_pack(uint8_t *r, const poly *a); -void polyt0_unpack(poly *r, const uint8_t *a); +void ml_dsa_polyt0_unpack(poly *r, const uint8_t *a); -void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a); +void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a); -void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a); +void ml_dsa_polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a); -void polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a); +void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c index cb62a13352..406b34d5b1 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c @@ -4,7 +4,7 @@ #include "poly.h" /************************************************* -* Name: polyvec_matrix_expand +* Name: ml_dsa_polyvec_matrix_expand * * Description: FIPS 204: Algorithm 32 ExpandA. * Generates matrix A with uniformly @@ -15,19 +15,19 @@ * - polyvecl mat: pointer to output matrix * - const uint8_t rho[]: byte array containing seed rho **************************************************/ -void polyvec_matrix_expand(ml_dsa_params *params, - polyvecl *mat, - const uint8_t rho[SEEDBYTES]) { +void ml_dsa_polyvec_matrix_expand(ml_dsa_params *params, + polyvecl *mat, + const uint8_t rho[ML_DSA_SEEDBYTES]) { unsigned int i, j; for(i = 0; i < params->k; ++i) { for(j = 0; j < params->l; ++j) { - poly_uniform(&mat[i].vec[j], rho, (i << 8) + j); + ml_dsa_poly_uniform(&mat[i].vec[j], rho, (i << 8) + j); } } } /************************************************* -* Name: polyvec_matrix_pointwise_montgomery +* Name: ml_dsa_polyvec_matrix_pointwise_montgomery * * Description: Pointwise multiply vectors of polynomials of length K, * wrapper for polyvecl_pointwise_acc_montgomery. @@ -37,13 +37,13 @@ void polyvec_matrix_expand(ml_dsa_params *params, * - polyvecl mat: pointer to first input vector * - polyvecl v: pointer to second input vector **************************************************/ -void polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, - polyveck *t, - const polyvecl *mat, - const polyvecl *v) { +void ml_dsa_polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, + polyveck *t, + const polyvecl *mat, + const polyvecl *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - polyvecl_pointwise_acc_montgomery(params, &t->vec[i], &mat[i], v); + ml_dsa_polyvecl_pointwise_acc_montgomery(params, &t->vec[i], &mat[i], v); } } @@ -52,7 +52,7 @@ void polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, /**************************************************************/ /************************************************* -* Name: polyvecl_uniform_eta +* Name: ml_dsa_polyvecl_uniform_eta * * Description: FIPS 204: Algorithm 33 ExpandS (for vectors l). * Samples vector v with polynomial coordinates whose @@ -63,17 +63,17 @@ void polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, * - const uint8_t seed: byte array containing seed * - uint16_t nonce: 2-byte nonce **************************************************/ -void polyvecl_uniform_eta(ml_dsa_params *params, - polyvecl *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce) { +void ml_dsa_polyvecl_uniform_eta(ml_dsa_params *params, + polyvecl *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce) { unsigned int i; for(i = 0; i < params->l; ++i) - poly_uniform_eta(params, &v->vec[i], seed, nonce++); + ml_dsa_poly_uniform_eta(params, &v->vec[i], seed, nonce++); } /************************************************* -* Name: polyvecl_uniform_gamma1 +* Name: ml_dsa_polyvecl_uniform_gamma1 * * Description: FIPS 204: Algorithm 34 ExpandMask. * Samples vector v with polynomial coordinates whose @@ -84,18 +84,18 @@ void polyvecl_uniform_eta(ml_dsa_params *params, * - const uint8_t seed: byte array containing seed * - uint16_t nonce: 2-byte nonce **************************************************/ -void polyvecl_uniform_gamma1(ml_dsa_params *params, - polyvecl *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce) { +void ml_dsa_polyvecl_uniform_gamma1(ml_dsa_params *params, + polyvecl *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_uniform_gamma1(params, &v->vec[i], seed, params->l*nonce + i); + ml_dsa_poly_uniform_gamma1(params, &v->vec[i], seed, params->l*nonce + i); } } /************************************************* -* Name: polyvecl_reduce +* Name: ml_dsa_polyvecl_reduce * * Description: Reduce coefficients of polynomials in vector of length L * to representatives in [-6283009,6283007]. @@ -103,7 +103,7 @@ void polyvecl_uniform_gamma1(ml_dsa_params *params, * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyvecl_reduce(ml_dsa_params *params, polyvecl *v) { +void ml_dsa_polyvecl_reduce(ml_dsa_params *params, polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { ml_dsa_poly_reduce(&v->vec[i]); @@ -111,7 +111,7 @@ void polyvecl_reduce(ml_dsa_params *params, polyvecl *v) { } /************************************************* -* Name: polyvecl_add +* Name: ml_dsa_polyvecl_add * * Description: Add vectors of polynomials of length L. * No modular reduction is performed. @@ -121,10 +121,10 @@ void polyvecl_reduce(ml_dsa_params *params, polyvecl *v) { * - const polyvecl *u: pointer to first summand * - const polyvecl *v: pointer to second summand **************************************************/ -void polyvecl_add(ml_dsa_params *params, - polyvecl *w, - const polyvecl *u, - const polyvecl *v) { +void ml_dsa_polyvecl_add(ml_dsa_params *params, + polyvecl *w, + const polyvecl *u, + const polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { ml_dsa_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); @@ -132,7 +132,7 @@ void polyvecl_add(ml_dsa_params *params, } /************************************************* -* Name: polyvecl_ntt +* Name: ml_dsa_polyvecl_ntt * * Description: Forward NTT of all polynomials in vector of length L. Output * coefficients can be up to 16*Q larger than input coefficients. @@ -140,7 +140,7 @@ void polyvecl_add(ml_dsa_params *params, * Arguments: - ml_dsa_params: parameter struct * - polyvecl *v: pointer to input/output vector **************************************************/ -void polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { +void ml_dsa_polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { ml_dsa_poly_ntt(&v->vec[i]); @@ -148,7 +148,7 @@ void polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { } /************************************************* -* Name: polyvecl_invntt_tomont +* Name: ml_dsa_polyvecl_invntt_tomont * * Description: Inverse NTT and multiplication by 2^{32} of polynomials * in vector of length l. Input coefficients need to be less @@ -157,7 +157,7 @@ void polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { * Arguments: - ml_dsa_params: parameter struct * - polyvecl *v: pointer to input/output vector **************************************************/ -void polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { +void ml_dsa_polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { ml_dsa_poly_invntt_tomont(&v->vec[i]); @@ -165,7 +165,7 @@ void polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { } /************************************************* -* Name: polyvecl_pointwise_poly_montgomery +* Name: ml_dsa_polyvecl_pointwise_poly_montgomery * * Description: Pointwise multiplication of polynomials in NTT domain * representation and multiplication of resulting polynomial @@ -176,18 +176,18 @@ void polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { * - const poly *a: pointer to input polynomial * - const polyvecl *v: pointer to input vector **************************************************/ -void polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, - polyvecl *r, - const poly *a, - const polyvecl *v) { +void ml_dsa_polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, + polyvecl *r, + const poly *a, + const polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); + ml_dsa_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); } } /************************************************* -* Name: polyvecl_pointwise_acc_montgomery +* Name: ml_dsa_polyvecl_pointwise_acc_montgomery * * Description: Pointwise multiply vectors of polynomials of length L, multiply * resulting vector by 2^{-32} and add (accumulate) polynomials @@ -198,22 +198,22 @@ void polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, * - const polyvecl *u: pointer to first input vector * - const polyvecl *v: pointer to second input vector **************************************************/ -void polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, - poly *w, - const polyvecl *u, - const polyvecl *v) +void ml_dsa_polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, + poly *w, + const polyvecl *u, + const polyvecl *v) { unsigned int i; poly t; - poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); + ml_dsa_poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); for(i = 1; i < params->l; ++i) { - poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); + ml_dsa_poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); ml_dsa_poly_add(w, w, &t); } } /************************************************* -* Name: polyvecl_chknorm +* Name: ml_dsa_polyvecl_chknorm * * Description: Check infinity norm of polynomials in vector of length L. * Assumes input polyvecl to be reduced by polyvecl_reduce(). @@ -225,10 +225,10 @@ void polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, * Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8 * and 1 otherwise. **************************************************/ -int polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bound) { +int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bound) { unsigned int i; for(i = 0; i < params->l; ++i) { - if(poly_chknorm(&v->vec[i], bound)) { + if(ml_dsa_poly_chknorm(&v->vec[i], bound)) { return 1; } } @@ -240,7 +240,7 @@ int polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bound) { /**************************************************************/ /************************************************* -* Name: polyvecl_uniform_eta +* Name: ml_dsa_polyvecl_uniform_eta * * Description: FIPS 204: Algorithm 33 ExpandS (for vectors k). * Samples vector v with polynomial coordinates whose @@ -251,18 +251,18 @@ int polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bound) { * - const uint8_t seed: byte array containing seed * - uint16_t nonce: 2-byte nonce **************************************************/ -void polyveck_uniform_eta(ml_dsa_params *params, - polyveck *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce) { +void ml_dsa_polyveck_uniform_eta(ml_dsa_params *params, + polyveck *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_uniform_eta(params, &v->vec[i], seed, nonce++); + ml_dsa_poly_uniform_eta(params, &v->vec[i], seed, nonce++); } } /************************************************* -* Name: polyveck_reduce +* Name: ml_dsa_polyveck_reduce * * Description: Reduce coefficients of polynomials in vector of length K * to representatives in [-6283009,6283007]. @@ -270,7 +270,7 @@ void polyveck_uniform_eta(ml_dsa_params *params, * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_reduce(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_reduce(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { ml_dsa_poly_reduce(&v->vec[i]); @@ -278,7 +278,7 @@ void polyveck_reduce(ml_dsa_params *params, polyveck *v) { } /************************************************* -* Name: polyveck_caddq +* Name: ml_dsa_polyveck_caddq * * Description: For all coefficients of polynomials in vector of length K * add Q if coefficient is negative. @@ -286,15 +286,15 @@ void polyveck_reduce(ml_dsa_params *params, polyveck *v) { * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_caddq(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_caddq(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_caddq(&v->vec[i]); + ml_dsa_poly_caddq(&v->vec[i]); } } /************************************************* -* Name: polyveck_add +* Name: ml_dsa_polyveck_add * * Description: Add vectors of polynomials of length K. * No modular reduction is performed. @@ -304,10 +304,10 @@ void polyveck_caddq(ml_dsa_params *params, polyveck *v) { * - const polyveck *u: pointer to first summand * - const polyveck *v: pointer to second summand **************************************************/ -void polyveck_add(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *v) { +void ml_dsa_polyveck_add(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { ml_dsa_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); @@ -315,7 +315,7 @@ void polyveck_add(ml_dsa_params *params, } /************************************************* -* Name: polyveck_sub +* Name: ml_dsa_polyveck_sub * * Description: Subtract vectors of polynomials of length K. * No modular reduction is performed. @@ -326,10 +326,10 @@ void polyveck_add(ml_dsa_params *params, * - const polyveck *v: pointer to second input vector to be * subtracted from first input vector **************************************************/ -void polyveck_sub(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *v) { +void ml_dsa_polyveck_sub(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { ml_dsa_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); @@ -337,7 +337,7 @@ void polyveck_sub(ml_dsa_params *params, } /************************************************* -* Name: polyveck_shiftl +* Name: ml_dsa_polyveck_shiftl * * Description: Multiply vector of polynomials of Length K by 2^D without modular * reduction. Assumes input coefficients to be less than 2^{31-D}. @@ -345,15 +345,15 @@ void polyveck_sub(ml_dsa_params *params, * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_shiftl(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_shiftl(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_shiftl(&v->vec[i]); + ml_dsa_poly_shiftl(&v->vec[i]); } } /************************************************* -* Name: polyveck_ntt +* Name: ml_dsa_polyveck_ntt * * Description: Forward NTT of all polynomials in vector of length K. Output * coefficients can be up to 16*Q larger than input coefficients. @@ -361,7 +361,7 @@ void polyveck_shiftl(ml_dsa_params *params, polyveck *v) { * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_ntt(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_ntt(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { ml_dsa_poly_ntt(&v->vec[i]); @@ -369,7 +369,7 @@ void polyveck_ntt(ml_dsa_params *params, polyveck *v) { } /************************************************* -* Name: polyveck_invntt_tomont +* Name: ml_dsa_polyveck_invntt_tomont * * Description: Inverse NTT and multiplication by 2^{32} of polynomials * in vector of length K. Input coefficients need to be less @@ -378,7 +378,7 @@ void polyveck_ntt(ml_dsa_params *params, polyveck *v) { * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { ml_dsa_poly_invntt_tomont(&v->vec[i]); @@ -386,7 +386,7 @@ void polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { } /************************************************* -* Name: polyveck_pointwise_poly_montgomery +* Name: ml_dsa_polyveck_pointwise_poly_montgomery * * Description: Pointwise multiplication of polynomials in NTT domain * representation and multiplication of resulting polynomial @@ -397,18 +397,18 @@ void polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { * - const poly *a: pointer to input polynomial * - const polyveck *v: pointer to input vector **************************************************/ -void polyveck_pointwise_poly_montgomery(ml_dsa_params *params, - polyveck *r, - const poly *a, - const polyveck *v) { +void ml_dsa_polyveck_pointwise_poly_montgomery(ml_dsa_params *params, + polyveck *r, + const poly *a, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); + ml_dsa_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); } } /************************************************* -* Name: polyveck_chknorm +* Name: ml_dsa_polyveck_chknorm * * Description: Check infinity norm of polynomials in vector of length K. * Assumes input polyveck to be reduced by polyveck_reduce(). @@ -420,10 +420,10 @@ void polyveck_pointwise_poly_montgomery(ml_dsa_params *params, * Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8 * and 1 otherwise. **************************************************/ -int polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bound) { +int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bound) { unsigned int i; for(i = 0; i < params->k; ++i) { - if(poly_chknorm(&v->vec[i], bound)) { + if(ml_dsa_poly_chknorm(&v->vec[i], bound)) { return 1; } } @@ -431,7 +431,7 @@ int polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bound) { } /************************************************* -* Name: polyveck_power2round +* Name: ml_dsa_polyveck_power2round * * Description: For all coefficients a of polynomials in vector of length K, * compute a0, a1 such that a mod^+ Q = a1*2^D + a0 @@ -445,18 +445,18 @@ int polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bound) { * coefficients a0 * - const polyveck *v: pointer to input vector **************************************************/ -void polyveck_power2round(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v) { +void ml_dsa_polyveck_power2round(ml_dsa_params *params, + polyveck *v1, + polyveck *v0, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); + ml_dsa_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); } } /************************************************* -* Name: polyveck_decompose +* Name: ml_dsa_polyveck_decompose * * Description: For all coefficients a of polynomials in vector of length K, * compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0 @@ -471,18 +471,18 @@ void polyveck_power2round(ml_dsa_params *params, * coefficients a0 * - const polyveck *v: pointer to input vector **************************************************/ -void polyveck_decompose(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v) { +void ml_dsa_polyveck_decompose(ml_dsa_params *params, + polyveck *v1, + polyveck *v0, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_decompose(params, &v1->vec[i], &v0->vec[i], &v->vec[i]); + ml_dsa_poly_decompose(params, &v1->vec[i], &v0->vec[i], &v->vec[i]); } } /************************************************* -* Name: polyveck_make_hint +* Name: ml_dsa_polyveck_make_hint * * Description: Compute hint vector. * @@ -493,20 +493,20 @@ void polyveck_decompose(ml_dsa_params *params, * * Returns number of 1 bits. **************************************************/ -unsigned int polyveck_make_hint(ml_dsa_params *params, - polyveck *h, - const polyveck *v0, - const polyveck *v1) +unsigned int ml_dsa_polyveck_make_hint(ml_dsa_params *params, + polyveck *h, + const polyveck *v0, + const polyveck *v1) { unsigned int i, s = 0; for(i = 0; i < params->k; ++i) { - s += poly_make_hint(params, &h->vec[i], &v0->vec[i], &v1->vec[i]); + s += ml_dsa_poly_make_hint(params, &h->vec[i], &v0->vec[i], &v1->vec[i]); } return s; } /************************************************* -* Name: polyveck_use_hint +* Name: ml_dsa_polyveck_use_hint * * Description: Use hint vector to correct the high bits of input vector. * @@ -516,18 +516,18 @@ unsigned int polyveck_make_hint(ml_dsa_params *params, * - const polyveck *u: pointer to input vector * - const polyveck *h: pointer to input hint vector **************************************************/ -void polyveck_use_hint(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *h) { +void ml_dsa_polyveck_use_hint(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *h) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_use_hint(params, &w->vec[i], &u->vec[i], &h->vec[i]); + ml_dsa_poly_use_hint(params, &w->vec[i], &u->vec[i], &h->vec[i]); } } /************************************************* -* Name: polyveck_pack_w1 +* Name: ml_dsa_polyveck_pack_w1 * * Description: FIPS 204: Algorithm 28 w1Encode. * Encodes a polynomial vector |w1| into a byte string. @@ -537,11 +537,11 @@ void polyveck_use_hint(ml_dsa_params *params, * POLYW1_PACKEDBYTES bytes * - const polyvecl *w1: pointer to vector w1 **************************************************/ -void polyveck_pack_w1(ml_dsa_params *params, - uint8_t *r, - const polyveck *w1) { +void ml_dsa_polyveck_pack_w1(ml_dsa_params *params, + uint8_t *r, + const polyveck *w1) { unsigned int i; for(i = 0; i < params->k; ++i) { - polyw1_pack(params, &r[i*params->poly_w1_packed_bytes], &w1->vec[i]); + ml_dsa_polyw1_pack(params, &r[i*params->poly_w1_packed_bytes], &w1->vec[i]); } } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h index f8774505af..f76fffa382 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h @@ -10,106 +10,106 @@ typedef struct { poly vec[ML_DSA_L_MAX]; } polyvecl; -void polyvecl_uniform_eta(ml_dsa_params *params, - polyvecl *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_polyvecl_uniform_eta(ml_dsa_params *params, + polyvecl *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void polyvecl_uniform_gamma1(ml_dsa_params *params, - polyvecl *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_polyvecl_uniform_gamma1(ml_dsa_params *params, + polyvecl *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void polyvecl_reduce(ml_dsa_params *params, polyvecl *v); +void ml_dsa_polyvecl_reduce(ml_dsa_params *params, polyvecl *v); -void polyvecl_add(ml_dsa_params *params, - polyvecl *w, - const polyvecl *u, - const polyvecl *v); +void ml_dsa_polyvecl_add(ml_dsa_params *params, + polyvecl *w, + const polyvecl *u, + const polyvecl *v); -void polyvecl_ntt(ml_dsa_params *params, polyvecl *v); +void ml_dsa_polyvecl_ntt(ml_dsa_params *params, polyvecl *v); -void polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v); +void ml_dsa_polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v); -void polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, - polyvecl *r, - const poly *a, - const polyvecl *v); +void ml_dsa_polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, + polyvecl *r, + const poly *a, + const polyvecl *v); -void polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, - poly *w, - const polyvecl *u, - const polyvecl *v); +void ml_dsa_polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, + poly *w, + const polyvecl *u, + const polyvecl *v); -int polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t B); +int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t B); typedef struct { poly vec[ML_DSA_K_MAX]; } polyveck; -void polyveck_uniform_eta(ml_dsa_params *params, - polyveck *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_polyveck_uniform_eta(ml_dsa_params *params, + polyveck *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void polyveck_reduce(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_reduce(ml_dsa_params *params, polyveck *v); -void polyveck_caddq(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_caddq(ml_dsa_params *params, polyveck *v); -void polyveck_add(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *v); +void ml_dsa_polyveck_add(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *v); -void polyveck_sub(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *v); +void ml_dsa_polyveck_sub(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *v); -void polyveck_shiftl(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_shiftl(ml_dsa_params *params, polyveck *v); -void polyveck_ntt(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_ntt(ml_dsa_params *params, polyveck *v); -void polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v); -void polyveck_pointwise_poly_montgomery(ml_dsa_params *params, - polyveck *r, - const poly *a, - const polyveck *v); +void ml_dsa_polyveck_pointwise_poly_montgomery(ml_dsa_params *params, + polyveck *r, + const poly *a, + const polyveck *v); -int polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t B); +int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t B); -void polyveck_power2round(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v); +void ml_dsa_polyveck_power2round(ml_dsa_params *params, + polyveck *v1, + polyveck *v0, + const polyveck *v); -void polyveck_decompose(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v); +void ml_dsa_polyveck_decompose(ml_dsa_params *params, + polyveck *v1, + polyveck *v0, + const polyveck *v); -unsigned int polyveck_make_hint(ml_dsa_params *params, - polyveck *h, - const polyveck *v0, - const polyveck *v1); +unsigned int ml_dsa_polyveck_make_hint(ml_dsa_params *params, + polyveck *h, + const polyveck *v0, + const polyveck *v1); -void polyveck_use_hint(ml_dsa_params *params, - polyveck *w, - const polyveck *v, - const polyveck *h); +void ml_dsa_polyveck_use_hint(ml_dsa_params *params, + polyveck *w, + const polyveck *v, + const polyveck *h); -void polyveck_pack_w1(ml_dsa_params *params, - uint8_t *r, - const polyveck *w1); +void ml_dsa_polyveck_pack_w1(ml_dsa_params *params, + uint8_t *r, + const polyveck *w1); -void polyvec_matrix_expand(ml_dsa_params *params, - polyvecl *mat, - const uint8_t rho[SEEDBYTES]); +void ml_dsa_polyvec_matrix_expand(ml_dsa_params *params, + polyvecl *mat, + const uint8_t rho[ML_DSA_SEEDBYTES]); -void polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, - polyveck *t, - const polyvecl *mat, - const polyvecl *v); +void ml_dsa_polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, + polyveck *t, + const polyvecl *mat, + const polyvecl *v); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c index cf09caf4ed..5a1eee8fd6 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c @@ -3,7 +3,7 @@ #include "reduce.h" /************************************************* -* Name: fqmul +* Name: ml_dsa_fqmul * * Description: Multiplication followed by Montgomery reduction * For finite field element a with -2^{31}Q <= a <= Q*2^31, @@ -14,7 +14,7 @@ * * Returns r. **************************************************/ -int64_t fqmul(int32_t a, int32_t b) { +int64_t ml_dsa_fqmul(int32_t a, int32_t b) { int64_t s; int32_t t; @@ -25,7 +25,7 @@ int64_t fqmul(int32_t a, int32_t b) { } /************************************************* -* Name: reduce32 +* Name: ml_dsa_reduce32 * * Description: For finite field element a with a <= 2^{31} - 2^{22} - 1, * compute r \equiv a (mod Q) such that -6283009 <= r <= 6283008. @@ -34,7 +34,7 @@ int64_t fqmul(int32_t a, int32_t b) { * * Returns r. **************************************************/ -int32_t reduce32(int32_t a) { +int32_t ml_dsa_reduce32(int32_t a) { int32_t t; t = (a + (1 << 22)) >> 23; @@ -43,7 +43,7 @@ int32_t reduce32(int32_t a) { } /************************************************* -* Name: caddq +* Name: ml_dsa_caddq * * Description: Add Q if input coefficient is negative. * @@ -51,13 +51,13 @@ int32_t reduce32(int32_t a) { * * Returns r. **************************************************/ -int32_t caddq(int32_t a) { +int32_t ml_dsa_caddq(int32_t a) { a += (a >> 31) & ML_DSA_Q; return a; } /************************************************* -* Name: freeze +* Name: ml_dsa_freeze * * Description: For finite field element a, compute standard * representative r = a mod^+ Q. @@ -66,8 +66,8 @@ int32_t caddq(int32_t a) { * * Returns r. **************************************************/ -int32_t freeze(int32_t a) { - a = reduce32(a); - a = caddq(a); +int32_t ml_dsa_freeze(int32_t a) { + a = ml_dsa_reduce32(a); + a = ml_dsa_caddq(a); return a; } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h index d40bbc0189..ab52ff3488 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h @@ -6,12 +6,12 @@ #define ML_DSA_QINV 58728449 // q^(-1) mod 2^32 -int64_t fqmul(int32_t a, int32_t b); +int64_t ml_dsa_fqmul(int32_t a, int32_t b); -int32_t reduce32(int32_t a); +int32_t ml_dsa_reduce32(int32_t a); -int32_t caddq(int32_t a); +int32_t ml_dsa_caddq(int32_t a); -int32_t freeze(int32_t a); +int32_t ml_dsa_freeze(int32_t a); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c index 32f5704422..d087520812 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c @@ -3,7 +3,7 @@ #include "rounding.h" /************************************************* -* Name: power2round +* Name: ml_dsa_power2round * * Description: FIPS 204: Algorithm 35. * For finite field element a, compute a0, a1 such that @@ -15,7 +15,7 @@ * * Returns a1. **************************************************/ -int32_t power2round(int32_t *a0, int32_t a) { +int32_t ml_dsa_power2round(int32_t *a0, int32_t a) { int32_t a1; a1 = (a + (1 << (ML_DSA_D-1)) - 1) >> ML_DSA_D; @@ -24,7 +24,7 @@ int32_t power2round(int32_t *a0, int32_t a) { } /************************************************* -* Name: decompose +* Name: ml_dsa_decompose * * Description: FIPS 204: Algorithm 36. * For finite field element a, compute high and low bits a0, a1 such @@ -39,7 +39,7 @@ int32_t power2round(int32_t *a0, int32_t a) { * * Returns a1. **************************************************/ -int32_t decompose(ml_dsa_params *params, int32_t *a0, int32_t a) { +int32_t ml_dsa_decompose(ml_dsa_params *params, int32_t *a0, int32_t a) { assert((params->gamma2 == (ML_DSA_Q-1)/32) || (params->gamma2 == (ML_DSA_Q-1)/88)); int32_t a1; @@ -59,7 +59,7 @@ int32_t decompose(ml_dsa_params *params, int32_t *a0, int32_t a) { } /************************************************* -* Name: make_hint +* Name: ml_dsa_make_hint * * Description: FIPS 204: Algorithm 39 MakeHint. * Compute hint bit indicating whether the low bits of the @@ -71,7 +71,7 @@ int32_t decompose(ml_dsa_params *params, int32_t *a0, int32_t a) { * * Returns 1 if overflow. **************************************************/ -unsigned int make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { +unsigned int ml_dsa_make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { if(a0 > (params->gamma2) || a0 < -(params->gamma2) || (a0 == -(params->gamma2) && a1 != 0)) { return 1; @@ -80,7 +80,7 @@ unsigned int make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { } /************************************************* -* Name: use_hint +* Name: ml_dsa_use_hint * * Description: FIPS 204: Algorithm 40 UseHint. * Correct high bits according to hint. @@ -91,12 +91,12 @@ unsigned int make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { * * Returns corrected high bits. **************************************************/ -int32_t use_hint(ml_dsa_params *params, int32_t a, unsigned int hint) { +int32_t ml_dsa_use_hint(ml_dsa_params *params, int32_t a, unsigned int hint) { int32_t a0, a1; assert((params->gamma2 == (ML_DSA_Q-1)/32) || (params->gamma2 == (ML_DSA_Q-1)/88)); - a1 = decompose(params, &a0, a); + a1 = ml_dsa_decompose(params, &a0, a); if(hint == 0) { return a1; } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.h index 5345f64b95..11519cb571 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.h @@ -1,15 +1,15 @@ -#ifndef ROUNDING_H -#define ROUNDING_H +#ifndef ML_DSA_ROUNDING_H +#define ML_DSA_ROUNDING_H #include #include "params.h" -int32_t power2round(int32_t *a0, int32_t a); +int32_t ml_dsa_power2round(int32_t *a0, int32_t a); -int32_t decompose(ml_dsa_params *params, int32_t *a0, int32_t a); +int32_t ml_dsa_decompose(ml_dsa_params *params, int32_t *a0, int32_t a); -unsigned int make_hint(ml_dsa_params *params, int32_t a0, int32_t a1); +unsigned int ml_dsa_make_hint(ml_dsa_params *params, int32_t a0, int32_t a1); -int32_t use_hint(ml_dsa_params *params, int32_t a, unsigned int hint); +int32_t ml_dsa_use_hint(ml_dsa_params *params, int32_t a, unsigned int hint); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c index 0fca375dab..a63c6c2a65 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c @@ -27,48 +27,48 @@ int mldsa_keypair_internal(ml_dsa_params *params, uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - uint8_t seedbuf[2*SEEDBYTES + CRHBYTES]; - uint8_t tr[TRBYTES]; + uint8_t seedbuf[2 * ML_DSA_SEEDBYTES + ML_DSA_CRHBYTES]; + uint8_t tr[ML_DSA_TRBYTES]; const uint8_t *rho, *rhoprime, *key; polyvecl mat[ML_DSA_K_MAX]; polyvecl s1 = {{{{0}}}}; polyvecl s1hat; polyveck s2, t1, t0; - OPENSSL_memcpy(seedbuf, seed, SEEDBYTES); - seedbuf[SEEDBYTES+0] = params->k; - seedbuf[SEEDBYTES+1] = params->l; - SHAKE256(seedbuf, SEEDBYTES + 2, seedbuf, 2 * SEEDBYTES + CRHBYTES); + OPENSSL_memcpy(seedbuf, seed, ML_DSA_SEEDBYTES); + seedbuf[ML_DSA_SEEDBYTES + 0] = params->k; + seedbuf[ML_DSA_SEEDBYTES + 1] = params->l; + SHAKE256(seedbuf, ML_DSA_SEEDBYTES + 2, seedbuf, 2 * ML_DSA_SEEDBYTES + ML_DSA_CRHBYTES); rho = seedbuf; - rhoprime = rho + SEEDBYTES; - key = rhoprime + CRHBYTES; + rhoprime = rho + ML_DSA_SEEDBYTES; + key = rhoprime + ML_DSA_CRHBYTES; /* FIPS 204: line 3 Expand matrix */ - polyvec_matrix_expand(params, mat, rho); + ml_dsa_polyvec_matrix_expand(params, mat, rho); /* FIPS 204: line 4 Sample short vectors s1 and s2 */ - polyvecl_uniform_eta(params, &s1, rhoprime, 0); - polyveck_uniform_eta(params, &s2, rhoprime, params->l); + ml_dsa_polyvecl_uniform_eta(params, &s1, rhoprime, 0); + ml_dsa_polyveck_uniform_eta(params, &s2, rhoprime, params->l); /* FIPS 204: line 5 Matrix-vector multiplication */ s1hat = s1; - polyvecl_ntt(params, &s1hat); - polyvec_matrix_pointwise_montgomery(params, &t1, mat, &s1hat); - polyveck_reduce(params, &t1); - polyveck_invntt_tomont(params, &t1); + ml_dsa_polyvecl_ntt(params, &s1hat); + ml_dsa_polyvec_matrix_pointwise_montgomery(params, &t1, mat, &s1hat); + ml_dsa_polyveck_reduce(params, &t1); + ml_dsa_polyveck_invntt_tomont(params, &t1); /* Add error vector s2 */ - polyveck_add(params, &t1, &t1, &s2); + ml_dsa_polyveck_add(params, &t1, &t1, &s2); /* FIPS 204: line 6 Extract t1 and write public key */ - polyveck_caddq(params, &t1); - polyveck_power2round(params, &t1, &t0, &t1); + ml_dsa_polyveck_caddq(params, &t1); + ml_dsa_polyveck_power2round(params, &t1, &t0, &t1); /* FIPS 204: line 8 */ - pack_pk(params, pk, rho, &t1); + ml_dsa_pack_pk(params, pk, rho, &t1); /* FIPS 204: line 9 Compute H(rho, t1) and line 10 write secret key */ - SHAKE256(pk, params->public_key_bytes, tr, TRBYTES); - pack_sk(params, sk, rho, tr, key, &t0, &s1, &s2); + SHAKE256(pk, params->public_key_bytes, tr, ML_DSA_TRBYTES); + ml_dsa_pack_sk(params, sk, rho, tr, key, &t0, &s1, &s2); /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(seedbuf, sizeof(seedbuf)); @@ -97,8 +97,8 @@ int mldsa_keypair_internal(ml_dsa_params *params, * Returns 0 (success) -1 on failure **************************************************/ int mldsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { - uint8_t seed[SEEDBYTES]; - if (!RAND_bytes(seed, SEEDBYTES)) { + uint8_t seed[ML_DSA_SEEDBYTES]; + if (!RAND_bytes(seed, ML_DSA_SEEDBYTES)) { return -1; } mldsa_keypair_internal(params, pk, sk, seed); @@ -135,7 +135,7 @@ int mldsa_signature_internal(ml_dsa_params *params, const uint8_t *sk) { unsigned int n; - uint8_t seedbuf[2*SEEDBYTES + TRBYTES + 2*CRHBYTES]; + uint8_t seedbuf[2*ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + 2*ML_DSA_CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; polyvecl mat[ML_DSA_K_MAX], s1, y, z; @@ -144,95 +144,95 @@ int mldsa_signature_internal(ml_dsa_params *params, KECCAK1600_CTX state; rho = seedbuf; - tr = rho + SEEDBYTES; - key = tr + TRBYTES; - mu = key + SEEDBYTES; - rhoprime = mu + CRHBYTES; + tr = rho + ML_DSA_SEEDBYTES; + key = tr + ML_DSA_TRBYTES; + mu = key + ML_DSA_SEEDBYTES; + rhoprime = mu + ML_DSA_CRHBYTES; /* FIPS 204: line 1 */ - unpack_sk(params, rho, tr, key, &t0, &s1, &s2, sk); + ml_dsa_unpack_sk(params, rho, tr, key, &t0, &s1, &s2, sk); /* FIPS 204: line 6 Compute mu = CRH(tr, pre, msg) */ // This differs from FIPS 204 line 6 that performs mu = CRH(tr, M') and the // processing of M' in the external function. However, as M' = (pre, msg), // mu = CRH(tr, M') = CRH(tr, pre, msg). SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, tr, TRBYTES); + SHA3_Update(&state, tr, ML_DSA_TRBYTES); SHA3_Update(&state, pre, prelen); SHA3_Update(&state, m, mlen); - SHAKE_Final(mu, &state, CRHBYTES); + SHAKE_Final(mu, &state, ML_DSA_CRHBYTES); /* FIPS 204: line 7 Compute rhoprime = CRH(key, rnd, mu) */ SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, key, SEEDBYTES); - SHA3_Update(&state, rnd, RNDBYTES); - SHA3_Update(&state, mu, CRHBYTES); - SHAKE_Final(rhoprime, &state, CRHBYTES); + SHA3_Update(&state, key, ML_DSA_SEEDBYTES); + SHA3_Update(&state, rnd, ML_DSA_RNDBYTES); + SHA3_Update(&state, mu, ML_DSA_CRHBYTES); + SHAKE_Final(rhoprime, &state, ML_DSA_CRHBYTES); /* FIPS 204: line 5 Expand matrix and transform vectors */ - polyvec_matrix_expand(params, mat, rho); - polyvecl_ntt(params, &s1); - polyveck_ntt(params, &s2); - polyveck_ntt(params, &t0); + ml_dsa_polyvec_matrix_expand(params, mat, rho); + ml_dsa_polyvecl_ntt(params, &s1); + ml_dsa_polyveck_ntt(params, &s2); + ml_dsa_polyveck_ntt(params, &t0); rej: /* FIPS 204: line 11 Sample intermediate vector y */ - polyvecl_uniform_gamma1(params, &y, rhoprime, nonce++); + ml_dsa_polyvecl_uniform_gamma1(params, &y, rhoprime, nonce++); /* FIPS 204: line 12 Matrix-vector multiplication */ z = y; - polyvecl_ntt(params, &z); - polyvec_matrix_pointwise_montgomery(params, &w1, mat, &z); - polyveck_reduce(params, &w1); - polyveck_invntt_tomont(params, &w1); + ml_dsa_polyvecl_ntt(params, &z); + ml_dsa_polyvec_matrix_pointwise_montgomery(params, &w1, mat, &z); + ml_dsa_polyveck_reduce(params, &w1); + ml_dsa_polyveck_invntt_tomont(params, &w1); /* FIPS 204: line 13 - 14 Decompose w and call the random oracle */ - polyveck_caddq(params, &w1); - polyveck_decompose(params, &w1, &w0, &w1); - polyveck_pack_w1(params, sig, &w1); + ml_dsa_polyveck_caddq(params, &w1); + ml_dsa_polyveck_decompose(params, &w1, &w0, &w1); + ml_dsa_polyveck_pack_w1(params, sig, &w1); SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, mu, CRHBYTES); + SHA3_Update(&state, mu, ML_DSA_CRHBYTES); SHA3_Update(&state, sig, params->k * params->poly_w1_packed_bytes); SHAKE_Final(sig, &state, params->c_tilde_bytes); - poly_challenge(params, &cp, sig); + ml_dsa_poly_challenge(params, &cp, sig); ml_dsa_poly_ntt(&cp); /* FIPS 204: line 20 Compute z, reject if it reveals secret */ - polyvecl_pointwise_poly_montgomery(params, &z, &cp, &s1); - polyvecl_invntt_tomont(params, &z); - polyvecl_add(params, &z, &z, &y); - polyvecl_reduce(params, &z); - if(polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { + ml_dsa_polyvecl_pointwise_poly_montgomery(params, &z, &cp, &s1); + ml_dsa_polyvecl_invntt_tomont(params, &z); + ml_dsa_polyvecl_add(params, &z, &z, &y); + ml_dsa_polyvecl_reduce(params, &z); + if(ml_dsa_polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { goto rej; } /* FIPS 204: line 21 Check that subtracting cs2 does not change high bits of w and low bits * do not reveal secret information */ - polyveck_pointwise_poly_montgomery(params, &h, &cp, &s2); - polyveck_invntt_tomont(params, &h); - polyveck_sub(params, &w0, &w0, &h); - polyveck_reduce(params, &w0); - if(polyveck_chknorm(params, &w0, params->gamma2 - params->beta)) { + ml_dsa_polyveck_pointwise_poly_montgomery(params, &h, &cp, &s2); + ml_dsa_polyveck_invntt_tomont(params, &h); + ml_dsa_polyveck_sub(params, &w0, &w0, &h); + ml_dsa_polyveck_reduce(params, &w0); + if(ml_dsa_polyveck_chknorm(params, &w0, params->gamma2 - params->beta)) { goto rej; } /* FIPS 204: line 25 */ - polyveck_pointwise_poly_montgomery(params, &h, &cp, &t0); - polyveck_invntt_tomont(params, &h); - polyveck_reduce(params, &h); - if(polyveck_chknorm(params, &h, params->gamma2)) { + ml_dsa_polyveck_pointwise_poly_montgomery(params, &h, &cp, &t0); + ml_dsa_polyveck_invntt_tomont(params, &h); + ml_dsa_polyveck_reduce(params, &h); + if(ml_dsa_polyveck_chknorm(params, &h, params->gamma2)) { goto rej; } /* FIPS 204: line 26 Compute signer's hint */ - polyveck_add(params, &w0, &w0, &h); - n = polyveck_make_hint(params, &h, &w0, &w1); + ml_dsa_polyveck_add(params, &w0, &w0, &h); + n = ml_dsa_polyveck_make_hint(params, &h, &w0, &w1); if(n > params->omega) { goto rej; } /* FIPS 204: line 33 Write signature */ - pack_sig(params, sig, sig, &z, &h); + ml_dsa_pack_sig(params, sig, sig, &z, &h); *siglen = params->bytes; /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ @@ -278,7 +278,7 @@ int mldsa_signature(ml_dsa_params *params, const uint8_t *sk) { uint8_t pre[257]; - uint8_t rnd[RNDBYTES]; + uint8_t rnd[ML_DSA_RNDBYTES]; if(ctxlen > 255) { return -1; @@ -288,7 +288,7 @@ int mldsa_signature(ml_dsa_params *params, pre[1] = ctxlen; OPENSSL_memcpy(pre + 2 , ctx, ctxlen); - if (!RAND_bytes(rnd, RNDBYTES)) { + if (!RAND_bytes(rnd, ML_DSA_RNDBYTES)) { return -1; } mldsa_signature_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk); @@ -366,9 +366,9 @@ int mldsa_verify_internal(ml_dsa_params *params, { unsigned int i; uint8_t buf[ML_DSA_K_MAX*ML_DSA_POLYW1_PACKEDBYTES_MAX]; - uint8_t rho[SEEDBYTES]; - uint8_t mu[CRHBYTES]; - uint8_t tr[TRBYTES]; + uint8_t rho[ML_DSA_SEEDBYTES]; + uint8_t mu[ML_DSA_CRHBYTES]; + uint8_t tr[ML_DSA_TRBYTES]; uint8_t c[ML_DSA_C_TILDE_BYTES_MAX]; uint8_t c2[ML_DSA_C_TILDE_BYTES_MAX]; poly cp; @@ -380,50 +380,50 @@ int mldsa_verify_internal(ml_dsa_params *params, return -1; } /* FIPS 204: line 1 */ - unpack_pk(params, rho, &t1, pk); + ml_dsa_unpack_pk(params, rho, &t1, pk); /* FIPS 204: line 2 */ - if(unpack_sig(params, c, &z, &h, sig)) { + if(ml_dsa_unpack_sig(params, c, &z, &h, sig)) { return -1; } - if(polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { + if(ml_dsa_polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { return -1; } /* FIPS 204: line 6 Compute tr */ - SHAKE256(pk, params->public_key_bytes, tr, TRBYTES); + SHAKE256(pk, params->public_key_bytes, tr, ML_DSA_TRBYTES); /* FIPS 204: line 7 Compute mu = H(BytesToBits(tr) || M', 64) */ // Like crypto_sign_signature_internal, the processing of M' is performed // here, as opposed to within the external function. SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, tr, TRBYTES); + SHA3_Update(&state, tr, ML_DSA_TRBYTES); SHA3_Update(&state, pre, prelen); SHA3_Update(&state, m, mlen); - SHAKE_Final(mu, &state, CRHBYTES); + SHAKE_Final(mu, &state, ML_DSA_CRHBYTES); /* FIPS 204: line 9 Matrix-vector multiplication; compute Az - c2^dt1 */ - poly_challenge(params, &cp, c); - polyvec_matrix_expand(params, mat, rho); + ml_dsa_poly_challenge(params, &cp, c); + ml_dsa_polyvec_matrix_expand(params, mat, rho); - polyvecl_ntt(params, &z); - polyvec_matrix_pointwise_montgomery(params, &w1, mat, &z); + ml_dsa_polyvecl_ntt(params, &z); + ml_dsa_polyvec_matrix_pointwise_montgomery(params, &w1, mat, &z); ml_dsa_poly_ntt(&cp); - polyveck_shiftl(params, &t1); - polyveck_ntt(params, &t1); - polyveck_pointwise_poly_montgomery(params, &t1, &cp, &t1); + ml_dsa_polyveck_shiftl(params, &t1); + ml_dsa_polyveck_ntt(params, &t1); + ml_dsa_polyveck_pointwise_poly_montgomery(params, &t1, &cp, &t1); - polyveck_sub(params, &w1, &w1, &t1); - polyveck_reduce(params, &w1); - polyveck_invntt_tomont(params, &w1); + ml_dsa_polyveck_sub(params, &w1, &w1, &t1); + ml_dsa_polyveck_reduce(params, &w1); + ml_dsa_polyveck_invntt_tomont(params, &w1); /* FIPS 204: line 10 Reconstruct w1 */ - polyveck_caddq(params, &w1); - polyveck_use_hint(params, &w1, &w1, &h); - polyveck_pack_w1(params, buf, &w1); + ml_dsa_polyveck_caddq(params, &w1); + ml_dsa_polyveck_use_hint(params, &w1, &w1, &h); + ml_dsa_polyveck_pack_w1(params, buf, &w1); /* FIPS 204: line 12 Call random oracle and verify challenge */ SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, mu, CRHBYTES); + SHA3_Update(&state, mu, ML_DSA_CRHBYTES); SHA3_Update(&state, buf, params->k * params->poly_w1_packed_bytes); SHAKE_Final(c2, &state, params->c_tilde_bytes); for(i = 0; i < params->c_tilde_bytes; ++i) { diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h index b8d55db40a..c04e85ba23 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h @@ -1,5 +1,5 @@ -#ifndef SIGN_H -#define SIGN_H +#ifndef ML_DSA_SIGN_H +#define ML_DSA_SIGN_H #include #include From f96096fd8ad2b8831fbab680b43de85bd163a6e1 Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Mon, 23 Dec 2024 23:21:15 -0800 Subject: [PATCH 07/12] unique names for poly --- .../pqcrystals_dilithium_ref_common/poly.c | 77 +++++++++++-------- .../pqcrystals_dilithium_ref_common/poly.h | 66 +++++++++------- .../pqcrystals_dilithium_ref_common/polyvec.c | 8 +- .../pqcrystals_dilithium_ref_common/polyvec.h | 10 +-- .../pqcrystals_dilithium_ref_common/sign.c | 4 +- 5 files changed, 92 insertions(+), 73 deletions(-) diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c index 71dfa97852..063212864b 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c @@ -14,7 +14,7 @@ * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void ml_dsa_poly_reduce(poly *a) { +void ml_dsa_poly_reduce(ml_dsa_poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] = ml_dsa_reduce32(a->coeffs[i]); @@ -29,7 +29,7 @@ void ml_dsa_poly_reduce(poly *a) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void ml_dsa_poly_caddq(poly *a) { +void ml_dsa_poly_caddq(ml_dsa_poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] = ml_dsa_caddq(a->coeffs[i]); @@ -45,7 +45,7 @@ void ml_dsa_poly_caddq(poly *a) { * - const poly *a: pointer to first summand * - const poly *b: pointer to second summand **************************************************/ -void ml_dsa_poly_add(poly *c, const poly *a, const poly *b) { +void ml_dsa_poly_add(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] + b->coeffs[i]; @@ -63,7 +63,7 @@ void ml_dsa_poly_add(poly *c, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial to be * subtraced from first input polynomial **************************************************/ -void ml_dsa_poly_sub(poly *c, const poly *a, const poly *b) { +void ml_dsa_poly_sub(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] - b->coeffs[i]; @@ -78,7 +78,7 @@ void ml_dsa_poly_sub(poly *c, const poly *a, const poly *b) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void ml_dsa_poly_shiftl(poly *a) { +void ml_dsa_poly_shiftl(ml_dsa_poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { a->coeffs[i] <<= ML_DSA_D; @@ -93,7 +93,7 @@ void ml_dsa_poly_shiftl(poly *a) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void ml_dsa_poly_ntt(poly *a) { +void ml_dsa_poly_ntt(ml_dsa_poly *a) { ml_dsa_ntt(a->coeffs); } @@ -106,7 +106,7 @@ void ml_dsa_poly_ntt(poly *a) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void ml_dsa_poly_invntt_tomont(poly *a) { +void ml_dsa_poly_invntt_tomont(ml_dsa_poly *a) { ml_dsa_invntt_tomont(a->coeffs); } @@ -121,7 +121,9 @@ void ml_dsa_poly_invntt_tomont(poly *a) { * - const poly *a: pointer to first input polynomial * - const poly *b: pointer to second input polynomial **************************************************/ -void ml_dsa_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { +void ml_dsa_poly_pointwise_montgomery(ml_dsa_poly *c, + const ml_dsa_poly *a, + const ml_dsa_poly *b) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = ml_dsa_fqmul(a->coeffs[i], b->coeffs[i]); @@ -140,7 +142,7 @@ void ml_dsa_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { * - poly *a0: pointer to output polynomial with coefficients c0 * - const poly *a: pointer to input polynomial **************************************************/ -void ml_dsa_poly_power2round(poly *a1, poly *a0, const poly *a) { +void ml_dsa_poly_power2round(ml_dsa_poly *a1, ml_dsa_poly *a0, const ml_dsa_poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { a1->coeffs[i] = ml_dsa_power2round(&a0->coeffs[i], a->coeffs[i]); @@ -161,7 +163,10 @@ void ml_dsa_poly_power2round(poly *a1, poly *a0, const poly *a) { * - poly *a0: pointer to output polynomial with coefficients c0 * - const poly *a: pointer to input polynomial **************************************************/ -void ml_dsa_poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a) { +void ml_dsa_poly_decompose(ml_dsa_params *params, + ml_dsa_poly *a1, + ml_dsa_poly *a0, + const ml_dsa_poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { a1->coeffs[i] = ml_dsa_decompose(params, &a0->coeffs[i], a->coeffs[i]); @@ -182,7 +187,10 @@ void ml_dsa_poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly * * Returns number of 1 bits. **************************************************/ -unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, poly *h, const poly *a0, const poly *a1) { +unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, + ml_dsa_poly *h, + const ml_dsa_poly *a0, + const ml_dsa_poly *a1) { unsigned int i, s = 0; for(i = 0; i < ML_DSA_N; ++i) { h->coeffs[i] = ml_dsa_make_hint(params, a0->coeffs[i], a1->coeffs[i]); @@ -201,7 +209,10 @@ unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, poly *h, const poly *a * - const poly *a: pointer to input polynomial * - const poly *h: pointer to input hint polynomial **************************************************/ -void ml_dsa_poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h) { +void ml_dsa_poly_use_hint(ml_dsa_params *params, + ml_dsa_poly *b, + const ml_dsa_poly *a, + const ml_dsa_poly *h) { unsigned int i; for(i = 0; i < ML_DSA_N; ++i) { b->coeffs[i] = ml_dsa_use_hint(params, a->coeffs[i], h->coeffs[i]); @@ -219,7 +230,7 @@ void