diff --git a/.github/workflows/aws-lc-rs.yml b/.github/workflows/aws-lc-rs.yml index 6e4bf93a62..f5b39850cc 100644 --- a/.github/workflows/aws-lc-rs.yml +++ b/.github/workflows/aws-lc-rs.yml @@ -11,7 +11,7 @@ env: GOPROXY: https://proxy.golang.org,direct AWS_LC_SYS_CMAKE_BUILDER: 1 RUST_NIGHTLY_TOOLCHAIN: nightly - RUST_SCRIPT_NIGHTLY_TOOLCHAIN: nightly-2024-05-22 + RUST_SCRIPT_NIGHTLY_TOOLCHAIN: nightly jobs: aws-lc-rs-bindgen: if: github.repository_owner == 'aws' diff --git a/crypto/dilithium/ml_dsa.c b/crypto/dilithium/ml_dsa.c index 1c80a1a524..4aa5fe6683 100644 --- a/crypto/dilithium/ml_dsa.c +++ b/crypto/dilithium/ml_dsa.c @@ -27,7 +27,7 @@ int ml_dsa_44_keypair(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return (crypto_sign_keypair(¶ms, public_key, private_key) == 0); + return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } int ml_dsa_44_keypair_internal(uint8_t *public_key /* OUT */, @@ -35,7 +35,7 @@ int ml_dsa_44_keypair_internal(uint8_t *public_key /* OUT */, const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_keypair_internal(¶ms, public_key, private_key, seed) == 0; + return ml_dsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } int ml_dsa_44_sign(const uint8_t *private_key /* IN */, @@ -47,8 +47,8 @@ int ml_dsa_44_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, @@ -61,8 +61,8 @@ int ml_dsa_44_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_44_verify(const uint8_t *public_key /* IN */, @@ -74,8 +74,8 @@ int ml_dsa_44_verify(const uint8_t *public_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, public_key) == 0; } int ml_dsa_44_verify_internal(const uint8_t *public_key /* IN */, @@ -87,15 +87,15 @@ int ml_dsa_44_verify_internal(const uint8_t *public_key /* IN */, size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_44_params_init(¶ms); - return crypto_sign_verify_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, public_key) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, public_key) == 0; } int ml_dsa_65_keypair(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return (crypto_sign_keypair(¶ms, public_key, private_key) == 0); + return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } int ml_dsa_65_keypair_internal(uint8_t *public_key /* OUT */, @@ -103,7 +103,7 @@ int ml_dsa_65_keypair_internal(uint8_t *public_key /* OUT */, const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_keypair_internal(¶ms, public_key, private_key, seed) == 0; + return ml_dsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } int ml_dsa_65_sign(const uint8_t *private_key /* IN */, @@ -115,8 +115,8 @@ int ml_dsa_65_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, @@ -129,8 +129,8 @@ int ml_dsa_65_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_65_verify(const uint8_t *public_key /* IN */, @@ -142,8 +142,8 @@ int ml_dsa_65_verify(const uint8_t *public_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, public_key) == 0; } int ml_dsa_65_verify_internal(const uint8_t *public_key /* IN */, @@ -155,15 +155,15 @@ int ml_dsa_65_verify_internal(const uint8_t *public_key /* IN */, size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_65_params_init(¶ms); - return crypto_sign_verify_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, public_key) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, public_key) == 0; } int ml_dsa_87_keypair(uint8_t *public_key /* OUT */, uint8_t *private_key /* OUT */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return (crypto_sign_keypair(¶ms, public_key, private_key) == 0); + return (ml_dsa_keypair(¶ms, public_key, private_key) == 0); } int ml_dsa_87_keypair_internal(uint8_t *public_key /* OUT */, @@ -171,7 +171,7 @@ int ml_dsa_87_keypair_internal(uint8_t *public_key /* OUT */, const uint8_t *seed /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_keypair_internal(¶ms, public_key, private_key, seed) == 0; + return ml_dsa_keypair_internal(¶ms, public_key, private_key, seed) == 0; } int ml_dsa_87_sign(const uint8_t *private_key /* IN */, @@ -183,8 +183,8 @@ int ml_dsa_87_sign(const uint8_t *private_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_signature(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, private_key) == 0; + return ml_dsa_sign(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, private_key) == 0; } int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, @@ -197,8 +197,8 @@ int ml_dsa_87_sign_internal(const uint8_t *private_key /* IN */, uint8_t *rnd /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_signature_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, rnd, private_key) == 0; + return ml_dsa_sign_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, rnd, private_key) == 0; } int ml_dsa_87_verify(const uint8_t *public_key /* IN */, @@ -210,8 +210,8 @@ int ml_dsa_87_verify(const uint8_t *public_key /* IN */, size_t ctx_string_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_verify(¶ms, sig, sig_len, message, message_len, - ctx_string, ctx_string_len, public_key) == 0; + return ml_dsa_verify(¶ms, sig, sig_len, message, message_len, + ctx_string, ctx_string_len, public_key) == 0; } int ml_dsa_87_verify_internal(const uint8_t *public_key /* IN */, @@ -223,7 +223,6 @@ int ml_dsa_87_verify_internal(const uint8_t *public_key /* IN */, size_t pre_len /* IN */) { ml_dsa_params params; ml_dsa_87_params_init(¶ms); - return crypto_sign_verify_internal(¶ms, sig, sig_len, message, message_len, - pre, pre_len, public_key) == 0; + return ml_dsa_verify_internal(¶ms, sig, sig_len, message, message_len, + pre, pre_len, public_key) == 0; } - diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c index b9260d6750..93a91e57c0 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c @@ -3,7 +3,7 @@ #include "ntt.h" #include "reduce.h" -static const int32_t zetas[N] = { +static const int32_t zetas[ML_DSA_N] = { 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549, @@ -39,7 +39,7 @@ static const int32_t zetas[N] = { }; /************************************************* -* Name: ntt +* Name: ml_dsa_ntt * * Description: FIPS 204: Algorithm 41. * Forward NTT, in-place. No modular reduction is performed after @@ -47,16 +47,16 @@ static const int32_t zetas[N] = { * * Arguments: - uint32_t p[N]: input/output coefficient array **************************************************/ -void ntt(int32_t a[N]) { +void ml_dsa_ntt(int32_t a[ML_DSA_N]) { unsigned int len, start, j, k; int32_t zeta, t; k = 0; for(len = 128; len > 0; len >>= 1) { - for(start = 0; start < N; start = j + len) { + for(start = 0; start < ML_DSA_N; start = j + len) { zeta = zetas[++k]; for(j = start; j < start + len; ++j) { - t = fqmul(zeta, a[j + len]); + t = ml_dsa_fqmul(zeta, a[j + len]); a[j + len] = a[j] - t; a[j] = a[j] + t; } @@ -65,7 +65,7 @@ void ntt(int32_t a[N]) { } /************************************************* -* Name: invntt_tomont +* Name: ml_dsa_invntt_tomont * * Description: FIPS 204: Algorithm 42. * Inverse NTT and multiplication by Montgomery factor 2^32. @@ -76,25 +76,25 @@ void ntt(int32_t a[N]) { * * Arguments: - uint32_t p[N]: input/output coefficient array **************************************************/ -void invntt_tomont(int32_t a[N]) { +void ml_dsa_invntt_tomont(int32_t a[ML_DSA_N]) { unsigned int start, len, j, k; int32_t t, zeta; const int32_t f = 41978; // mont^2/256 k = 256; - for(len = 1; len < N; len <<= 1) { - for(start = 0; start < N; start = j + len) { + for(len = 1; len < ML_DSA_N; len <<= 1) { + for(start = 0; start < ML_DSA_N; start = j + len) { zeta = -zetas[--k]; for(j = start; j < start + len; ++j) { t = a[j]; a[j] = t + a[j + len]; a[j + len] = t - a[j + len]; - a[j + len] = fqmul(zeta, a[j + len]); + a[j + len] = ml_dsa_fqmul(zeta, a[j + len]); } } } - for(j = 0; j < N; ++j) { - a[j] = fqmul(f, a[j]); + for(j = 0; j < ML_DSA_N; ++j) { + a[j] = ml_dsa_fqmul(f, a[j]); } } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h index ecceb13941..108a8b1228 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.h @@ -1,11 +1,11 @@ -#ifndef NTT_H -#define NTT_H +#ifndef ML_DSA_NTT_H +#define ML_DSA_NTT_H #include #include "params.h" -void ntt(int32_t a[N]); +void ml_dsa_ntt(int32_t a[ML_DSA_N]); -void invntt_tomont(int32_t a[N]); +void ml_dsa_invntt_tomont(int32_t a[ML_DSA_N]); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c index 4504a72ff4..5ee0b62529 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.c @@ -4,7 +4,7 @@ #include "poly.h" /************************************************* -* Name: pack_pk +* Name: ml_dsa_pack_pk * * Description: FIPS 204: Algorithm 22 pkEncode. * Bit-pack public key pk = (rho, t1). @@ -14,25 +14,25 @@ * - const uint8_t rho[]: byte array containing rho * - const polyveck *t1: pointer to vector t1 **************************************************/ -void pack_pk(ml_dsa_params *params, - uint8_t *pk, - const uint8_t rho[SEEDBYTES], - const polyveck *t1) +void ml_dsa_pack_pk(ml_dsa_params *params, + uint8_t *pk, + const uint8_t rho[ML_DSA_SEEDBYTES], + const polyveck *t1) { unsigned int i; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { pk[i] = rho[i]; } - pk += SEEDBYTES; + pk += ML_DSA_SEEDBYTES; for(i = 0; i < params->k; ++i) { - polyt1_pack(pk + i*POLYT1_PACKEDBYTES, &t1->vec[i]); + ml_dsa_polyt1_pack(pk + i * ML_DSA_POLYT1_PACKEDBYTES, &t1->vec[i]); } } /************************************************* -* Name: unpack_pk +* Name: ml_dsa_unpack_pk * * Description: FIPS 204: Algorithm 23 pkDecode. * Unpack public key pk = (rho, t1). @@ -42,25 +42,25 @@ void pack_pk(ml_dsa_params *params, * - const polyveck *t1: pointer to output vector t1 * - uint8_t pk[]: pointer to byte array containing bit-packed pk **************************************************/ -void unpack_pk(ml_dsa_params *params, - uint8_t rho[SEEDBYTES], - polyveck *t1, - const uint8_t *pk) +void ml_dsa_unpack_pk(ml_dsa_params *params, + uint8_t rho[ML_DSA_SEEDBYTES], + polyveck *t1, + const uint8_t *pk) { unsigned int i; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { rho[i] = pk[i]; } - pk += SEEDBYTES; + pk += ML_DSA_SEEDBYTES; for(i = 0; i < params->k; ++i) { - polyt1_unpack(&t1->vec[i], pk + i*POLYT1_PACKEDBYTES); + ml_dsa_polyt1_unpack(&t1->vec[i], pk + i * ML_DSA_POLYT1_PACKEDBYTES); } } /************************************************* -* Name: pack_sk +* Name: ml_dsa_pack_sk * * Description: FIPS 204: Algorithm 24 skEncode. * Bit-pack secret key sk = (rho, tr, key, t0, s1, s2). @@ -74,49 +74,49 @@ void unpack_pk(ml_dsa_params *params, * - const polyvecl *s1: pointer to vector s1 * - const polyveck *s2: pointer to vector s2 **************************************************/ -void pack_sk(ml_dsa_params *params, - uint8_t *sk, - const uint8_t rho[SEEDBYTES], - const uint8_t tr[TRBYTES], - const uint8_t key[SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2) +void ml_dsa_pack_sk(ml_dsa_params *params, + uint8_t *sk, + const uint8_t rho[ML_DSA_SEEDBYTES], + const uint8_t tr[ML_DSA_TRBYTES], + const uint8_t key[ML_DSA_SEEDBYTES], + const polyveck *t0, + const polyvecl *s1, + const polyveck *s2) { unsigned int i; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { sk[i] = rho[i]; } - sk += SEEDBYTES; + sk += ML_DSA_SEEDBYTES; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { sk[i] = key[i]; } - sk += SEEDBYTES; + sk += ML_DSA_SEEDBYTES; - for(i = 0; i < TRBYTES; ++i) { + for(i = 0; i < ML_DSA_TRBYTES; ++i) { sk[i] = tr[i]; } - sk += TRBYTES; + sk += ML_DSA_TRBYTES; for(i = 0; i < params->l; ++i) { - polyeta_pack(params, sk + i * params->poly_eta_packed_bytes, &s1->vec[i]); + ml_dsa_polyeta_pack(params, sk + i * params->poly_eta_packed_bytes, &s1->vec[i]); } sk += params->l * params->poly_eta_packed_bytes; for(i = 0; i < params->k; ++i) { - polyeta_pack(params,sk + i * params->poly_eta_packed_bytes, &s2->vec[i]); + ml_dsa_polyeta_pack(params,sk + i * params->poly_eta_packed_bytes, &s2->vec[i]); } sk += params->k * params->poly_eta_packed_bytes; for(i = 0; i < params->k; ++i) { - polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]); + ml_dsa_polyt0_pack(sk + i * ML_DSA_POLYT0_PACKEDBYTES, &t0->vec[i]); } } /************************************************* -* Name: unpack_sk +* Name: ml_dsa_unpack_sk * * Description: FIPS 204: Algorithm 25 skDecode. * Unpack secret key sk = (rho, tr, key, t0, s1, s2). @@ -130,49 +130,49 @@ void pack_sk(ml_dsa_params *params, * - const polyveck *s2: pointer to output vector s2 * - uint8_t sk[]: pointer to byte array containing bit-packed sk **************************************************/ -void unpack_sk(ml_dsa_params *params, - uint8_t rho[SEEDBYTES], - uint8_t tr[TRBYTES], - uint8_t key[SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t *sk) +void ml_dsa_unpack_sk(ml_dsa_params *params, + uint8_t rho[ML_DSA_SEEDBYTES], + uint8_t tr[ML_DSA_TRBYTES], + uint8_t key[ML_DSA_SEEDBYTES], + polyveck *t0, + polyvecl *s1, + polyveck *s2, + const uint8_t *sk) { unsigned int i; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { rho[i] = sk[i]; } - sk += SEEDBYTES; + sk += ML_DSA_SEEDBYTES; - for(i = 0; i < SEEDBYTES; ++i) { + for(i = 0; i < ML_DSA_SEEDBYTES; ++i) { key[i] = sk[i]; } - sk += SEEDBYTES; + sk += ML_DSA_SEEDBYTES; - for(i = 0; i < TRBYTES; ++i) { + for(i = 0; i < ML_DSA_TRBYTES; ++i) { tr[i] = sk[i]; } - sk += TRBYTES; + sk += ML_DSA_TRBYTES; for(i=0; i < params->l; ++i) { - polyeta_unpack(params, &s1->vec[i], sk + i * params->poly_eta_packed_bytes); + ml_dsa_polyeta_unpack(params, &s1->vec[i], sk + i * params->poly_eta_packed_bytes); } sk += params->l * params->poly_eta_packed_bytes; for(i=0; i < params->k; ++i) { - polyeta_unpack(params, &s2->vec[i], sk + i * params->poly_eta_packed_bytes); + ml_dsa_polyeta_unpack(params, &s2->vec[i], sk + i * params->poly_eta_packed_bytes); } sk += params->k * params->poly_eta_packed_bytes; for(i=0; i < params->k; ++i) { - polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES); + ml_dsa_polyt0_unpack(&t0->vec[i], sk + i * ML_DSA_POLYT0_PACKEDBYTES); } } /************************************************* -* Name: pack_sig +* Name: ml_dsa_pack_sig * * Description: FIPS 204: Algorithm 26 sigEncode. * Bit-pack signature sig = (c, z, h). @@ -183,11 +183,11 @@ void unpack_sk(ml_dsa_params *params, * - const polyvecl *z: pointer to vector z * - const polyveck *h: pointer to hint vector h **************************************************/ -void pack_sig(ml_dsa_params *params, - uint8_t *sig, - const uint8_t *c, - const polyvecl *z, - const polyveck *h) +void ml_dsa_pack_sig(ml_dsa_params *params, + uint8_t *sig, + const uint8_t *c, + const polyvecl *z, + const polyveck *h) { unsigned int i, j, k; @@ -197,7 +197,7 @@ void pack_sig(ml_dsa_params *params, sig += params->c_tilde_bytes; for(i = 0; i < params->l; ++i) { - polyz_pack(params, sig + i * params->poly_z_packed_bytes, &z->vec[i]); + ml_dsa_polyz_pack(params, sig + i * params->poly_z_packed_bytes, &z->vec[i]); } sig += params->l * params->poly_z_packed_bytes; @@ -208,7 +208,7 @@ void pack_sig(ml_dsa_params *params, k = 0; for(i = 0; i < params->k; ++i) { - for(j = 0; j < N; ++j) { + for(j = 0; j < ML_DSA_N; ++j) { if(h->vec[i].coeffs[j] != 0) { sig[k++] = j; } @@ -219,7 +219,7 @@ void pack_sig(ml_dsa_params *params, } /************************************************* -* Name: unpack_sig +* Name: ml_dsa_unpack_sig * * Description: FIPS 204: Algorithm 27 sigDecode. * Unpack signature sig = (c, z, h). @@ -233,11 +233,11 @@ void pack_sig(ml_dsa_params *params, * * Returns 1 in case of malformed signature; otherwise 0. **************************************************/ -int unpack_sig(ml_dsa_params *params, - uint8_t *c, - polyvecl *z, - polyveck *h, - const uint8_t *sig) +int ml_dsa_unpack_sig(ml_dsa_params *params, + uint8_t *c, + polyvecl *z, + polyveck *h, + const uint8_t *sig) { unsigned int i, j, k; @@ -247,14 +247,14 @@ int unpack_sig(ml_dsa_params *params, sig += params->c_tilde_bytes; for(i = 0; i < params->l; ++i) { - polyz_unpack(params, &z->vec[i], sig + i * params->poly_z_packed_bytes); + ml_dsa_polyz_unpack(params, &z->vec[i], sig + i * params->poly_z_packed_bytes); } sig += params->l * params->poly_z_packed_bytes; /* Decode h */ k = 0; for(i = 0; i < params->k; ++i) { - for(j = 0; j < N; ++j) { + for(j = 0; j < ML_DSA_N; ++j) { h->vec[i].coeffs[j] = 0; } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.h index f9fd3bf1fe..a8d525d3d0 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/packing.h @@ -1,48 +1,48 @@ -#ifndef PACKING_H -#define PACKING_H +#ifndef ML_DSA_PACKING_H +#define ML_DSA_PACKING_H #include #include "params.h" #include "polyvec.h" -void pack_pk(ml_dsa_params *params, - uint8_t *pk, - const uint8_t rho[SEEDBYTES], - const polyveck *t1); - -void pack_sk(ml_dsa_params *params, - uint8_t *sk, - const uint8_t rho[SEEDBYTES], - const uint8_t tr[TRBYTES], - const uint8_t key[SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2); - -void pack_sig(ml_dsa_params *params, - uint8_t *sig, - const uint8_t *c, - const polyvecl *z, - const polyveck *h); - -void unpack_pk(ml_dsa_params *params, - uint8_t rho[SEEDBYTES], - polyveck *t1, - const uint8_t *pk); - -void unpack_sk(ml_dsa_params *params, - uint8_t rho[SEEDBYTES], - uint8_t tr[TRBYTES], - uint8_t key[SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t *sk); - -int unpack_sig(ml_dsa_params *params, - uint8_t *c, - polyvecl *z, - polyveck *h, - const uint8_t *sig); +void ml_dsa_pack_pk(ml_dsa_params *params, + uint8_t *pk, + const uint8_t rho[ML_DSA_SEEDBYTES], + const polyveck *t1); + +void ml_dsa_pack_sk(ml_dsa_params *params, + uint8_t *sk, + const uint8_t rho[ML_DSA_SEEDBYTES], + const uint8_t tr[ML_DSA_TRBYTES], + const uint8_t key[ML_DSA_SEEDBYTES], + const polyveck *t0, + const polyvecl *s1, + const polyveck *s2); + +void ml_dsa_pack_sig(ml_dsa_params *params, + uint8_t *sig, + const uint8_t *c, + const polyvecl *z, + const polyveck *h); + +void ml_dsa_unpack_pk(ml_dsa_params *params, + uint8_t rho[ML_DSA_SEEDBYTES], + polyveck *t1, + const uint8_t *pk); + +void ml_dsa_unpack_sk(ml_dsa_params *params, + uint8_t rho[ML_DSA_SEEDBYTES], + uint8_t tr[ML_DSA_TRBYTES], + uint8_t key[ML_DSA_SEEDBYTES], + polyveck *t0, + polyvecl *s1, + polyveck *s2, + const uint8_t *sk); + +int ml_dsa_unpack_sig(ml_dsa_params *params, + uint8_t *c, + polyvecl *z, + polyveck *h, + const uint8_t *sig); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c index 9d28db175c..8eae29af76 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.c @@ -16,7 +16,7 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->omega = 80; params->c_tilde_bytes = 32; params->gamma1 = (1 << 17); - params->gamma2 = (Q-1)/88; + params->gamma2 = (ML_DSA_Q-1)/88; params->eta = 2; params->poly_z_packed_bytes = 576; params->poly_w1_packed_bytes = 192; @@ -24,9 +24,14 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->poly_vech_packed_bytes = (params->omega + params->k); // Sizes for ML-DSA-44 keys and signatures from Table 2. FIPS-204. - params->public_key_bytes = (SEEDBYTES + params->k * POLYT1_PACKEDBYTES); - params->secret_key_bytes = (2 * SEEDBYTES + TRBYTES + params->l * params->poly_eta_packed_bytes + params->k * params->poly_eta_packed_bytes + params->k * POLYT0_PACKEDBYTES); - params->bytes = (params->c_tilde_bytes + params->l * params->poly_z_packed_bytes + params->poly_vech_packed_bytes); + params->public_key_bytes = (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); + params->secret_key_bytes = (2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + + params->l * params->poly_eta_packed_bytes + + params->k * params->poly_eta_packed_bytes + + params->k * ML_DSA_POLYT0_PACKEDBYTES); + params->bytes = (params->c_tilde_bytes + + params->l * params->poly_z_packed_bytes + + params->poly_vech_packed_bytes); } else if (k == 3) { // Parameters for ML-DSA-65 from Table 1. FIPS-204: ML-DSA Parameter Sets. @@ -38,7 +43,7 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->omega = 55; params->c_tilde_bytes = 48; params->gamma1 = (1 << 19); - params->gamma2 = (Q-1)/32; + params->gamma2 = (ML_DSA_Q-1)/32; params->eta = 4; params->poly_z_packed_bytes = 640; params->poly_w1_packed_bytes = 128; @@ -46,9 +51,14 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->poly_vech_packed_bytes = (params->omega + params->k); // Sizes for ML-DSA-65 keys and signatures from Table 2. FIPS-204. - params->public_key_bytes = (SEEDBYTES + params->k * POLYT1_PACKEDBYTES); - params->secret_key_bytes = (2 * SEEDBYTES + TRBYTES + params->l * params->poly_eta_packed_bytes + params->k * params->poly_eta_packed_bytes + params->k * POLYT0_PACKEDBYTES); - params->bytes = (params->c_tilde_bytes + params->l * params->poly_z_packed_bytes + params->poly_vech_packed_bytes); + params->public_key_bytes = (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); + params->secret_key_bytes = (2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + + params->l * params->poly_eta_packed_bytes + + params->k * params->poly_eta_packed_bytes + + params->k * ML_DSA_POLYT0_PACKEDBYTES); + params->bytes = (params->c_tilde_bytes + + params->l * params->poly_z_packed_bytes + + params->poly_vech_packed_bytes); } else { // Parameters for ML-DSA-87 from Table 1. FIPS-204: ML-DSA Parameter Sets. @@ -60,7 +70,7 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->omega = 75; params->c_tilde_bytes = 64; params->gamma1 = (1 << 19); - params->gamma2 = (Q-1)/32; + params->gamma2 = (ML_DSA_Q-1)/32; params->eta = 2; params->poly_z_packed_bytes = 640; params->poly_w1_packed_bytes = 128; @@ -68,9 +78,14 @@ static void ml_dsa_params_init(ml_dsa_params *params, size_t k) { params->poly_vech_packed_bytes = (params->omega + params->k); // Sizes for ML-DSA-87 keys and signatures from Table 2. FIPS-204. - params->public_key_bytes = (SEEDBYTES + params->k * POLYT1_PACKEDBYTES); - params->secret_key_bytes = (2 * SEEDBYTES + TRBYTES + params->l * params->poly_eta_packed_bytes + params->k * params->poly_eta_packed_bytes + params->k * POLYT0_PACKEDBYTES); - params->bytes = (params->c_tilde_bytes + params->l * params->poly_z_packed_bytes + params->poly_vech_packed_bytes); + params->public_key_bytes = (ML_DSA_SEEDBYTES + params->k * ML_DSA_POLYT1_PACKEDBYTES); + params->secret_key_bytes = (2 * ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + + params->l * params->poly_eta_packed_bytes + + params->k * params->poly_eta_packed_bytes + + params->k * ML_DSA_POLYT0_PACKEDBYTES); + params->bytes = (params->c_tilde_bytes + + params->l * params->poly_z_packed_bytes + + params->poly_vech_packed_bytes); } } @@ -83,4 +98,3 @@ void ml_dsa_65_params_init(ml_dsa_params *params) { void ml_dsa_87_params_init(ml_dsa_params *params) { ml_dsa_params_init(params, 5); } - diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h index 2cdbaad391..f67d751664 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/params.h @@ -1,20 +1,19 @@ -#ifndef PARAMS_H -#define PARAMS_H +#ifndef ML_DSA_PARAMS_H +#define ML_DSA_PARAMS_H // The only defined parameters are those that don't depend // on the parameter set. All other parameters are specified // in ml_dsa_params structure that is unique for each parameter // set (ML-DSA 44/65/87). -#define SEEDBYTES 32 -#define CRHBYTES 64 -#define TRBYTES 64 -#define RNDBYTES 32 -#define N 256 -#define Q 8380417 -#define D 13 -#define ROOT_OF_UNITY 1753 -#define POLYT1_PACKEDBYTES 320 -#define POLYT0_PACKEDBYTES 416 +#define ML_DSA_SEEDBYTES 32 +#define ML_DSA_CRHBYTES 64 +#define ML_DSA_TRBYTES 64 +#define ML_DSA_RNDBYTES 32 +#define ML_DSA_N 256 +#define ML_DSA_Q 8380417 +#define ML_DSA_D 13 +#define ML_DSA_POLYT1_PACKEDBYTES 320 +#define ML_DSA_POLYT0_PACKEDBYTES 416 // Structure for ML-DSA parameters that depend on the parameter set. typedef struct { @@ -38,12 +37,12 @@ typedef struct { // We define max values for some parameters because they are used // for static allocation. -#define DILITHIUM_K_MAX (8) -#define DILITHIUM_L_MAX (7) -#define DILITHIUM_C_TILDE_BYTES_MAX (64) -#define DILITHIUM_POLYW1_PACKEDBYTES_MAX (192) -#define DILITHIUM_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_RATE - 1)/SHAKE256_RATE) -#define DILITHIUM_POLYZ_PACKEDBYTES_MAX (576) +#define ML_DSA_K_MAX (8) +#define ML_DSA_L_MAX (7) +#define ML_DSA_C_TILDE_BYTES_MAX (64) +#define ML_DSA_POLYW1_PACKEDBYTES_MAX (192) +#define ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_RATE - 1)/SHAKE256_RATE) +#define ML_DSA_POLYZ_PACKEDBYTES_MAX (576) void ml_dsa_44_params_init(ml_dsa_params *params); void ml_dsa_65_params_init(ml_dsa_params *params); diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c index ab257b71ac..063212864b 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c @@ -7,37 +7,37 @@ #include "../../fipsmodule/sha/internal.h" /************************************************* -* Name: poly_reduce +* Name: ml_dsa_poly_reduce * * Description: Inplace reduction of all coefficients of polynomial to * representative in [-6283009,6283007]. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_reduce(poly *a) { +void ml_dsa_poly_reduce(ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { - a->coeffs[i] = reduce32(a->coeffs[i]); + for(i = 0; i < ML_DSA_N; ++i) { + a->coeffs[i] = ml_dsa_reduce32(a->coeffs[i]); } } /************************************************* -* Name: poly_caddq +* Name: ml_dsa_poly_caddq * * Description: For all coefficients of in/out polynomial add Q if * coefficient is negative. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_caddq(poly *a) { +void ml_dsa_poly_caddq(ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { - a->coeffs[i] = caddq(a->coeffs[i]); + for(i = 0; i < ML_DSA_N; ++i) { + a->coeffs[i] = ml_dsa_caddq(a->coeffs[i]); } } /************************************************* -* Name: poly_add +* Name: ml_dsa_poly_add * * Description: Add polynomials. No modular reduction is performed. * @@ -45,15 +45,15 @@ void poly_caddq(poly *a) { * - const poly *a: pointer to first summand * - const poly *b: pointer to second summand **************************************************/ -void poly_add(poly *c, const poly *a, const poly *b) { +void ml_dsa_poly_add(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] + b->coeffs[i]; } } /************************************************* -* Name: poly_sub +* Name: ml_dsa_poly_sub * * Description: Subtract polynomials. No modular reduction is * performed. @@ -63,42 +63,42 @@ void poly_add(poly *c, const poly *a, const poly *b) { * - const poly *b: pointer to second input polynomial to be * subtraced from first input polynomial **************************************************/ -void poly_sub(poly *c, const poly *a, const poly *b) { +void ml_dsa_poly_sub(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b) { unsigned int i; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = a->coeffs[i] - b->coeffs[i]; } } /************************************************* -* Name: poly_shiftl +* Name: ml_dsa_poly_shiftl * * Description: Multiply polynomial by 2^D without modular reduction. Assumes * input coefficients to be less than 2^{31-D} in absolute value. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_shiftl(poly *a) { +void ml_dsa_poly_shiftl(ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { - a->coeffs[i] <<= D; + for(i = 0; i < ML_DSA_N; ++i) { + a->coeffs[i] <<= ML_DSA_D; } } /************************************************* -* Name: poly_ntt +* Name: ml_dsa_poly_ntt * * Description: Inplace forward NTT. Coefficients can grow by * 8*Q in absolute value. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_ntt(poly *a) { - ntt(a->coeffs); +void ml_dsa_poly_ntt(ml_dsa_poly *a) { + ml_dsa_ntt(a->coeffs); } /************************************************* -* Name: poly_invntt_tomont +* Name: ml_dsa_poly_invntt_tomont * * Description: Inplace inverse NTT and multiplication by 2^{32}. * Input coefficients need to be less than Q in absolute @@ -106,12 +106,12 @@ void poly_ntt(poly *a) { * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ -void poly_invntt_tomont(poly *a) { - invntt_tomont(a->coeffs); +void ml_dsa_poly_invntt_tomont(ml_dsa_poly *a) { + ml_dsa_invntt_tomont(a->coeffs); } /************************************************* -* Name: poly_pointwise_montgomery +* Name: ml_dsa_poly_pointwise_montgomery * * Description: Pointwise multiplication of polynomials in NTT domain * representation and multiplication of resulting polynomial @@ -121,15 +121,17 @@ void poly_invntt_tomont(poly *a) { * - const poly *a: pointer to first input polynomial * - const poly *b: pointer to second input polynomial **************************************************/ -void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { +void ml_dsa_poly_pointwise_montgomery(ml_dsa_poly *c, + const ml_dsa_poly *a, + const ml_dsa_poly *b) { unsigned int i; - for(i = 0; i < N; ++i) { - c->coeffs[i] = fqmul(a->coeffs[i], b->coeffs[i]); + for(i = 0; i < ML_DSA_N; ++i) { + c->coeffs[i] = ml_dsa_fqmul(a->coeffs[i], b->coeffs[i]); } } /************************************************* -* Name: poly_power2round +* Name: ml_dsa_poly_power2round * * Description: For all coefficients c of the input polynomial, * compute c0, c1 such that c mod Q = c1*2^D + c0 @@ -140,15 +142,15 @@ void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { * - poly *a0: pointer to output polynomial with coefficients c0 * - const poly *a: pointer to input polynomial **************************************************/ -void poly_power2round(poly *a1, poly *a0, const poly *a) { +void ml_dsa_poly_power2round(ml_dsa_poly *a1, ml_dsa_poly *a0, const ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { - a1->coeffs[i] = power2round(&a0->coeffs[i], a->coeffs[i]); + for(i = 0; i < ML_DSA_N; ++i) { + a1->coeffs[i] = ml_dsa_power2round(&a0->coeffs[i], a->coeffs[i]); } } /************************************************* -* Name: poly_decompose +* Name: ml_dsa_poly_decompose * * Description: For all coefficients c of the input polynomial, * compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0 @@ -161,15 +163,18 @@ void poly_power2round(poly *a1, poly *a0, const poly *a) { * - poly *a0: pointer to output polynomial with coefficients c0 * - const poly *a: pointer to input polynomial **************************************************/ -void poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a) { +void ml_dsa_poly_decompose(ml_dsa_params *params, + ml_dsa_poly *a1, + ml_dsa_poly *a0, + const ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < N; ++i) { - a1->coeffs[i] = decompose(params, &a0->coeffs[i], a->coeffs[i]); + for(i = 0; i < ML_DSA_N; ++i) { + a1->coeffs[i] = ml_dsa_decompose(params, &a0->coeffs[i], a->coeffs[i]); } } /************************************************* -* Name: poly_make_hint +* Name: ml_dsa_poly_make_hint * * Description: Compute hint polynomial. The coefficients of which indicate * whether the low bits of the corresponding coefficient of @@ -182,17 +187,20 @@ void poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a) { * * Returns number of 1 bits. **************************************************/ -unsigned int poly_make_hint(ml_dsa_params *params, poly *h, const poly *a0, const poly *a1) { +unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, + ml_dsa_poly *h, + const ml_dsa_poly *a0, + const ml_dsa_poly *a1) { unsigned int i, s = 0; - for(i = 0; i < N; ++i) { - h->coeffs[i] = make_hint(params, a0->coeffs[i], a1->coeffs[i]); + for(i = 0; i < ML_DSA_N; ++i) { + h->coeffs[i] = ml_dsa_make_hint(params, a0->coeffs[i], a1->coeffs[i]); s += h->coeffs[i]; } return s; } /************************************************* -* Name: poly_use_hint +* Name: ml_dsa_poly_use_hint * * Description: Use hint polynomial to correct the high bits