ml_dsa_poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const p * * Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. **************************************************/ -int ml_dsa_poly_chknorm(const poly *a, int32_t B) { +int ml_dsa_poly_chknorm(const ml_dsa_poly *a, int32_t B) { unsigned int i; int32_t t; @@ -243,7 +254,7 @@ int ml_dsa_poly_chknorm(const poly *a, int32_t B) { } /************************************************* -* Name: rej_uniform +* Name: ml_dsa_rej_uniform * * Description: Sample uniformly random coefficients in [0, Q-1] by * performing rejection sampling on array of random bytes. @@ -256,10 +267,10 @@ int ml_dsa_poly_chknorm(const poly *a, int32_t B) { * Returns number of sampled coefficients. Can be smaller than len if not enough * random bytes were given. **************************************************/ -static unsigned int rej_uniform(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) +static unsigned int ml_dsa_rej_uniform(int32_t *a, + unsigned int len, + const uint8_t *buf, + unsigned int buflen) { unsigned int ctr, pos; uint32_t t; @@ -291,7 +302,7 @@ static unsigned int rej_uniform(int32_t *a, * - uint16_t nonce: 2-byte nonce **************************************************/ #define POLY_UNIFORM_NBLOCKS ((768 + SHAKE128_RATE - 1)/ SHAKE128_RATE) -void ml_dsa_poly_uniform(poly *a, +void ml_dsa_poly_uniform(ml_dsa_poly *a, const uint8_t seed[ML_DSA_SEEDBYTES], uint16_t nonce) { @@ -309,7 +320,7 @@ void ml_dsa_poly_uniform(poly *a, SHA3_Update(&state, t, 2); SHAKE_Final(buf, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE); - ctr = rej_uniform(a->coeffs, ML_DSA_N, buf, buflen); + ctr = ml_dsa_rej_uniform(a->coeffs, ML_DSA_N, buf, buflen); while(ctr < ML_DSA_N) { off = buflen % 3; @@ -318,7 +329,7 @@ void ml_dsa_poly_uniform(poly *a, SHAKE_Final(buf + off, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE); buflen = SHAKE128_RATE + off; - ctr += rej_uniform(a->coeffs + ctr, ML_DSA_N - ctr, buf, buflen); + ctr += ml_dsa_rej_uniform(a->coeffs + ctr, ML_DSA_N - ctr, buf, buflen); } /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(buf, sizeof(buf)); @@ -393,7 +404,7 @@ static unsigned int rej_eta(ml_dsa_params *params, * - uint16_t nonce: 2-byte nonce **************************************************/ void ml_dsa_poly_uniform_eta(ml_dsa_params *params, - poly *a, + ml_dsa_poly *a, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce) { @@ -436,7 +447,7 @@ void ml_dsa_poly_uniform_eta(ml_dsa_params *params, **************************************************/ #define POLY_UNIFORM_GAMMA1_NBLOCKS ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_RATE - 1) / SHAKE256_RATE) void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, - poly *a, + ml_dsa_poly *a, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce) { @@ -469,7 +480,7 @@ void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, * - poly *c: pointer to output polynomial * - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES **************************************************/ -void ml_dsa_poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { +void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t *seed) { unsigned int i, b, pos; uint64_t signs; uint8_t buf[SHAKE256_RATE]; @@ -518,7 +529,7 @@ void ml_dsa_poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) * POLYETA_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { +void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a) { unsigned int i; uint8_t t[8]; @@ -559,7 +570,7 @@ void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { * - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void ml_dsa_polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { +void ml_dsa_polyeta_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a) { unsigned int i; assert((params->eta == 2) || (params->eta == 4)); @@ -605,7 +616,7 @@ void ml_dsa_polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { * POLYT1_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void ml_dsa_polyt1_pack(uint8_t *r, const poly *a) { +void ml_dsa_polyt1_pack(uint8_t *r, const ml_dsa_poly *a) { unsigned int i; for(i = 0; i < ML_DSA_N/4; ++i) { @@ -626,7 +637,7 @@ void ml_dsa_polyt1_pack(uint8_t *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void ml_dsa_polyt1_unpack(poly *r, const uint8_t *a) { +void ml_dsa_polyt1_unpack(ml_dsa_poly *r, const uint8_t *a) { unsigned int i; for(i = 0; i < ML_DSA_N/4; ++i) { @@ -646,7 +657,7 @@ void ml_dsa_polyt1_unpack(poly *r, const uint8_t *a) { * POLYT0_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void ml_dsa_polyt0_pack(uint8_t *r, const poly *a) { +void ml_dsa_polyt0_pack(uint8_t *r, const ml_dsa_poly *a) { unsigned int i; uint32_t t[8]; @@ -691,7 +702,7 @@ void ml_dsa_polyt0_pack(uint8_t *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void ml_dsa_polyt0_unpack(poly *r, const uint8_t *a) { +void ml_dsa_polyt0_unpack(ml_dsa_poly *r, const uint8_t *a) { unsigned int i; for(i = 0; i < ML_DSA_N/8; ++i) { @@ -753,7 +764,7 @@ void ml_dsa_polyt0_unpack(poly *r, const uint8_t *a) { * POLYZ_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { +void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a) { unsigned int i; uint32_t t[4]; @@ -806,7 +817,7 @@ void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { * - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void ml_dsa_polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { +void ml_dsa_polyz_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a) { unsigned int i; assert((params->gamma1 == (1 << 17)) || @@ -869,7 +880,7 @@ void ml_dsa_polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { * POLYW1_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { +void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a) { unsigned int i; if (params->gamma2 == (ML_DSA_Q-1)/88) { diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h index 6df0d3b9ac..fe8eee071c 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h @@ -6,69 +6,77 @@ typedef struct { int32_t coeffs[ML_DSA_N]; -} poly; +} ml_dsa_poly; -void ml_dsa_poly_reduce(poly *a); +void ml_dsa_poly_reduce(ml_dsa_poly *a); -void ml_dsa_poly_caddq(poly *a); +void ml_dsa_poly_caddq(ml_dsa_poly *a); -void ml_dsa_poly_add(poly *c, const poly *a, const poly *b); +void ml_dsa_poly_add(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b); -void ml_dsa_poly_sub(poly *c, const poly *a, const poly *b); +void ml_dsa_poly_sub(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b); -void ml_dsa_poly_shiftl(poly *a); +void ml_dsa_poly_shiftl(ml_dsa_poly *a); -void ml_dsa_poly_ntt(poly *a); +void ml_dsa_poly_ntt(ml_dsa_poly *a); -void ml_dsa_poly_invntt_tomont(poly *a); +void ml_dsa_poly_invntt_tomont(ml_dsa_poly *a); -void ml_dsa_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b); +void ml_dsa_poly_pointwise_montgomery(ml_dsa_poly *c, + const ml_dsa_poly *a, + const ml_dsa_poly *b); -void ml_dsa_poly_power2round(poly *a1, poly *a0, const poly *a); +void ml_dsa_poly_power2round(ml_dsa_poly *a1, ml_dsa_poly *a0, const ml_dsa_poly *a); -void ml_dsa_poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a); +void ml_dsa_poly_decompose(ml_dsa_params *params, + ml_dsa_poly *a1, + ml_dsa_poly *a0, + const ml_dsa_poly *a); unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, - poly *h, - const poly *a0, - const poly *a1); + ml_dsa_poly *h, + const ml_dsa_poly *a0, + const ml_dsa_poly *a1); -void ml_dsa_poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h); +void ml_dsa_poly_use_hint(ml_dsa_params *params, + ml_dsa_poly *b, + const ml_dsa_poly *a, + const ml_dsa_poly *h); -int ml_dsa_poly_chknorm(const poly *a, int32_t B); +int ml_dsa_poly_chknorm(const ml_dsa_poly *a, int32_t B); -void ml_dsa_poly_uniform(poly *a, +void ml_dsa_poly_uniform(ml_dsa_poly *a, const uint8_t seed[ML_DSA_SEEDBYTES], uint16_t nonce); void ml_dsa_poly_uniform_eta(ml_dsa_params *params, - poly *a, + ml_dsa_poly *a, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce); void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, - poly *a, + ml_dsa_poly *a, const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce); -void ml_dsa_poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed); +void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t *seed); -void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a); +void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a); -void ml_dsa_polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a); +void ml_dsa_polyeta_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a); -void ml_dsa_polyt1_pack(uint8_t *r, const poly *a); +void ml_dsa_polyt1_pack(uint8_t *r, const ml_dsa_poly *a); -void ml_dsa_polyt1_unpack(poly *r, const uint8_t *a); +void ml_dsa_polyt1_unpack(ml_dsa_poly *r, const uint8_t *a); -void ml_dsa_polyt0_pack(uint8_t *r, const poly *a); +void ml_dsa_polyt0_pack(uint8_t *r, const ml_dsa_poly *a); -void ml_dsa_polyt0_unpack(poly *r, const uint8_t *a); +void ml_dsa_polyt0_unpack(ml_dsa_poly *r, const uint8_t *a); -void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a); +void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a); -void ml_dsa_polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a); +void ml_dsa_polyz_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a); -void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a); +void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c index 406b34d5b1..2041e754d3 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c @@ -178,7 +178,7 @@ void ml_dsa_polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { **************************************************/ void ml_dsa_polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, polyvecl *r, - const poly *a, + const ml_dsa_poly *a, const polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { @@ -199,12 +199,12 @@ void ml_dsa_polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, * - const polyvecl *v: pointer to second input vector **************************************************/ void ml_dsa_polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, - poly *w, + ml_dsa_poly *w, const polyvecl *u, const polyvecl *v) { unsigned int i; - poly t; + ml_dsa_poly t; ml_dsa_poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); for(i = 1; i < params->l; ++i) { ml_dsa_poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); @@ -399,7 +399,7 @@ void ml_dsa_polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { **************************************************/ void ml_dsa_polyveck_pointwise_poly_montgomery(ml_dsa_params *params, polyveck *r, - const poly *a, + const ml_dsa_poly *a, const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h index f76fffa382..dccf6b976e 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h @@ -7,7 +7,7 @@ /* Vectors of polynomials of length L */ typedef struct { - poly vec[ML_DSA_L_MAX]; + ml_dsa_poly vec[ML_DSA_L_MAX]; } polyvecl; void ml_dsa_polyvecl_uniform_eta(ml_dsa_params *params, @@ -33,18 +33,18 @@ void ml_dsa_polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v); void ml_dsa_polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, polyvecl *r, - const poly *a, + const ml_dsa_poly *a, const polyvecl *v); void ml_dsa_polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, - poly *w, + ml_dsa_poly *w, const polyvecl *u, const polyvecl *v); int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t B); typedef struct { - poly vec[ML_DSA_K_MAX]; + ml_dsa_poly vec[ML_DSA_K_MAX]; } polyveck; void ml_dsa_polyveck_uniform_eta(ml_dsa_params *params, @@ -74,7 +74,7 @@ void ml_dsa_polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v); void ml_dsa_polyveck_pointwise_poly_montgomery(ml_dsa_params *params, polyveck *r, - const poly *a, + const ml_dsa_poly *a, const polyveck *v); int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t B); diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c index a63c6c2a65..5f69a380dd 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c @@ -140,7 +140,7 @@ int mldsa_signature_internal(ml_dsa_params *params, uint16_t nonce = 0; polyvecl mat[ML_DSA_K_MAX], s1, y, z; polyveck t0, s2, w1, w0, h; - poly cp; + ml_dsa_poly cp; KECCAK1600_CTX state; rho = seedbuf; @@ -371,7 +371,7 @@ int mldsa_verify_internal(ml_dsa_params *params, uint8_t