of a polynomial. * @@ -201,15 +209,18 @@ unsigned int poly_make_hint(ml_dsa_params *params, poly *h, const poly *a0, cons * - const poly *a: pointer to input polynomial * - const poly *h: pointer to input hint polynomial **************************************************/ -void poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h) { +void ml_dsa_poly_use_hint(ml_dsa_params *params, + ml_dsa_poly *b, + const ml_dsa_poly *a, + const ml_dsa_poly *h) { unsigned int i; - for(i = 0; i < N; ++i) { - b->coeffs[i] = use_hint(params, a->coeffs[i], h->coeffs[i]); + for(i = 0; i < ML_DSA_N; ++i) { + b->coeffs[i] = ml_dsa_use_hint(params, a->coeffs[i], h->coeffs[i]); } } /************************************************* -* Name: poly_chknorm +* Name: ml_dsa_poly_chknorm * * Description: Check infinity norm of polynomial against given bound. * Assumes input coefficients were reduced by reduce32(). @@ -219,18 +230,18 @@ void poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h) * * Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. **************************************************/ -int poly_chknorm(const poly *a, int32_t B) { +int ml_dsa_poly_chknorm(const ml_dsa_poly *a, int32_t B) { unsigned int i; int32_t t; - if(B > (Q-1)/8) { + if(B > (ML_DSA_Q-1)/8) { return 1; } /* It is ok to leak which coefficient violates the bound since the probability for each coefficient is independent of secret data but we must not leak the sign of the centralized representative. */ - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { /* Absolute value */ t = a->coeffs[i] >> 31; t = a->coeffs[i] - (t & 2*a->coeffs[i]); @@ -243,7 +254,7 @@ int poly_chknorm(const poly *a, int32_t B) { } /************************************************* -* Name: rej_uniform +* Name: ml_dsa_rej_uniform * * Description: Sample uniformly random coefficients in [0, Q-1] by * performing rejection sampling on array of random bytes. @@ -256,10 +267,10 @@ int poly_chknorm(const poly *a, int32_t B) { * Returns number of sampled coefficients. Can be smaller than len if not enough * random bytes were given. **************************************************/ -static unsigned int rej_uniform(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) +static unsigned int ml_dsa_rej_uniform(int32_t *a, + unsigned int len, + const uint8_t *buf, + unsigned int buflen) { unsigned int ctr, pos; uint32_t t; @@ -271,7 +282,7 @@ static unsigned int rej_uniform(int32_t *a, t |= (uint32_t)buf[pos++] << 16; t &= 0x7FFFFF; - if(t < Q) { + if(t < ML_DSA_Q) { a[ctr++] = t; } } @@ -279,11 +290,11 @@ static unsigned int rej_uniform(int32_t *a, } /************************************************* -* Name: poly_uniform +* Name: ml_dsa_poly_uniform * * Description: FIPS 204: Algorithm 30 RejNTTPoly. * Sample polynomial with uniformly random coefficients -* in [0,Q-1] by performing rejection sampling on the +* in [0,ML_DSA_Q-1] by performing rejection sampling on the * output stream of SHAKE128(seed|nonce) * * Arguments: - poly *a: pointer to output polynomial @@ -291,8 +302,8 @@ static unsigned int rej_uniform(int32_t *a, * - uint16_t nonce: 2-byte nonce **************************************************/ #define POLY_UNIFORM_NBLOCKS ((768 + SHAKE128_RATE - 1)/ SHAKE128_RATE) -void poly_uniform(poly *a, - const uint8_t seed[SEEDBYTES], +void ml_dsa_poly_uniform(ml_dsa_poly *a, + const uint8_t seed[ML_DSA_SEEDBYTES], uint16_t nonce) { unsigned int i, ctr, off; @@ -305,20 +316,20 @@ void poly_uniform(poly *a, t[1] = nonce >> 8; SHAKE_Init(&state, SHAKE128_BLOCKSIZE); - SHA3_Update(&state, seed, SEEDBYTES); + SHA3_Update(&state, seed, ML_DSA_SEEDBYTES); SHA3_Update(&state, t, 2); SHAKE_Final(buf, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE); - ctr = rej_uniform(a->coeffs, N, buf, buflen); + ctr = ml_dsa_rej_uniform(a->coeffs, ML_DSA_N, buf, buflen); - while(ctr < N) { + while(ctr < ML_DSA_N) { off = buflen % 3; for(i = 0; i < off; ++i) buf[i] = buf[buflen - off + i]; SHAKE_Final(buf + off, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE); buflen = SHAKE128_RATE + off; - ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); + ctr += ml_dsa_rej_uniform(a->coeffs + ctr, ML_DSA_N - ctr, buf, buflen); } /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(buf, sizeof(buf)); @@ -380,7 +391,7 @@ static unsigned int rej_eta(ml_dsa_params *params, } /************************************************* -* Name: poly_uniform_eta +* Name: ml_dsa_poly_uniform_eta * * Description: FIPS 204: Algorithm 31 RejBoundedPoly. * Sample polynomial with uniformly random coefficients @@ -392,14 +403,14 @@ static unsigned int rej_eta(ml_dsa_params *params, * - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 2-byte nonce **************************************************/ -void poly_uniform_eta(ml_dsa_params *params, - poly *a, - const uint8_t seed[CRHBYTES], +void ml_dsa_poly_uniform_eta(ml_dsa_params *params, + ml_dsa_poly *a, + const uint8_t seed[ML_DSA_CRHBYTES], uint16_t nonce) { unsigned int ctr; - unsigned int buflen = DILITHIUM_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE; - uint8_t buf[DILITHIUM_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE]; + unsigned int buflen = ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE; + uint8_t buf[ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE]; KECCAK1600_CTX state; uint8_t t[2]; @@ -407,15 +418,15 @@ void poly_uniform_eta(ml_dsa_params *params, t[1] = nonce >> 8; SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, seed, CRHBYTES); + SHA3_Update(&state, seed, ML_DSA_CRHBYTES); SHA3_Update(&state, t, 2); - SHAKE_Final(buf, &state, DILITHIUM_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE); + SHAKE_Final(buf, &state, ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE); - ctr = rej_eta(params, a->coeffs, N, buf, buflen); + ctr = rej_eta(params, a->coeffs, ML_DSA_N, buf, buflen); - while(ctr < N) { + while(ctr < ML_DSA_N) { SHAKE_Final(buf, &state, SHAKE256_BLOCKSIZE); - ctr += rej_eta(params, a->coeffs + ctr, N - ctr, buf, SHAKE256_RATE); + ctr += rej_eta(params, a->coeffs + ctr, ML_DSA_N - ctr, buf, SHAKE256_RATE); } /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(buf, sizeof(buf)); @@ -423,7 +434,7 @@ void poly_uniform_eta(ml_dsa_params *params, } /************************************************* -* Name: poly_uniform_gamma1 +* Name: ml_dsa_poly_uniform_gamma1 * * Description: Sample polynomial with uniformly random coefficients * in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream @@ -434,11 +445,11 @@ void poly_uniform_eta(ml_dsa_params *params, * - const uint8_t seed[]: byte array with seed of length CRHBYTES * - uint16_t nonce: 16-bit nonce **************************************************/ -#define POLY_UNIFORM_GAMMA1_NBLOCKS ((DILITHIUM_POLYZ_PACKEDBYTES_MAX + SHAKE256_RATE - 1) / SHAKE256_RATE) -void poly_uniform_gamma1(ml_dsa_params *params, - poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce) +#define POLY_UNIFORM_GAMMA1_NBLOCKS ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_RATE - 1) / SHAKE256_RATE) +void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, + ml_dsa_poly *a, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce) { uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_RATE]; KECCAK1600_CTX state; @@ -448,18 +459,18 @@ void poly_uniform_gamma1(ml_dsa_params *params, t[1] = nonce >> 8; SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, seed, CRHBYTES); + SHA3_Update(&state, seed, ML_DSA_CRHBYTES); SHA3_Update(&state, t, 2); SHAKE_Final(buf, &state, POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_BLOCKSIZE); - polyz_unpack(params, a, buf); + ml_dsa_polyz_unpack(params, a, buf); /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(buf, sizeof(buf)); OPENSSL_cleanse(&state, sizeof(state)); } /************************************************* -* Name: poly_challenge +* Name: ml_dsa_poly_challenge * * Description: Implementation of H. Samples polynomial with TAU nonzero * coefficients in {-1,1} using the output stream of @@ -469,7 +480,7 @@ void poly_uniform_gamma1(ml_dsa_params *params, * - poly *c: pointer to output polynomial * - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES **************************************************/ -void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { +void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t *seed) { unsigned int i, b, pos; uint64_t signs; uint8_t buf[SHAKE256_RATE]; @@ -485,10 +496,10 @@ void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { } pos = 8; - for(i = 0; i < N; ++i) { + for(i = 0; i < ML_DSA_N; ++i) { c->coeffs[i] = 0; } - for(i = N-params->tau; i < N; ++i) { + for(i = ML_DSA_N-params->tau; i < ML_DSA_N; ++i) { do { if(pos >= SHAKE256_RATE) { SHAKE_Final(buf, &state, SHAKE256_BLOCKSIZE); @@ -509,7 +520,7 @@ void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { } /************************************************* -* Name: polyeta_pack +* Name: ml_dsa_polyeta_pack * * Description: Bit-pack polynomial with coefficients in [-ETA,ETA]. * @@ -518,7 +529,7 @@ void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed) { * POLYETA_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { +void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a) { unsigned int i; uint8_t t[8]; @@ -526,7 +537,7 @@ void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { (params->eta == 4)); if (params->eta == 2) { - for(i = 0; i < N/8; ++i) { + for(i = 0; i < ML_DSA_N/8; ++i) { t[0] = params->eta - a->coeffs[8*i+0]; t[1] = params->eta - a->coeffs[8*i+1]; t[2] = params->eta - a->coeffs[8*i+2]; @@ -542,7 +553,7 @@ void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { } } else if (params->eta == 4) { - for(i = 0; i < N/2; ++i) { + for(i = 0; i < ML_DSA_N/2; ++i) { t[0] = params->eta - a->coeffs[2*i+0]; t[1] = params->eta - a->coeffs[2*i+1]; r[i] = t[0] | (t[1] << 4); @@ -551,7 +562,7 @@ void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { } /************************************************* -* Name: polyeta_unpack +* Name: ml_dsa_polyeta_unpack * * Description: Unpack polynomial with coefficients in [-ETA,ETA]. * @@ -559,13 +570,13 @@ void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { * - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { +void ml_dsa_polyeta_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a) { unsigned int i; assert((params->eta == 2) || (params->eta == 4)); if (params->eta == 2) { - for(i = 0; i < N/8; ++i) { + for(i = 0; i < ML_DSA_N/8; ++i) { r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7; r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7; r->coeffs[8*i+2] = ((a[3*i+0] >> 6) | (a[3*i+1] << 2)) & 7; @@ -586,7 +597,7 @@ void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { } } else if (params->eta == 4) { - for(i = 0; i < N/2; ++i) { + for(i = 0; i < ML_DSA_N/2; ++i) { r->coeffs[2*i+0] = a[i] & 0x0F; r->coeffs[2*i+1] = a[i] >> 4; r->coeffs[2*i+0] = params->eta - r->coeffs[2*i+0]; @@ -596,7 +607,7 @@ void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { } /************************************************* -* Name: polyt1_pack +* Name: ml_dsa_polyt1_pack * * Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits. * Input coefficients are assumed to be standard representatives. @@ -605,10 +616,10 @@ void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { * POLYT1_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyt1_pack(uint8_t *r, const poly *a) { +void ml_dsa_polyt1_pack(uint8_t *r, const ml_dsa_poly *a) { unsigned int i; - for(i = 0; i < N/4; ++i) { + for(i = 0; i < ML_DSA_N/4; ++i) { r[5*i+0] = (a->coeffs[4*i+0] >> 0); r[5*i+1] = (a->coeffs[4*i+0] >> 8) | (a->coeffs[4*i+1] << 2); r[5*i+2] = (a->coeffs[4*i+1] >> 6) | (a->coeffs[4*i+2] << 4); @@ -618,7 +629,7 @@ void polyt1_pack(uint8_t *r, const poly *a) { } /************************************************* -* Name: polyt1_unpack +* Name: ml_dsa_polyt1_unpack * * Description: Unpack polynomial t1 with 10-bit coefficients. * Output coefficients are standard representatives. @@ -626,10 +637,10 @@ void polyt1_pack(uint8_t *r, const poly *a) { * Arguments: - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void polyt1_unpack(poly *r, const uint8_t *a) { +void ml_dsa_polyt1_unpack(ml_dsa_poly *r, const uint8_t *a) { unsigned int i; - for(i = 0; i < N/4; ++i) { + for(i = 0; i < ML_DSA_N/4; ++i) { r->coeffs[4*i+0] = ((a[5*i+0] >> 0) | ((uint32_t)a[5*i+1] << 8)) & 0x3FF; r->coeffs[4*i+1] = ((a[5*i+1] >> 2) | ((uint32_t)a[5*i+2] << 6)) & 0x3FF; r->coeffs[4*i+2] = ((a[5*i+2] >> 4) | ((uint32_t)a[5*i+3] << 4)) & 0x3FF; @@ -638,7 +649,7 @@ void polyt1_unpack(poly *r, const uint8_t *a) { } /************************************************* -* Name: polyt0_pack +* Name: ml_dsa_polyt0_pack * * Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. * @@ -646,19 +657,19 @@ void polyt1_unpack(poly *r, const uint8_t *a) { * POLYT0_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyt0_pack(uint8_t *r, const poly *a) { +void ml_dsa_polyt0_pack(uint8_t *r, const ml_dsa_poly *a) { unsigned int i; uint32_t t[8]; - for(i = 0; i < N/8; ++i) { - t[0] = (1 << (D-1)) - a->coeffs[8*i+0]; - t[1] = (1 << (D-1)) - a->coeffs[8*i+1]; - t[2] = (1 << (D-1)) - a->coeffs[8*i+2]; - t[3] = (1 << (D-1)) - a->coeffs[8*i+3]; - t[4] = (1 << (D-1)) - a->coeffs[8*i+4]; - t[5] = (1 << (D-1)) - a->coeffs[8*i+5]; - t[6] = (1 << (D-1)) - a->coeffs[8*i+6]; - t[7] = (1 << (D-1)) - a->coeffs[8*i+7]; + for(i = 0; i < ML_DSA_N/8; ++i) { + t[0] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+0]; + t[1] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+1]; + t[2] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+2]; + t[3] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+3]; + t[4] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+4]; + t[5] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+5]; + t[6] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+6]; + t[7] = (1 << (ML_DSA_D-1)) - a->coeffs[8*i+7]; r[13*i+ 0] = t[0]; r[13*i+ 1] = t[0] >> 8; @@ -684,17 +695,17 @@ void polyt0_pack(uint8_t *r, const poly *a) { } /************************************************* -* Name: polyt0_unpack +* Name: ml_dsa_polyt0_unpack * * Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. * * Arguments: - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void polyt0_unpack(poly *r, const uint8_t *a) { +void ml_dsa_polyt0_unpack(ml_dsa_poly *r, const uint8_t *a) { unsigned int i; - for(i = 0; i < N/8; ++i) { + for(i = 0; i < ML_DSA_N/8; ++i) { r->coeffs[8*i+0] = a[13*i+0]; r->coeffs[8*i+0] |= (uint32_t)a[13*i+1] << 8; r->coeffs[8*i+0] &= 0x1FFF; @@ -731,19 +742,19 @@ void polyt0_unpack(poly *r, const uint8_t *a) { r->coeffs[8*i+7] |= (uint32_t)a[13*i+12] << 5; r->coeffs[8*i+7] &= 0x1FFF; - r->coeffs[8*i+0] = (1 << (D-1)) - r->coeffs[8*i+0]; - r->coeffs[8*i+1] = (1 << (D-1)) - r->coeffs[8*i+1]; - r->coeffs[8*i+2] = (1 << (D-1)) - r->coeffs[8*i+2]; - r->coeffs[8*i+3] = (1 << (D-1)) - r->coeffs[8*i+3]; - r->coeffs[8*i+4] = (1 << (D-1)) - r->coeffs[8*i+4]; - r->coeffs[8*i+5] = (1 << (D-1)) - r->coeffs[8*i+5]; - r->coeffs[8*i+6] = (1 << (D-1)) - r->coeffs[8*i+6]; - r->coeffs[8*i+7] = (1 << (D-1)) - r->coeffs[8*i+7]; + r->coeffs[8*i+0] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+0]; + r->coeffs[8*i+1] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+1]; + r->coeffs[8*i+2] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+2]; + r->coeffs[8*i+3] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+3]; + r->coeffs[8*i+4] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+4]; + r->coeffs[8*i+5] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+5]; + r->coeffs[8*i+6] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+6]; + r->coeffs[8*i+7] = (1 << (ML_DSA_D-1)) - r->coeffs[8*i+7]; } } /************************************************* -* Name: polyz_pack +* Name: ml_dsa_polyz_pack * * Description: Bit-pack polynomial with coefficients * in [-(GAMMA1 - 1), GAMMA1]. @@ -753,7 +764,7 @@ void polyt0_unpack(poly *r, const uint8_t *a) { * POLYZ_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { +void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a) { unsigned int i; uint32_t t[4]; @@ -761,7 +772,7 @@ void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { (params->gamma1 == (1 << 19))); if (params->gamma1 == (1 << 17)) { - for(i = 0; i < N/4; ++i) { + for(i = 0; i < ML_DSA_N/4; ++i) { t[0] = params->gamma1 - a->coeffs[4*i+0]; t[1] = params->gamma1 - a->coeffs[4*i+1]; t[2] = params->gamma1 - a->coeffs[4*i+2]; @@ -782,7 +793,7 @@ void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { } } else if (params->gamma1 == (1 << 19)) { - for(i = 0; i < N/2; ++i) { + for(i = 0; i < ML_DSA_N/2; ++i) { t[0] = params->gamma1 - a->coeffs[2*i+0]; t[1] = params->gamma1 - a->coeffs[2*i+1]; @@ -797,7 +808,7 @@ void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { } /************************************************* -* Name: polyz_unpack +* Name: ml_dsa_polyz_unpack * * Description: Unpack polynomial z with coefficients * in [-(GAMMA1 - 1), GAMMA1]. @@ -806,14 +817,14 @@ void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { * - poly *r: pointer to output polynomial * - const uint8_t *a: byte array with bit-packed polynomial **************************************************/ -void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { +void ml_dsa_polyz_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a) { unsigned int i; assert((params->gamma1 == (1 << 17)) || (params->gamma1 == (1 << 19))); if (params->gamma1 == (1 << 17)) { - for(i = 0; i < N/4; ++i) { + for(i = 0; i < ML_DSA_N/4; ++i) { r->coeffs[4*i+0] = a[9*i+0]; r->coeffs[4*i+0] |= (uint32_t)a[9*i+1] << 8; r->coeffs[4*i+0] |= (uint32_t)a[9*i+2] << 16; @@ -841,7 +852,7 @@ void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { } } else if (params->gamma1 == (1 << 19)) { - for(i = 0; i < N/2; ++i) { + for(i = 0; i < ML_DSA_N/2; ++i) { r->coeffs[2*i+0] = a[5*i+0]; r->coeffs[2*i+0] |= (uint32_t)a[5*i+1] << 8; r->coeffs[2*i+0] |= (uint32_t)a[5*i+2] << 16; @@ -859,7 +870,7 @@ void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { } /************************************************* -* Name: polyw1_pack +* Name: ml_dsa_polyw1_pack * * Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43]. * Input coefficients are assumed to be standard representatives. @@ -869,11 +880,11 @@ void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a) { * POLYW1_PACKEDBYTES bytes * - const poly *a: pointer to input polynomial **************************************************/ -void polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { +void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a) { unsigned int i; - if (params->gamma2 == (Q-1)/88) { - for(i = 0; i < N/4; ++i) { + if (params->gamma2 == (ML_DSA_Q-1)/88) { + for(i = 0; i < ML_DSA_N/4; ++i) { r[3*i+0] = a->coeffs[4*i+0]; r[3*i+0] |= a->coeffs[4*i+1] << 6; r[3*i+1] = a->coeffs[4*i+1] >> 2; @@ -882,8 +893,8 @@ void polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a) { r[3*i+2] |= a->coeffs[4*i+3] << 2; } } - else if (params->gamma2 == (Q-1)/32) { - for(i = 0; i < N/2; ++i) + else if (params->gamma2 == (ML_DSA_Q-1)/32) { + for(i = 0; i < ML_DSA_N/2; ++i) r[i] = a->coeffs[2*i+0] | (a->coeffs[2*i+1] << 4); } } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h index 3fc65a1be5..fe8eee071c 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.h @@ -1,74 +1,82 @@ -#ifndef POLY_H -#define POLY_H +#ifndef ML_DSA_POLY_H +#define ML_DSA_POLY_H #include #include "params.h" typedef struct { - int32_t coeffs[N]; -} poly; + int32_t coeffs[ML_DSA_N]; +} ml_dsa_poly; -void poly_reduce(poly *a); +void ml_dsa_poly_reduce(ml_dsa_poly *a); -void poly_caddq(poly *a); +void ml_dsa_poly_caddq(ml_dsa_poly *a); -void poly_add(poly *c, const poly *a, const poly *b); +void ml_dsa_poly_add(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b); -void poly_sub(poly *c, const poly *a, const poly *b); +void ml_dsa_poly_sub(ml_dsa_poly *c, const ml_dsa_poly *a, const ml_dsa_poly *b); -void poly_shiftl(poly *a); +void ml_dsa_poly_shiftl(ml_dsa_poly *a); -void poly_ntt(poly *a); +void ml_dsa_poly_ntt(ml_dsa_poly *a); -void poly_invntt_tomont(poly *a); +void ml_dsa_poly_invntt_tomont(ml_dsa_poly *a); -void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b); +void ml_dsa_poly_pointwise_montgomery(ml_dsa_poly *c, + const ml_dsa_poly *a, + const ml_dsa_poly *b); -void poly_power2round(poly *a1, poly *a0, const poly *a); +void ml_dsa_poly_power2round(ml_dsa_poly *a1, ml_dsa_poly *a0, const ml_dsa_poly *a); -void poly_decompose(ml_dsa_params *params, poly *a1, poly *a0, const poly *a); +void ml_dsa_poly_decompose(ml_dsa_params *params, + ml_dsa_poly *a1, + ml_dsa_poly *a0, + const ml_dsa_poly *a); -unsigned int poly_make_hint(ml_dsa_params *params, - poly *h, - const poly *a0, - const poly *a1); +unsigned int ml_dsa_poly_make_hint(ml_dsa_params *params, + ml_dsa_poly *h, + const ml_dsa_poly *a0, + const ml_dsa_poly *a1); -void poly_use_hint(ml_dsa_params *params, poly *b, const poly *a, const poly *h); +void