tr[ML_DSA_TRBYTES]; uint8_t c[ML_DSA_C_TILDE_BYTES_MAX]; uint8_t c2[ML_DSA_C_TILDE_BYTES_MAX]; - poly cp; + ml_dsa_poly cp; polyvecl mat[ML_DSA_K_MAX], z; polyveck t1, w1, h; KECCAK1600_CTX state; From 436dde3013aeb8db9edf45ae96a58da0618834a9 Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Tue, 24 Dec 2024 11:22:09 -0800 Subject: [PATCH 08/12] consistency in naming --- crypto/dilithium/ml_dsa.c | 60 ++++---- .../pqcrystals_dilithium_ref_common/sign.c | 134 +++++++++--------- .../pqcrystals_dilithium_ref_common/sign.h | 84 +++++------ 3 files changed, 139 insertions(+), 139 deletions(-) diff --git a/crypto/dilithium/ml_dsa.c b/crypto/dilithium/ml_dsa.c index 6bc2f53ae5..96be7a035f 100644 --- a/crypto/dilithium/ml_dsa.c +++ b/crypto/dilithium/ml_dsa.c @@ -27,7 +27,7 @@ int ml_dsa_44_keypair(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return (mldsa_keypair(¶ms, public_key, private_key) == 0); + return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } int ml_dsa_44_keypair_internal(uint8_t *public_key /* OUT */, @@ -35,7 +35,7 @@ int ml_dsa_44_keypair_internal(uint8_t *public_key /* OUT */, const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return mldsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; + return ml_dsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } int ml_dsa_44_sign(const uint8_t *private_key /* IN */, @@ -47,8 +47,8 @@ int ml_dsa_44_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return mldsa_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_signature(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, @@ -61,8 +61,8 @@ int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return mldsa_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return ml_dsa_signature_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_44_verify(const uint8_t *public_key /* IN */, @@ -74,8 +74,8 @@ int ml_dsa_44_verify(const uint8_t *public_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return mldsa_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, public_key) == 0; } int ml_dsa_44_verify_internal(const uint8_t *public_key /* IN */, @@ -87,15 +87,15 @@ int ml_dsa_44_verify_internal(const uint8_t *public_key /* IN */, size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return mldsa_verify_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, public_key) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, public_key) == 0; } int ml_dsa_65_keypair(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return (mldsa_keypair(¶ms, public_key, private_key) == 0); + return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } int ml_dsa_65_keypair_internal(uint8_t *public_key /* OUT */, @@ -103,7 +103,7 @@ int ml_dsa_65_keypair_internal(uint8_t *public_key /* OUT */, const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return mldsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; + return ml_dsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } int ml_dsa_65_sign(const uint8_t *private_key /* IN */, @@ -115,8 +115,8 @@ int ml_dsa_65_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return mldsa_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_signature(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, @@ -129,8 +129,8 @@ int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return mldsa_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return ml_dsa_signature_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_65_verify(const uint8_t *public_key /* IN */, @@ -142,8 +142,8 @@ int ml_dsa_65_verify(const uint8_t *public_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return mldsa_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, public_key) == 0; } int ml_dsa_65_verify_internal(const uint8_t *public_key /* IN */, @@ -155,15 +155,15 @@ int ml_dsa_65_verify_internal(const uint8_t *public_key /* IN */, size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return mldsa_verify_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, public_key) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, public_key) == 0; } int ml_dsa_87_keypair(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return (mldsa_keypair(¶ms, public_key, private_key) == 0); + return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } int ml_dsa_87_keypair_internal(uint8_t *public_key /* OUT */, @@ -171,7 +171,7 @@ int ml_dsa_87_keypair_internal(uint8_t *public_key /* OUT */, const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return mldsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; + return ml_dsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } int ml_dsa_87_sign(const uint8_t *private_key /* IN */, @@ -183,8 +183,8 @@ int ml_dsa_87_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return mldsa_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_signature(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, @@ -197,8 +197,8 @@ int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return mldsa_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return ml_dsa_signature_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_87_verify(const uint8_t *public_key /* IN */, @@ -210,8 +210,8 @@ int ml_dsa_87_verify(const uint8_t *public_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return mldsa_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, public_key) == 0; } int ml_dsa_87_verify_internal(const uint8_t *public_key /* IN */, @@ -223,6 +223,6 @@ int ml_dsa_87_verify_internal(const uint8_t *public_key /* IN */, size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return mldsa_verify_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, public_key) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, public_key) == 0; } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c index 5f69a380dd..1d31c58340 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c @@ -9,7 +9,7 @@ /************************************************* - * Name: mldsa_keypair_internal + * Name: ml_dsa_keypair_internal * * Description: FIPS 204: Algorithm 6 ML-DSA.KeyGen_internal. * Generates public and private key. Internal API. @@ -23,10 +23,10 @@ * * Returns 0 (success) **************************************************/ -int mldsa_keypair_internal(ml_dsa_params *params, - uint8_t *pk, - uint8_t *sk, - const uint8_t *seed) { +int ml_dsa_keypair_internal(ml_dsa_params *params, + uint8_t *pk, + uint8_t *sk, + const uint8_t *seed) { uint8_t seedbuf[2 * ML_DSA_SEEDBYTES + ML_DSA_CRHBYTES]; uint8_t tr[ML_DSA_TRBYTES]; const uint8_t *rho, *rhoprime, *key; @@ -83,7 +83,7 @@ int mldsa_keypair_internal(ml_dsa_params *params, } /************************************************* -* Name: mldsa_keypair +* Name: ml_dsa_keypair * * Description: FIPS 204: Algorithm 1 ML-DSA.KeyGen * Generates public and private key. @@ -96,18 +96,18 @@ int mldsa_keypair_internal(ml_dsa_params *params, * * Returns 0 (success) -1 on failure **************************************************/ -int mldsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { +int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { uint8_t seed[ML_DSA_SEEDBYTES]; if (!RAND_bytes(seed, ML_DSA_SEEDBYTES)) { return -1; } - mldsa_keypair_internal(params, pk, sk, seed); + ml_dsa_keypair_internal(params, pk, sk, seed); OPENSSL_cleanse(seed, sizeof(seed)); return 0; } /************************************************* -* Name: mldsa_signature_internal +* Name: ml_dsa_signature_internal * * Description: FIPS 204: Algorithm 7 ML-DSA.Sign_internal. * Computes signature. Internal API. @@ -124,15 +124,15 @@ int mldsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int mldsa_signature_internal(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pre, - size_t prelen, - const uint8_t *rnd, - const uint8_t *sk) +int ml_dsa_signature_internal(ml_dsa_params *params, + uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pre, + size_t prelen, + const uint8_t *rnd, + const uint8_t *sk) { unsigned int n; uint8_t seedbuf[2*ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + 2*ML_DSA_CRHBYTES]; @@ -253,7 +253,7 @@ int mldsa_signature_internal(ml_dsa_params *params, } /************************************************* -* Name: mldsa_signature +* Name: ml_dsa_signature * * Description: FIPS 204: Algorithm 2 ML-DSA.Sign. * Computes signature in hedged mode. @@ -268,14 +268,14 @@ int mldsa_signature_internal(ml_dsa_params *params, * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int mldsa_signature(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *sk) +int ml_dsa_signature(ml_dsa_params *params, + uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { uint8_t pre[257]; uint8_t rnd[ML_DSA_RNDBYTES]; @@ -291,7 +291,7 @@ int mldsa_signature(ml_dsa_params *params, if (!RAND_bytes(rnd, ML_DSA_RNDBYTES)) { return -1; } - mldsa_signature_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk); + ml_dsa_signature_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk); /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(pre, sizeof(pre)); @@ -300,7 +300,7 @@ int mldsa_signature(ml_dsa_params *params, } /************************************************* -* Name: mldsa_sign_message +* Name: ml_dsa_sign_message * * Description: Compute signed message. * @@ -318,14 +318,14 @@ int mldsa_signature(ml_dsa_params *params, * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int mldsa_sign_message(ml_dsa_params *params, - uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *sk) +int ml_dsa_sign_message(ml_dsa_params *params, + uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { int ret; size_t i; @@ -333,13 +333,13 @@ int mldsa_sign_message(ml_dsa_params *params, for(i = 0; i < mlen; ++i) { sm[params->bytes + mlen - 1 - i] = m[mlen - 1 - i]; } - ret = mldsa_signature(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); + ret = ml_dsa_signature(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); *smlen += mlen; return ret; } /************************************************* -* Name: mldsa_verify_internal +* Name: ml_dsa_verify_internal * * Description: FIPS 204: Algorithm 8 ML-DSA.Verify_internal. * Verifies signature. Internal API. @@ -355,14 +355,14 @@ int mldsa_sign_message(ml_dsa_params *params, * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int mldsa_verify_internal(ml_dsa_params *params, - const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pre, - size_t prelen, - const uint8_t *pk) +int ml_dsa_verify_internal(ml_dsa_params *params, + const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pre, + size_t prelen, + const uint8_t *pk) { unsigned int i; uint8_t buf[ML_DSA_K_MAX*ML_DSA_POLYW1_PACKEDBYTES_MAX]; @@ -449,7 +449,7 @@ int mldsa_verify_internal(ml_dsa_params *params, } /************************************************* -* Name: mldsa_verify +* Name: ml_dsa_verify * * Description: FIPS 204: Algorithm 3 ML-DSA.Verify. * Verifies signature. @@ -465,14 +465,14 @@ int mldsa_verify_internal(ml_dsa_params *params, * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int mldsa_verify(ml_dsa_params *params, - const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *pk) +int ml_dsa_verify(ml_dsa_params *params, + const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *pk) { uint8_t pre[257]; @@ -483,11 +483,11 @@ int mldsa_verify(ml_dsa_params *params, pre[0] = 0; pre[1] = ctxlen; OPENSSL_memcpy(pre + 2 , ctx, ctxlen); - return mldsa_verify_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, pk); + return ml_dsa_verify_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, pk); } /************************************************* -* Name: mldsa_verify_message +* Name: ml_dsa_verify_message * * Description: Verify signed message. * @@ -503,14 +503,14 @@ int mldsa_verify(ml_dsa_params *params, * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int mldsa_verify_message(ml_dsa_params *params, - uint8_t *m, - size_t *mlen, - const uint8_t *sm, - size_t smlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *pk) +int ml_dsa_verify_message(ml_dsa_params *params, + uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *pk) { if(smlen < params->bytes) { @@ -518,7 +518,7 @@ int mldsa_verify_message(ml_dsa_params *params, } *mlen = smlen - params->bytes; - if(mldsa_verify(params,sm, params->bytes, sm + params->bytes, *mlen, ctx, ctxlen, pk)) { + if(ml_dsa_verify(params,sm, params->bytes, sm + params->bytes, *mlen, ctx, ctxlen, pk)) { goto badsig; } else { diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h index c04e85ba23..bc21a45bd1 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h @@ -5,48 +5,48 @@ #include #include "params.h" -int mldsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk); - -int mldsa_keypair_internal(ml_dsa_params *params, - uint8_t *pk, - uint8_t *sk, - const uint8_t *seed); - -int mldsa_signature(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *sk); - -int mldsa_signature_internal(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pre, size_t prelen, - const uint8_t *rnd, - const uint8_t *sk); - -int mldsa_sign_message(ml_dsa_params *params, - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *sk); - -int mldsa_verify(ml_dsa_params *params, - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *pk); - -int mldsa_verify_internal(ml_dsa_params *params, - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pre, size_t prelen, +int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk); + +int ml_dsa_keypair_internal(ml_dsa_params *params, + uint8_t *pk, + uint8_t *sk, + const uint8_t *seed); + +int ml_dsa_signature(ml_dsa_params *params, + uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int ml_dsa_signature_internal(ml_dsa_params *params, + uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *pre, size_t prelen, + const uint8_t *rnd, + const uint8_t *sk); + +int ml_dsa_sign_message(ml_dsa_params *params, + uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int ml_dsa_verify(ml_dsa_params *params, + const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + +int ml_dsa_verify_internal(ml_dsa_params *params, + const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *pre, size_t prelen, + const uint8_t *pk); + +int ml_dsa_verify_message(ml_dsa_params *params, + uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); -int mldsa_verify_message(ml_dsa_params *params, - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *pk); - #endif From 88d660254e4814f9fa9a0480d338f91f3bbf05fa Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Tue, 24 Dec 2024 13:48:15 -0800 Subject: [PATCH 09/12] renamed signature to sign --- crypto/dilithium/ml_dsa.c | 24 +++++------ .../pqcrystals_dilithium_ref_common/sign.c | 42 +++++++++---------- .../pqcrystals_dilithium_ref_common/sign.h | 24 +++++------ 3 files changed, 45 insertions(+), 45 deletions(-) diff --git a/crypto/dilithium/ml_dsa.c b/crypto/dilithium/ml_dsa.c index 96be7a035f..4aa5fe6683 100644 --- a/crypto/dilithium/ml_dsa.c +++ b/crypto/dilithium/ml_dsa.c @@ -47,8 +47,8 @@ int ml_dsa_44_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return ml_dsa_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, @@ -61,8 +61,8 @@ int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return ml_dsa_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_44_verify(const uint8_t *public_key /* IN */, @@ -115,8 +115,8 @@ int ml_dsa_65_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return ml_dsa_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, @@ -129,8 +129,8 @@ int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return ml_dsa_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_65_verify(const uint8_t *public_key /* IN */, @@ -183,8 +183,8 @@ int ml_dsa_87_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return ml_dsa_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, @@ -197,8 +197,8 @@ int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return ml_dsa_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_87_verify(const uint8_t *public_key /* IN */, diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c index 1d31c58340..cdc772f72a 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c @@ -107,7 +107,7 @@ int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { } /************************************************* -* Name: ml_dsa_signature_internal +* Name: ml_dsa_sign_internal * * Description: FIPS 204: Algorithm 7 ML-DSA.Sign_internal. * Computes signature. Internal API. @@ -124,15 +124,15 @@ int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int ml_dsa_signature_internal(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pre, - size_t prelen, - const uint8_t *rnd, - const uint8_t *sk) +int ml_dsa_sign_internal(ml_dsa_params *params, + uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pre, + size_t prelen, + const uint8_t *rnd, + const uint8_t *sk) { unsigned int n; uint8_t seedbuf[2*ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + 2*ML_DSA_CRHBYTES]; @@ -253,7 +253,7 @@ int ml_dsa_signature_internal(ml_dsa_params *params, } /************************************************* -* Name: ml_dsa_signature +* Name: ml_dsa_sign * * Description: FIPS 204: Algorithm 2 ML-DSA.Sign. * Computes signature in hedged mode. @@ -268,14 +268,14 @@ int ml_dsa_signature_internal(ml_dsa_params *params, * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int ml_dsa_signature(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *sk) +int ml_dsa_sign(ml_dsa_params *params, + uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { uint8_t pre[257]; uint8_t rnd[ML_DSA_RNDBYTES]; @@ -291,7 +291,7 @@ int ml_dsa_signature(ml_dsa_params *params, if (!RAND_bytes(rnd, ML_DSA_RNDBYTES)) { return -1; } - ml_dsa_signature_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk); + ml_dsa_sign_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk); /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(pre, sizeof(pre)); @@ -333,7 +333,7 @@ int ml_dsa_sign_message(ml_dsa_params *params, for(i = 0; i < mlen; ++i) { sm[params->bytes + mlen - 1 - i] = m[mlen - 1 - i]; } - ret = ml_dsa_signature(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); + ret = ml_dsa_sign(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); *smlen += mlen; return ret; } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h index bc21a45bd1..fc32be0dd7 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h @@ -12,18 +12,18 @@ int ml_dsa_keypair_internal(ml_dsa_params *params, uint8_t *sk, const uint8_t *seed); -int ml_dsa_signature(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *sk); - -int ml_dsa_signature_internal(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pre, size_t prelen, - const uint8_t *rnd, - const uint8_t *sk); +int ml_dsa_sign(ml_dsa_params *params, + uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int ml_dsa_sign_internal(ml_dsa_params *params, + uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *pre, size_t prelen, + const uint8_t *rnd, + const uint8_t *sk); int ml_dsa_sign_message(ml_dsa_params *params, uint8_t *sm, size_t *smlen, From 03dcaf5b76281ee7da4478c85bb9d23e695d5900 Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Thu, 26 Dec 2024 11:43:42 -0800 Subject: [PATCH 10/12] remove enable_dilithium flag --- crypto/CMakeLists.txt | 13 ++----------- crypto/dilithium/p_pqdsa_test.cc | 13 ------------- crypto/evp_extra/evp_asn1.c | 3 +-- crypto/evp_extra/evp_extra_test.cc | 8 -------- crypto/evp_extra/internal.h | 2 -- crypto/evp_extra/p_methods.c | 2 -- crypto/evp_extra/print.c | 10 ---------- crypto/fipsmodule/bcm.c | 4 ---- crypto/fipsmodule/evp/evp_ctx.c | 2 -- crypto/fipsmodule/evp/internal.h | 9 --------- crypto/x509/algorithm.c | 14 +++----------- crypto/x509/x509_test.cc | 7 ------- include/openssl/evp.h | 18 +++++++++--------- include/openssl/pem.h | 4 ---- tool/speed.cc | 4 ++-- 15 files changed, 17 insertions(+), 96 deletions(-) diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index a503186815..ea68155366 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt @@ -324,16 +324,6 @@ else() file(COPY ${GENERATE_CODE_ROOT}/err_data.c DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/) endif() -set(DILITHIUM_SOURCES) -if(ENABLE_DILITHIUM) - set( - DILITHIUM_SOURCES - - evp_extra/p_pqdsa_asn1.c - dilithium/ml_dsa.c - ) -endif() - set(CRYPTO_ARCH_OBJECTS "") if (ARCH STREQUAL "aarch64" AND CMAKE_GENERATOR MATCHES "Visual Studio") msbuild_aarch64_asm(TARGET crypto_objects ASM_FILES ${CRYPTO_ARCH_SOURCES} OUTPUT_OBJECTS CRYPTO_ARCH_OBJECTS) @@ -411,7 +401,7 @@ add_library( dh_extra/params.c dh_extra/dh_asn1.c digest_extra/digest_extra.c - ${DILITHIUM_SOURCES} + dilithium/ml_dsa.c dsa/dsa.c dsa/dsa_asn1.c ecdh_extra/ecdh_extra.c @@ -431,6 +421,7 @@ add_library( evp_extra/p_ed25519_asn1.c evp_extra/p_hmac_asn1.c evp_extra/p_kem_asn1.c + evp_extra/p_pqdsa_asn1.c evp_extra/p_rsa_asn1.c evp_extra/p_x25519.c evp_extra/p_x25519_asn1.c diff --git a/crypto/dilithium/p_pqdsa_test.cc b/crypto/dilithium/p_pqdsa_test.cc index 4d1dfec2b6..6cad6bd12c 100644 --- a/crypto/dilithium/p_pqdsa_test.cc +++ b/crypto/dilithium/p_pqdsa_test.cc @@ -13,9 +13,6 @@ #include "../fipsmodule/evp/internal.h" #include "../internal.h" #include "../fipsmodule/pqdsa/internal.h" - -#ifdef ENABLE_DILITHIUM - #include "../test/file_test.h" #include "../test/test_util.h" #include "ml_dsa.h" @@ -1518,13 +1515,3 @@ TEST_P(PQDSAParameterTest, ParsePublicKey) { bssl::UniquePtr pkey_from_der(EVP_parse_public_key(&cbs)); ASSERT_TRUE(pkey_from_der); } - -#else - -TEST(PQDSATest, EvpDisabled) { - ASSERT_EQ(nullptr, EVP_PKEY_CTX_new_id(EVP_PKEY_NONE, nullptr)); - bssl::UniquePtr pkey(EVP_PKEY_new()); - ASSERT_FALSE(EVP_PKEY_set_type(pkey.get(), EVP_PKEY_NONE)); -} - -#endif diff --git a/crypto/evp_extra/evp_asn1.c b/crypto/evp_extra/evp_asn1.c index 5537af6aba..1801d5abd2 100644 --- a/crypto/evp_extra/evp_asn1.c +++ b/crypto/evp_extra/evp_asn1.c @@ -99,7 +99,7 @@ static const EVP_PKEY_ASN1_METHOD *parse_key_type(CBS *cbs) { if (OBJ_cbs2nid(&oid) == NID_rsa) { return &rsa_asn1_meth; } -#ifdef ENABLE_DILITHIUM + // The pkey_id for the pqdsa_asn1_meth is EVP_PKEY_PQDSA, as this holds all // asn1 functions for pqdsa types. However, the incoming CBS has the OID for // the specific algorithm. So we must search explicitly for the algorithm. @@ -113,7 +113,6 @@ static const EVP_PKEY_ASN1_METHOD *parse_key_type(CBS *cbs) { return ret; } } -#endif return NULL; } diff --git a/crypto/evp_extra/evp_extra_test.cc b/crypto/evp_extra/evp_extra_test.cc index 6d85556c3d..42437c0efe 100644 --- a/crypto/evp_extra/evp_extra_test.cc +++ b/crypto/evp_extra/evp_extra_test.cc @@ -697,8 +697,6 @@ static const uint8_t kInvalidPrivateKey[] = { 0x48, 0x30, 0x01, 0xaa, 0x02, 0x86, 0xc0, 0x30, 0xdf, 0xe9, 0x80, }; -#ifdef ENABLE_DILITHIUM - // kExampleMLDSA65KeyDER is a ML-DSA private key in ASN.1, DER format. // Of course, you should never use this key anywhere but in an example. static const uint8_t kExampleMLDSA65KeyDER[] = { @@ -1015,8 +1013,6 @@ static const uint8_t kExampleMLDSA65KeyDER[] = { 0xE3, 0x1D, 0xF6, 0xF7, 0xEE, 0x9F, 0xA, 0xC5, 0x91, 0x14, 0x33, 0x4B, 0xDB, 0xC4, 0xEE, 0xC, 0xFB, 0xE4, 0xD1, 0x43, 0xC2, 0x1B, 0xC3, 0x2, 0x9B, 0x6B }; -#endif - static bssl::UniquePtr LoadExampleRSAKey() { bssl::UniquePtr rsa(RSA_private_key_from_bytes(kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER))); @@ -1493,12 +1489,8 @@ TEST(EVPExtraTest, d2i_PrivateKey) { sizeof(kExampleRSAPSSKeyPKCS8))); EXPECT_TRUE( ParsePrivateKey(EVP_PKEY_EC, kExampleECKeyDER, sizeof(kExampleECKeyDER))); - -#ifdef ENABLE_DILITHIUM EXPECT_TRUE(ParsePrivateKey(EVP_PKEY_PQDSA, kExampleMLDSA65KeyDER, sizeof(kExampleMLDSA65KeyDER))); -#endif - EXPECT_FALSE(ParsePrivateKey(EVP_PKEY_EC, kExampleBadECKeyDER, sizeof(kExampleBadECKeyDER))); ERR_clear_error(); diff --git a/crypto/evp_extra/internal.h b/crypto/evp_extra/internal.h index 8be477feb6..6f1de293fb 100644 --- a/crypto/evp_extra/internal.h +++ b/crypto/evp_extra/internal.h @@ -27,9 +27,7 @@ extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meth; extern const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth; extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth; extern const EVP_PKEY_ASN1_METHOD x25519_asn1_meth; -#ifdef ENABLE_DILITHIUM extern const EVP_PKEY_ASN1_METHOD pqdsa_asn1_meth; -#endif extern const EVP_PKEY_ASN1_METHOD kem_asn1_meth; extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth; extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; diff --git a/crypto/evp_extra/p_methods.c b/crypto/evp_extra/p_methods.c index bed85d9168..1899e2b6a8 100644 --- a/crypto/evp_extra/p_methods.c +++ b/crypto/evp_extra/p_methods.c @@ -20,9 +20,7 @@ const EVP_PKEY_ASN1_METHOD *const asn1_evp_pkey_methods[] = { &dsa_asn1_meth, &ed25519_asn1_meth, &x25519_asn1_meth, -#ifdef ENABLE_DILITHIUM &pqdsa_asn1_meth, -#endif &kem_asn1_meth, &hmac_asn1_meth, &dh_asn1_meth diff --git a/crypto/evp_extra/print.c b/crypto/evp_extra/print.c index 0eb6d46268..d446ab3aa1 100644 --- a/crypto/evp_extra/print.c +++ b/crypto/evp_extra/print.c @@ -64,12 +64,8 @@ #include "../internal.h" #include "../fipsmodule/evp/internal.h" #include "../fipsmodule/rsa/internal.h" - -#ifdef ENABLE_DILITHIUM #include "../dilithium/ml_dsa.h" #include "../fipsmodule/pqdsa/internal.h" -#endif - static int print_hex(BIO *bp, const uint8_t *data, size_t len, int off) { for (size_t i = 0; i < len; i++) { @@ -312,8 +308,6 @@ static int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent) { return do_EC_KEY_print(bp, EVP_PKEY_get0_EC_KEY(pkey), indent, 2); } -#ifdef ENABLE_DILITHIUM - // MLDSA keys. static int do_mldsa_65_print(BIO *bp, const EVP_PKEY *pkey, int off, int ptype) { @@ -357,8 +351,6 @@ static int mldsa_65_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent) { return do_mldsa_65_print(bp, pkey, indent, 2); } -#endif - typedef struct { int type; int (*pub_print)(BIO *out, const EVP_PKEY *pkey, int indent); @@ -385,14 +377,12 @@ static EVP_PKEY_PRINT_METHOD kPrintMethods[] = { eckey_priv_print, eckey_param_print, }, -#ifdef ENABLE_DILITHIUM { EVP_PKEY_PQDSA, mldsa_65_pub_print, mldsa_65_priv_print, NULL /* param_print */, }, -#endif }; static size_t kPrintMethodsLen = OPENSSL_ARRAY_SIZE(kPrintMethods); diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c index d26e042e79..ee16ef2ac1 100644 --- a/crypto/fipsmodule/bcm.c +++ b/crypto/fipsmodule/bcm.c @@ -119,9 +119,7 @@ #include "evp/p_hkdf.c" #include "evp/p_hmac.c" #include "evp/p_kem.c" -#ifdef ENABLE_DILITHIUM #include "evp/p_pqdsa.c" -#endif #include "evp/p_rsa.c" #include "hkdf/hkdf.c" #include "hmac/hmac.c" @@ -140,9 +138,7 @@ #include "modes/xts.c" #include "modes/polyval.c" #include "pbkdf/pbkdf.c" -#ifdef ENABLE_DILITHIUM #include "pqdsa/pqdsa.c" -#endif #include "rand/ctrdrbg.c" #include "rand/fork_detect.c" #include "rand/rand.c" diff --git a/crypto/fipsmodule/evp/evp_ctx.c b/crypto/fipsmodule/evp/evp_ctx.c index f30cc7d249..310d7ec674 100644 --- a/crypto/fipsmodule/evp/evp_ctx.c +++ b/crypto/fipsmodule/evp/evp_ctx.c @@ -75,9 +75,7 @@ DEFINE_LOCAL_DATA(struct fips_evp_pkey_methods, AWSLC_fips_evp_pkey_methods) { out->methods[4] = EVP_PKEY_hmac_pkey_meth(); out->methods[5] = EVP_PKEY_ed25519_pkey_meth(); out->methods[6] = EVP_PKEY_kem_pkey_meth(); -#ifdef ENABLE_DILITHIUM out->methods[7] = EVP_PKEY_pqdsa_pkey_meth(); -#endif } static const EVP_PKEY_METHOD *evp_pkey_meth_find(int type) { diff --git a/crypto/fipsmodule/evp/internal.h b/crypto/fipsmodule/evp/internal.h index c65391cbc7..d5186af738 100644 --- a/crypto/fipsmodule/evp/internal.h +++ b/crypto/fipsmodule/evp/internal.h @@ -381,16 +381,9 @@ typedef struct { void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx); #define ED25519_PUBLIC_KEY_OFFSET 32 - -#ifdef ENABLE_DILITHIUM #define FIPS_EVP_PKEY_METHODS 8 #define NON_FIPS_EVP_PKEY_METHODS 3 #define ASN1_EVP_PKEY_METHODS 10 -#else -#define FIPS_EVP_PKEY_METHODS 7 -#define NON_FIPS_EVP_PKEY_METHODS 3 -#define ASN1_EVP_PKEY_METHODS 9 -#endif struct fips_evp_pkey_methods { const EVP_PKEY_METHOD * methods[FIPS_EVP_PKEY_METHODS]; @@ -403,9 +396,7 @@ const EVP_PKEY_METHOD *EVP_PKEY_hkdf_pkey_meth(void); const EVP_PKEY_METHOD *EVP_PKEY_hmac_pkey_meth(void); const EVP_PKEY_METHOD *EVP_PKEY_ed25519_pkey_meth(void); const EVP_PKEY_METHOD *EVP_PKEY_kem_pkey_meth(void); -#ifdef ENABLE_DILITHIUM const EVP_PKEY_METHOD *EVP_PKEY_pqdsa_pkey_meth(void); -#endif #if defined(__cplusplus) } // extern C diff --git a/crypto/x509/algorithm.c b/crypto/x509/algorithm.c index 88da490b82..13e34c7f5a 100644 --- a/crypto/x509/algorithm.c +++ b/crypto/x509/algorithm.c @@ -98,11 +98,9 @@ int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor) { return X509_ALGOR_set0(algor, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL); } -#ifdef ENABLE_DILITHIUM if (EVP_PKEY_id(pkey) == EVP_PKEY_PQDSA) { return X509_ALGOR_set0(algor, OBJ_nid2obj(pkey->pkey.pqdsa_key->pqdsa->nid), V_ASN1_UNDEF, NULL); } -#endif // Default behavior: look up the OID for the algorithm/hash pair and encode // that. @@ -143,12 +141,10 @@ int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg, // when |sigalg_nid| is |NID_rsassaPss|. if (pkey_nid != EVP_PKEY_id(pkey) && !(sigalg_nid == NID_rsassaPss && pkey_nid == NID_rsaEncryption && - EVP_PKEY_id(pkey) == EVP_PKEY_RSA_PSS) -#ifdef ENABLE_DILITHIUM - && !(sigalg_nid == NID_MLDSA65 && pkey_nid == NID_MLDSA65 && + EVP_PKEY_id(pkey) == EVP_PKEY_RSA_PSS) && + !(sigalg_nid == NID_MLDSA65 && pkey_nid == NID_MLDSA65 && EVP_PKEY_id(pkey) == EVP_PKEY_PQDSA) -#endif - ) { + ) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_PUBLIC_KEY_TYPE); return 0; } @@ -164,11 +160,7 @@ int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg, if (sigalg_nid == NID_rsassaPss) { return x509_rsa_pss_to_ctx(ctx, sigalg, pkey); } -#ifdef ENABLE_DILITHIUM if (sigalg_nid == NID_ED25519 || sigalg_nid == NID_MLDSA65) { -#else - if (sigalg_nid == NID_ED25519) { -#endif if (sigalg->parameter != NULL) { OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PARAMETER); return 0; diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc index 9286f88122..7fda8f0c58 100644 --- a/crypto/x509/x509_test.cc +++ b/crypto/x509/x509_test.cc @@ -576,7 +576,6 @@ w1AH9efZBw== -----END CERTIFICATE----- )"; -#ifdef ENABLE_DILITHIUM // This certificate is the example certificate provided in section 3 of //https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/ static const char kMLDSA65Cert[] = R"( @@ -946,8 +945,6 @@ DhQcIi8= -----END CERTIFICATE----- )"; -#endif - // kSANTypesLeaf is a leaf certificate (signed by |kSANTypesRoot|) which // contains SANS for example.com, test@example.com, 127.0.0.1, and // https://example.com/. (The latter is useless for now since crypto/x509 @@ -2923,8 +2920,6 @@ TEST(X509Test, Ed25519Sign) { ASSERT_TRUE(SignatureRoundTrips(md_ctx.get(), pub.get())); } -#ifdef ENABLE_DILITHIUM - TEST(X509Test, MLDSA65SignVerifyCert) { // This test generates a MLDSA65 keypair, generates and signs a // certificate, then verifies the certificate's signature. @@ -2995,8 +2990,6 @@ TEST(X509Test, TestBadParamsMLDSA65) { ERR_clear_error(); } -#endif - static bool PEMToDER(bssl::UniquePtr *out, size_t *out_len, const char *pem) { bssl::UniquePtr bio(BIO_new_mem_buf(pem, strlen(pem))); diff --git a/include/openssl/evp.h b/include/openssl/evp.h index e09b68ffd7..bb35b3dc4f 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -198,11 +198,7 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int #define EVP_PKEY_HKDF NID_hkdf #define EVP_PKEY_HMAC NID_hmac #define EVP_PKEY_DH NID_dhKeyAgreement - -#ifdef ENABLE_DILITHIUM #define EVP_PKEY_PQDSA NID_PQDSA -#endif - #define EVP_PKEY_KEM NID_kem // EVP_PKEY_set_type sets the type of |pkey| to |type|. It returns one if @@ -944,24 +940,28 @@ OPENSSL_EXPORT int EVP_PKEY_kem_check_key(EVP_PKEY *key); // PQDSA specific functions. -#ifdef ENABLE_DILITHIUM // EVP_PKEY_CTX_pqdsa_set_params sets in |ctx| the parameters associated with // the signature scheme defined by the given |nid|. It returns one on success -// and zero on error. +// and zero on error. This API is marked as EXPERIMENTAL (using the deprecated +// warning) to indicate that this API may change as the standards around the +// signature schemes finalize. OPENSSL_EXPORT int EVP_PKEY_CTX_pqdsa_set_params(EVP_PKEY_CTX *ctx, int nid); // EVP_PKEY_pqdsa_new_raw_public_key generates a new EVP_PKEY object of type // EVP_PKEY_PQDSA, initializes the PQDSA key based on |nid| and populates the // public key part of the PQDSA key with the contents of |in|. It returns the -// pointer to the allocated PKEY on sucess and NULL on error. +// pointer to the allocated PKEY on sucess and NULL on error. This API is marked +// as EXPERIMENTAL to indicate that this API may change as the standards around +// the signature schemes finalize. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_pqdsa_new_raw_public_key(int nid, const uint8_t *in, size_t len); // EVP_PKEY_pqdsa_new_raw_private_key generates a new EVP_PKEY object of type // EVP_PKEY_PQDSA, initializes the PQDSA key based on |nid| and populates the // secret key part of the PQDSA key with the contents of |in|. It returns the -// pointer to the allocated PKEY on sucess and NULL on error. + // pointer to the allocated PKEY on sucess and NULL on error. This API is marked +// as EXPERIMENTAL to indicate that this API may change as the standards around +// the signature schemes finalize. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_pqdsa_new_raw_private_key(int nid, const uint8_t *in, size_t len); -#endif // Diffie-Hellman-specific control functions. diff --git a/include/openssl/pem.h b/include/openssl/pem.h index f560bad33b..b499a4a8fc 100644 --- a/include/openssl/pem.h +++ b/include/openssl/pem.h @@ -88,12 +88,8 @@ extern "C" { #define PEM_STRING_PUBLIC "PUBLIC KEY" #define PEM_STRING_RSA "RSA PRIVATE KEY" #define PEM_STRING_RSA_PUBLIC "RSA PUBLIC KEY" - -#ifdef ENABLE_DILITHIUM #define PEM_STRING_DILITHIUM3 "DILITHIUM3 PRIVATE KEY" #define PEM_STRING_DILITHIUM3_PUBLIC "DILITHIUM3 PUBLIC KEY" -#endif - #define PEM_STRING_DSA "DSA PRIVATE KEY" #define PEM_STRING_DSA_PUBLIC "DSA PUBLIC KEY" #define PEM_STRING_EC "EC PRIVATE KEY" diff --git a/tool/speed.cc b/tool/speed.cc index a0e4915472..26a7f65d44 100644 --- a/tool/speed.cc +++ b/tool/speed.cc @@ -867,7 +867,7 @@ static bool SpeedKEM(std::string selected) { SpeedSingleKEM("Kyber1024_R3", NID_KYBER1024_R3, selected); } -#if defined(ENABLE_DILITHIUM) && AWSLC_API_VERSION > 31 +#if AWSLC_API_VERSION > 31 static bool SpeedDigestSignNID(const std::string &name, int nid, const std::string &selected) { @@ -2866,7 +2866,7 @@ bool Speed(const std::vector &args) { #if AWSLC_API_VERSION > 16 !SpeedKEM(selected) || #endif -#if defined(ENABLE_DILITHIUM) && AWSLC_API_VERSION > 31 +#if AWSLC_API_VERSION > 31 !SpeedDigestSign(selected) || #endif !SpeedAEADSeal(EVP_aead_aes_128_gcm(), "AEAD-AES-128-GCM", kTLSADLen, selected) || From 2261a5aa697dbc02fad96e540f64586ee6c4962e Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Tue, 31 Dec 2024 15:18:34 -0800 Subject: [PATCH 11/12] clean up comment double brace --- include/openssl/evp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/openssl/evp.h b/include/openssl/evp.h index bb35b3dc4f..8865a5a065 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -958,7 +958,7 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_pqdsa_new_raw_public_key(int nid, const uint8_ // EVP_PKEY_pqdsa_new_raw_private_key generates a new EVP_PKEY object of type // EVP_PKEY_PQDSA, initializes the PQDSA key based on |nid| and populates the // secret key part of the PQDSA key with the contents of |in|. It returns the - // pointer to the allocated PKEY on sucess and NULL on error. This API is marked +// pointer to the allocated PKEY on sucess and NULL on error. This API is marked // as EXPERIMENTAL to indicate that this API may change as the standards around // the signature schemes finalize. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_pqdsa_new_raw_private_key(int nid, const uint8_t *in, size_t len); From 3c9fde88fcf6ba11630b567249245199e33f3d71 Mon Sep 17 00:00:00 2001 From: Jake Massimo Date: Thu, 2 Jan 2025 10:03:12 -0800 Subject: [PATCH 12/12] removed unused dilithium pem string --- include/openssl/pem.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/openssl/pem.h b/include/openssl/pem.h index b499a4a8fc..5402a5509b 100644 --- a/include/openssl/pem.h +++ b/include/openssl/pem.h @@ -88,8 +88,6 @@ extern "C" { #define PEM_STRING_PUBLIC "PUBLIC KEY" #define PEM_STRING_RSA "RSA PRIVATE KEY" #define PEM_STRING_RSA_PUBLIC "RSA PUBLIC KEY" -#define PEM_STRING_DILITHIUM3 "DILITHIUM3 PRIVATE KEY" -#define PEM_STRING_DILITHIUM3_PUBLIC "DILITHIUM3 PUBLIC KEY" #define PEM_STRING_DSA "DSA PRIVATE KEY" #define PEM_STRING_DSA_PUBLIC "DSA PUBLIC KEY" #define PEM_STRING_EC "EC PRIVATE KEY"