ml_dsa_poly_use_hint(ml_dsa_params *params, + ml_dsa_poly *b, + const ml_dsa_poly *a, + const ml_dsa_poly *h); -int poly_chknorm(const poly *a, int32_t B); +int ml_dsa_poly_chknorm(const ml_dsa_poly *a, int32_t B); -void poly_uniform(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce); +void ml_dsa_poly_uniform(ml_dsa_poly *a, + const uint8_t seed[ML_DSA_SEEDBYTES], + uint16_t nonce); -void poly_uniform_eta(ml_dsa_params *params, - poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_poly_uniform_eta(ml_dsa_params *params, + ml_dsa_poly *a, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void poly_uniform_gamma1(ml_dsa_params *params, - poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params, + ml_dsa_poly *a, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void poly_challenge(ml_dsa_params *params, poly *c, const uint8_t *seed); +void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t *seed); -void polyeta_pack(ml_dsa_params *params, uint8_t *r, const poly *a); +void ml_dsa_polyeta_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a); -void polyeta_unpack(ml_dsa_params *params, poly *r, const uint8_t *a); +void ml_dsa_polyeta_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a); -void polyt1_pack(uint8_t *r, const poly *a); +void ml_dsa_polyt1_pack(uint8_t *r, const ml_dsa_poly *a); -void polyt1_unpack(poly *r, const uint8_t *a); +void ml_dsa_polyt1_unpack(ml_dsa_poly *r, const uint8_t *a); -void polyt0_pack(uint8_t *r, const poly *a); +void ml_dsa_polyt0_pack(uint8_t *r, const ml_dsa_poly *a); -void polyt0_unpack(poly *r, const uint8_t *a); +void ml_dsa_polyt0_unpack(ml_dsa_poly *r, const uint8_t *a); -void polyz_pack(ml_dsa_params *params, uint8_t *r, const poly *a); +void ml_dsa_polyz_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a); -void polyz_unpack(ml_dsa_params *params, poly *r, const uint8_t *a); +void ml_dsa_polyz_unpack(ml_dsa_params *params, ml_dsa_poly *r, const uint8_t *a); -void polyw1_pack(ml_dsa_params *params, uint8_t *r, const poly *a); +void ml_dsa_polyw1_pack(ml_dsa_params *params, uint8_t *r, const ml_dsa_poly *a); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c index ddf6072813..2041e754d3 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.c @@ -4,7 +4,7 @@ #include "poly.h" /************************************************* -* Name: polyvec_matrix_expand +* Name: ml_dsa_polyvec_matrix_expand * * Description: FIPS 204: Algorithm 32 ExpandA. * Generates matrix A with uniformly @@ -15,19 +15,19 @@ * - polyvecl mat: pointer to output matrix * - const uint8_t rho[]: byte array containing seed rho **************************************************/ -void polyvec_matrix_expand(ml_dsa_params *params, - polyvecl *mat, - const uint8_t rho[SEEDBYTES]) { +void ml_dsa_polyvec_matrix_expand(ml_dsa_params *params, + polyvecl *mat, + const uint8_t rho[ML_DSA_SEEDBYTES]) { unsigned int i, j; for(i = 0; i < params->k; ++i) { for(j = 0; j < params->l; ++j) { - poly_uniform(&mat[i].vec[j], rho, (i << 8) + j); + ml_dsa_poly_uniform(&mat[i].vec[j], rho, (i << 8) + j); } } } /************************************************* -* Name: polyvec_matrix_pointwise_montgomery +* Name: ml_dsa_polyvec_matrix_pointwise_montgomery * * Description: Pointwise multiply vectors of polynomials of length K, * wrapper for polyvecl_pointwise_acc_montgomery. @@ -37,13 +37,13 @@ void polyvec_matrix_expand(ml_dsa_params *params, * - polyvecl mat: pointer to first input vector * - polyvecl v: pointer to second input vector **************************************************/ -void polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, - polyveck *t, - const polyvecl *mat, - const polyvecl *v) { +void ml_dsa_polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, + polyveck *t, + const polyvecl *mat, + const polyvecl *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - polyvecl_pointwise_acc_montgomery(params, &t->vec[i], &mat[i], v); + ml_dsa_polyvecl_pointwise_acc_montgomery(params, &t->vec[i], &mat[i], v); } } @@ -52,7 +52,7 @@ void polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, /**************************************************************/ /************************************************* -* Name: polyvecl_uniform_eta +* Name: ml_dsa_polyvecl_uniform_eta * * Description: FIPS 204: Algorithm 33 ExpandS (for vectors l). * Samples vector v with polynomial coordinates whose @@ -63,17 +63,17 @@ void polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, * - const uint8_t seed: byte array containing seed * - uint16_t nonce: 2-byte nonce **************************************************/ -void polyvecl_uniform_eta(ml_dsa_params *params, - polyvecl *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce) { +void ml_dsa_polyvecl_uniform_eta(ml_dsa_params *params, + polyvecl *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce) { unsigned int i; for(i = 0; i < params->l; ++i) - poly_uniform_eta(params, &v->vec[i], seed, nonce++); + ml_dsa_poly_uniform_eta(params, &v->vec[i], seed, nonce++); } /************************************************* -* Name: polyvecl_uniform_gamma1 +* Name: ml_dsa_polyvecl_uniform_gamma1 * * Description: FIPS 204: Algorithm 34 ExpandMask. * Samples vector v with polynomial coordinates whose @@ -84,18 +84,18 @@ void polyvecl_uniform_eta(ml_dsa_params *params, * - const uint8_t seed: byte array containing seed * - uint16_t nonce: 2-byte nonce **************************************************/ -void polyvecl_uniform_gamma1(ml_dsa_params *params, - polyvecl *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce) { +void ml_dsa_polyvecl_uniform_gamma1(ml_dsa_params *params, + polyvecl *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_uniform_gamma1(params, &v->vec[i], seed, params->l*nonce + i); + ml_dsa_poly_uniform_gamma1(params, &v->vec[i], seed, params->l*nonce + i); } } /************************************************* -* Name: polyvecl_reduce +* Name: ml_dsa_polyvecl_reduce * * Description: Reduce coefficients of polynomials in vector of length L * to representatives in [-6283009,6283007]. @@ -103,15 +103,15 @@ void polyvecl_uniform_gamma1(ml_dsa_params *params, * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyvecl_reduce(ml_dsa_params *params, polyvecl *v) { +void ml_dsa_polyvecl_reduce(ml_dsa_params *params, polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_reduce(&v->vec[i]); + ml_dsa_poly_reduce(&v->vec[i]); } } /************************************************* -* Name: polyvecl_add +* Name: ml_dsa_polyvecl_add * * Description: Add vectors of polynomials of length L. * No modular reduction is performed. @@ -121,18 +121,18 @@ void polyvecl_reduce(ml_dsa_params *params, polyvecl *v) { * - const polyvecl *u: pointer to first summand * - const polyvecl *v: pointer to second summand **************************************************/ -void polyvecl_add(ml_dsa_params *params, - polyvecl *w, - const polyvecl *u, - const polyvecl *v) { +void ml_dsa_polyvecl_add(ml_dsa_params *params, + polyvecl *w, + const polyvecl *u, + const polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); + ml_dsa_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); } } /************************************************* -* Name: polyvecl_ntt +* Name: ml_dsa_polyvecl_ntt * * Description: Forward NTT of all polynomials in vector of length L. Output * coefficients can be up to 16*Q larger than input coefficients. @@ -140,15 +140,15 @@ void polyvecl_add(ml_dsa_params *params, * Arguments: - ml_dsa_params: parameter struct * - polyvecl *v: pointer to input/output vector **************************************************/ -void polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { +void ml_dsa_polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_ntt(&v->vec[i]); + ml_dsa_poly_ntt(&v->vec[i]); } } /************************************************* -* Name: polyvecl_invntt_tomont +* Name: ml_dsa_polyvecl_invntt_tomont * * Description: Inverse NTT and multiplication by 2^{32} of polynomials * in vector of length l. Input coefficients need to be less @@ -157,15 +157,15 @@ void polyvecl_ntt(ml_dsa_params *params, polyvecl *v) { * Arguments: - ml_dsa_params: parameter struct * - polyvecl *v: pointer to input/output vector **************************************************/ -void polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { +void ml_dsa_polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_invntt_tomont(&v->vec[i]); + ml_dsa_poly_invntt_tomont(&v->vec[i]); } } /************************************************* -* Name: polyvecl_pointwise_poly_montgomery +* Name: ml_dsa_polyvecl_pointwise_poly_montgomery * * Description: Pointwise multiplication of polynomials in NTT domain * representation and multiplication of resulting polynomial @@ -176,18 +176,18 @@ void polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v) { * - const poly *a: pointer to input polynomial * - const polyvecl *v: pointer to input vector **************************************************/ -void polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, - polyvecl *r, - const poly *a, - const polyvecl *v) { +void ml_dsa_polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, + polyvecl *r, + const ml_dsa_poly *a, + const polyvecl *v) { unsigned int i; for(i = 0; i < params->l; ++i) { - poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); + ml_dsa_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); } } /************************************************* -* Name: polyvecl_pointwise_acc_montgomery +* Name: ml_dsa_polyvecl_pointwise_acc_montgomery * * Description: Pointwise multiply vectors of polynomials of length L, multiply * resulting vector by 2^{-32} and add (accumulate) polynomials @@ -198,22 +198,22 @@ void polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, * - const polyvecl *u: pointer to first input vector * - const polyvecl *v: pointer to second input vector **************************************************/ -void polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, - poly *w, - const polyvecl *u, - const polyvecl *v) +void ml_dsa_polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, + ml_dsa_poly *w, + const polyvecl *u, + const polyvecl *v) { unsigned int i; - poly t; - poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); + ml_dsa_poly t; + ml_dsa_poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); for(i = 1; i < params->l; ++i) { - poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); - poly_add(w, w, &t); + ml_dsa_poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); + ml_dsa_poly_add(w, w, &t); } } /************************************************* -* Name: polyvecl_chknorm +* Name: ml_dsa_polyvecl_chknorm * * Description: Check infinity norm of polynomials in vector of length L. * Assumes input polyvecl to be reduced by polyvecl_reduce(). @@ -225,10 +225,10 @@ void polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, * Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8 * and 1 otherwise. **************************************************/ -int polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bound) { +int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bound) { unsigned int i; for(i = 0; i < params->l; ++i) { - if(poly_chknorm(&v->vec[i], bound)) { + if(ml_dsa_poly_chknorm(&v->vec[i], bound)) { return 1; } } @@ -240,7 +240,7 @@ int polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bound) { /**************************************************************/ /************************************************* -* Name: polyvecl_uniform_eta +* Name: ml_dsa_polyvecl_uniform_eta * * Description: FIPS 204: Algorithm 33 ExpandS (for vectors k). * Samples vector v with polynomial coordinates whose @@ -251,18 +251,18 @@ int polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t bound) { * - const uint8_t seed: byte array containing seed * - uint16_t nonce: 2-byte nonce **************************************************/ -void polyveck_uniform_eta(ml_dsa_params *params, - polyveck *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce) { +void ml_dsa_polyveck_uniform_eta(ml_dsa_params *params, + polyveck *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_uniform_eta(params, &v->vec[i], seed, nonce++); + ml_dsa_poly_uniform_eta(params, &v->vec[i], seed, nonce++); } } /************************************************* -* Name: polyveck_reduce +* Name: ml_dsa_polyveck_reduce * * Description: Reduce coefficients of polynomials in vector of length K * to representatives in [-6283009,6283007]. @@ -270,15 +270,15 @@ void polyveck_uniform_eta(ml_dsa_params *params, * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_reduce(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_reduce(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_reduce(&v->vec[i]); + ml_dsa_poly_reduce(&v->vec[i]); } } /************************************************* -* Name: polyveck_caddq +* Name: ml_dsa_polyveck_caddq * * Description: For all coefficients of polynomials in vector of length K * add Q if coefficient is negative. @@ -286,15 +286,15 @@ void polyveck_reduce(ml_dsa_params *params, polyveck *v) { * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_caddq(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_caddq(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_caddq(&v->vec[i]); + ml_dsa_poly_caddq(&v->vec[i]); } } /************************************************* -* Name: polyveck_add +* Name: ml_dsa_polyveck_add * * Description: Add vectors of polynomials of length K. * No modular reduction is performed. @@ -304,18 +304,18 @@ void polyveck_caddq(ml_dsa_params *params, polyveck *v) { * - const polyveck *u: pointer to first summand * - const polyveck *v: pointer to second summand **************************************************/ -void polyveck_add(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *v) { +void ml_dsa_polyveck_add(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); + ml_dsa_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); } } /************************************************* -* Name: polyveck_sub +* Name: ml_dsa_polyveck_sub * * Description: Subtract vectors of polynomials of length K. * No modular reduction is performed. @@ -326,18 +326,18 @@ void polyveck_add(ml_dsa_params *params, * - const polyveck *v: pointer to second input vector to be * subtracted from first input vector **************************************************/ -void polyveck_sub(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *v) { +void ml_dsa_polyveck_sub(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); + ml_dsa_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); } } /************************************************* -* Name: polyveck_shiftl +* Name: ml_dsa_polyveck_shiftl * * Description: Multiply vector of polynomials of Length K by 2^D without modular * reduction. Assumes input coefficients to be less than 2^{31-D}. @@ -345,15 +345,15 @@ void polyveck_sub(ml_dsa_params *params, * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_shiftl(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_shiftl(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_shiftl(&v->vec[i]); + ml_dsa_poly_shiftl(&v->vec[i]); } } /************************************************* -* Name: polyveck_ntt +* Name: ml_dsa_polyveck_ntt * * Description: Forward NTT of all polynomials in vector of length K. Output * coefficients can be up to 16*Q larger than input coefficients. @@ -361,15 +361,15 @@ void polyveck_shiftl(ml_dsa_params *params, polyveck *v) { * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_ntt(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_ntt(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_ntt(&v->vec[i]); + ml_dsa_poly_ntt(&v->vec[i]); } } /************************************************* -* Name: polyveck_invntt_tomont +* Name: ml_dsa_polyveck_invntt_tomont * * Description: Inverse NTT and multiplication by 2^{32} of polynomials * in vector of length K. Input coefficients need to be less @@ -378,15 +378,15 @@ void polyveck_ntt(ml_dsa_params *params, polyveck *v) { * Arguments: - ml_dsa_params: parameter struct * - polyveck *v: pointer to input/output vector **************************************************/ -void polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { +void ml_dsa_polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_invntt_tomont(&v->vec[i]); + ml_dsa_poly_invntt_tomont(&v->vec[i]); } } /************************************************* -* Name: polyveck_pointwise_poly_montgomery +* Name: ml_dsa_polyveck_pointwise_poly_montgomery * * Description: Pointwise multiplication of polynomials in NTT domain * representation and multiplication of resulting polynomial @@ -397,18 +397,18 @@ void polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v) { * - const poly *a: pointer to input polynomial * - const polyveck *v: pointer to input vector **************************************************/ -void polyveck_pointwise_poly_montgomery(ml_dsa_params *params, - polyveck *r, - const poly *a, - const polyveck *v) { +void ml_dsa_polyveck_pointwise_poly_montgomery(ml_dsa_params *params, + polyveck *r, + const ml_dsa_poly *a, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); + ml_dsa_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); } } /************************************************* -* Name: polyveck_chknorm +* Name: ml_dsa_polyveck_chknorm * * Description: Check infinity norm of polynomials in vector of length K. * Assumes input polyveck to be reduced by polyveck_reduce(). @@ -420,10 +420,10 @@ void polyveck_pointwise_poly_montgomery(ml_dsa_params *params, * Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8 * and 1 otherwise. **************************************************/ -int polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bound) { +int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bound) { unsigned int i; for(i = 0; i < params->k; ++i) { - if(poly_chknorm(&v->vec[i], bound)) { + if(ml_dsa_poly_chknorm(&v->vec[i], bound)) { return 1; } } @@ -431,7 +431,7 @@ int polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bound) { } /************************************************* -* Name: polyveck_power2round +* Name: ml_dsa_polyveck_power2round * * Description: For all coefficients a of polynomials in vector of length K, * compute a0, a1 such that a mod^+ Q = a1*2^D + a0 @@ -445,18 +445,18 @@ int polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t bound) { * coefficients a0 * - const polyveck *v: pointer to input vector **************************************************/ -void polyveck_power2round(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v) { +void ml_dsa_polyveck_power2round(ml_dsa_params *params, + polyveck *v1, + polyveck *v0, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); + ml_dsa_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); } } /************************************************* -* Name: polyveck_decompose +* Name: ml_dsa_polyveck_decompose * * Description: For all coefficients a of polynomials in vector of length K, * compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0 @@ -471,18 +471,18 @@ void polyveck_power2round(ml_dsa_params *params, * coefficients a0 * - const polyveck *v: pointer to input vector **************************************************/ -void polyveck_decompose(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v) { +void ml_dsa_polyveck_decompose(ml_dsa_params *params, + polyveck *v1, + polyveck *v0, + const polyveck *v) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_decompose(params, &v1->vec[i], &v0->vec[i], &v->vec[i]); + ml_dsa_poly_decompose(params, &v1->vec[i], &v0->vec[i], &v->vec[i]); } } /************************************************* -* Name: polyveck_make_hint +* Name: ml_dsa_polyveck_make_hint * * Description: Compute hint vector. * @@ -493,20 +493,20 @@ void polyveck_decompose(ml_dsa_params *params, * * Returns number of 1 bits. **************************************************/ -unsigned int polyveck_make_hint(ml_dsa_params *params, - polyveck *h, - const polyveck *v0, - const polyveck *v1) +unsigned int ml_dsa_polyveck_make_hint(ml_dsa_params *params, + polyveck *h, + const polyveck *v0, + const polyveck *v1) { unsigned int i, s = 0; for(i = 0; i < params->k; ++i) { - s += poly_make_hint(params, &h->vec[i], &v0->vec[i], &v1->vec[i]); + s += ml_dsa_poly_make_hint(params, &h->vec[i], &v0->vec[i], &v1->vec[i]); } return s; } /************************************************* -* Name: polyveck_use_hint +* Name: ml_dsa_polyveck_use_hint * * Description: Use hint vector to correct the high bits of input vector. * @@ -516,18 +516,18 @@ unsigned int polyveck_make_hint(ml_dsa_params *params, * - const polyveck *u: pointer to input vector * - const polyveck *h: pointer to input hint vector **************************************************/ -void polyveck_use_hint(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *h) { +void ml_dsa_polyveck_use_hint(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *h) { unsigned int i; for(i = 0; i < params->k; ++i) { - poly_use_hint(params, &w->vec[i], &u->vec[i], &h->vec[i]); + ml_dsa_poly_use_hint(params, &w->vec[i], &u->vec[i], &h->vec[i]); } } /************************************************* -* Name: polyveck_pack_w1 +* Name: ml_dsa_polyveck_pack_w1 * * Description: FIPS 204: Algorithm 28 w1Encode. * Encodes a polynomial vector |w1| into a byte string. @@ -537,11 +537,11 @@ void polyveck_use_hint(ml_dsa_params *params, * POLYW1_PACKEDBYTES bytes * - const polyvecl *w1: pointer to vector w1 **************************************************/ -void polyveck_pack_w1(ml_dsa_params *params, - uint8_t *r, - const polyveck *w1) { +void ml_dsa_polyveck_pack_w1(ml_dsa_params *params, + uint8_t *r, + const polyveck *w1) { unsigned int i; for(i = 0; i < params->k; ++i) { - polyw1_pack(params, &r[i*params->poly_w1_packed_bytes], &w1->vec[i]); + ml_dsa_polyw1_pack(params, &r[i*params->poly_w1_packed_bytes], &w1->vec[i]); } } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h index f6d467fa12..dccf6b976e 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/polyvec.h @@ -1,5 +1,5 @@ -#ifndef POLYVEC_H -#define POLYVEC_H +#ifndef ML_DSA_POLYVEC_H +#define ML_DSA_POLYVEC_H #include #include "params.h" @@ -7,109 +7,109 @@ /* Vectors of polynomials of length L */ typedef struct { - poly vec[DILITHIUM_L_MAX]; + ml_dsa_poly vec[ML_DSA_L_MAX]; } polyvecl; -void polyvecl_uniform_eta(ml_dsa_params *params, - polyvecl *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_polyvecl_uniform_eta(ml_dsa_params *params, + polyvecl *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void polyvecl_uniform_gamma1(ml_dsa_params *params, - polyvecl *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_polyvecl_uniform_gamma1(ml_dsa_params *params, + polyvecl *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void polyvecl_reduce(ml_dsa_params *params, polyvecl *v); +void ml_dsa_polyvecl_reduce(ml_dsa_params *params, polyvecl *v); -void polyvecl_add(ml_dsa_params *params, - polyvecl *w, - const polyvecl *u, - const polyvecl *v); +void ml_dsa_polyvecl_add(ml_dsa_params *params, + polyvecl *w, + const polyvecl *u, + const polyvecl *v); -void polyvecl_ntt(ml_dsa_params *params, polyvecl *v); +void ml_dsa_polyvecl_ntt(ml_dsa_params *params, polyvecl *v); -void polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v); +void ml_dsa_polyvecl_invntt_tomont(ml_dsa_params *params, polyvecl *v); -void polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, - polyvecl *r, - const poly *a, - const polyvecl *v); +void ml_dsa_polyvecl_pointwise_poly_montgomery(ml_dsa_params *params, + polyvecl *r, + const ml_dsa_poly *a, + const polyvecl *v); -void polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, - poly *w, - const polyvecl *u, - const polyvecl *v); +void ml_dsa_polyvecl_pointwise_acc_montgomery(ml_dsa_params *params, + ml_dsa_poly *w, + const polyvecl *u, + const polyvecl *v); -int polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t B); +int ml_dsa_polyvecl_chknorm(ml_dsa_params *params, const polyvecl *v, int32_t B); typedef struct { - poly vec[DILITHIUM_K_MAX]; + ml_dsa_poly vec[ML_DSA_K_MAX]; } polyveck; -void polyveck_uniform_eta(ml_dsa_params *params, - polyveck *v, - const uint8_t seed[CRHBYTES], - uint16_t nonce); +void ml_dsa_polyveck_uniform_eta(ml_dsa_params *params, + polyveck *v, + const uint8_t seed[ML_DSA_CRHBYTES], + uint16_t nonce); -void polyveck_reduce(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_reduce(ml_dsa_params *params, polyveck *v); -void polyveck_caddq(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_caddq(ml_dsa_params *params, polyveck *v); -void polyveck_add(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *v); +void ml_dsa_polyveck_add(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *v); -void polyveck_sub(ml_dsa_params *params, - polyveck *w, - const polyveck *u, - const polyveck *v); +void ml_dsa_polyveck_sub(ml_dsa_params *params, + polyveck *w, + const polyveck *u, + const polyveck *v); -void polyveck_shiftl(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_shiftl(ml_dsa_params *params, polyveck *v); -void polyveck_ntt(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_ntt(ml_dsa_params *params, polyveck *v); -void polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v); +void ml_dsa_polyveck_invntt_tomont(ml_dsa_params *params, polyveck *v); -void polyveck_pointwise_poly_montgomery(ml_dsa_params *params, - polyveck *r, - const poly *a, - const polyveck *v); +void ml_dsa_polyveck_pointwise_poly_montgomery(ml_dsa_params *params, + polyveck *r, + const ml_dsa_poly *a, + const polyveck *v); -int polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t B); +int ml_dsa_polyveck_chknorm(ml_dsa_params *params, const polyveck *v, int32_t B); -void polyveck_power2round(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v); +void ml_dsa_polyveck_power2round(ml_dsa_params *params, + polyveck *v1, + polyveck *v0, + const polyveck *v); -void polyveck_decompose(ml_dsa_params *params, - polyveck *v1, - polyveck *v0, - const polyveck *v); +void ml_dsa_polyveck_decompose(ml_dsa_params *params, + polyveck *v1, + polyveck *v0, + const polyveck *v); -unsigned int polyveck_make_hint(ml_dsa_params *params, - polyveck *h, - const polyveck *v0, - const polyveck *v1); +unsigned int ml_dsa_polyveck_make_hint(ml_dsa_params *params, + polyveck *h, + const polyveck *v0, + const polyveck *v1); -void polyveck_use_hint(ml_dsa_params *params, - polyveck *w, - const polyveck *v, - const polyveck *h); +void ml_dsa_polyveck_use_hint(ml_dsa_params *params, + polyveck *w, + const polyveck *v, + const polyveck *h); -void polyveck_pack_w1(ml_dsa_params *params, - uint8_t *r, - const polyveck *w1); +void ml_dsa_polyveck_pack_w1(ml_dsa_params *params, + uint8_t *r, + const polyveck *w1); -void polyvec_matrix_expand(ml_dsa_params *params, - polyvecl *mat, - const uint8_t rho[SEEDBYTES]); +void ml_dsa_polyvec_matrix_expand(ml_dsa_params *params, + polyvecl *mat, + const uint8_t rho[ML_DSA_SEEDBYTES]); -void polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, - polyveck *t, - const polyvecl *mat, - const polyvecl *v); +void ml_dsa_polyvec_matrix_pointwise_montgomery(ml_dsa_params *params, + polyveck *t, + const polyvecl *mat, + const polyvecl *v); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c index 8d2ed54c47..5a1eee8fd6 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c @@ -3,7 +3,7 @@ #include "reduce.h" /************************************************* -* Name: fqmul +* Name: ml_dsa_fqmul * * Description: Multiplication followed by Montgomery reduction * For finite field element a with -2^{31}Q <= a <= Q*2^31, @@ -14,18 +14,18 @@ * * Returns r. **************************************************/ -int64_t fqmul(int32_t a, int32_t b) { +int64_t ml_dsa_fqmul(int32_t a, int32_t b) { int64_t s; int32_t t; s = (int64_t)a*b; - t = (int64_t)(int32_t)s*QINV; - t = (s - (int64_t)t*Q) >> 32; + t = (int64_t)(int32_t)s * ML_DSA_QINV; + t = (s - (int64_t)t * ML_DSA_Q) >> 32; return t; } /************************************************* -* Name: reduce32 +* Name: ml_dsa_reduce32 * * Description: For finite field element a with a <= 2^{31} - 2^{22} - 1, * compute r \equiv a (mod Q) such that -6283009 <= r <= 6283008. @@ -34,16 +34,16 @@ int64_t fqmul(int32_t a, int32_t b) { * * Returns r. **************************************************/ -int32_t reduce32(int32_t a) { +int32_t ml_dsa_reduce32(int32_t a) { int32_t t; t = (a + (1 << 22)) >> 23; - t = a - t*Q; + t = a - t * ML_DSA_Q; return t; } /************************************************* -* Name: caddq +* Name: ml_dsa_caddq * * Description: Add Q if input coefficient is negative. * @@ -51,13 +51,13 @@ int32_t reduce32(int32_t a) { * * Returns r. **************************************************/ -int32_t caddq(int32_t a) { - a += (a >> 31) & Q; +int32_t ml_dsa_caddq(int32_t a) { + a += (a >> 31) & ML_DSA_Q; return a; } /************************************************* -* Name: freeze +* Name: ml_dsa_freeze * * Description: For finite field element a, compute standard * representative r = a mod^+ Q. @@ -66,8 +66,8 @@ int32_t caddq(int32_t a) { * * Returns r. **************************************************/ -int32_t freeze(int32_t a) { - a = reduce32(a); - a = caddq(a); +int32_t ml_dsa_freeze(int32_t a) { + a = ml_dsa_reduce32(a); + a = ml_dsa_caddq(a); return a; } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h index 9de2cd7e25..ab52ff3488 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h @@ -1,18 +1,17 @@ -#ifndef REDUCE_H -#define REDUCE_H +#ifndef ML_DSA_REDUCE_H +#define ML_DSA_REDUCE_H #include #include "params.h" -#define MONT -4186625 // 2^32 % Q -#define QINV 58728449 // q^(-1) mod 2^32 +#define ML_DSA_QINV 58728449 // q^(-1) mod 2^32 -int64_t fqmul(int32_t a, int32_t b); +int64_t ml_dsa_fqmul(int32_t a, int32_t b); -int32_t reduce32(int32_t a); +int32_t ml_dsa_reduce32(int32_t a); -int32_t caddq(int32_t a); +int32_t ml_dsa_caddq(int32_t a); -int32_t freeze(int32_t a); +int32_t ml_dsa_freeze(int32_t a); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c index 4bff538887..d087520812 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.c @@ -3,7 +3,7 @@ #include "rounding.h" /************************************************* -* Name: power2round +* Name: ml_dsa_power2round * * Description: FIPS 204: Algorithm 35. * For finite field element a, compute a0, a1 such that @@ -15,16 +15,16 @@ * * Returns a1. **************************************************/ -int32_t power2round(int32_t *a0, int32_t a) { +int32_t ml_dsa_power2round(int32_t *a0, int32_t a) { int32_t a1; - a1 = (a + (1 << (D-1)) - 1) >> D; - *a0 = a - (a1 << D); + a1 = (a + (1 << (ML_DSA_D-1)) - 1) >> ML_DSA_D; + *a0 = a - (a1 << ML_DSA_D); return a1; } /************************************************* -* Name: decompose +* Name: ml_dsa_decompose * * Description: FIPS 204: Algorithm 36. * For finite field element a, compute high and low bits a0, a1 such @@ -39,27 +39,27 @@ int32_t power2round(int32_t *a0, int32_t a) { * * Returns a1. **************************************************/ -int32_t decompose(ml_dsa_params *params, int32_t *a0, int32_t a) { - assert((params->gamma2 == (Q-1)/32) || (params->gamma2 == (Q-1)/88)); +int32_t ml_dsa_decompose(ml_dsa_params *params, int32_t *a0, int32_t a) { + assert((params->gamma2 == (ML_DSA_Q-1)/32) || (params->gamma2 == (ML_DSA_Q-1)/88)); int32_t a1; a1 = (a + 127) >> 7; - if (params->gamma2 == (Q-1)/32) { + if (params->gamma2 == (ML_DSA_Q-1)/32) { a1 = (a1*1025 + (1 << 21)) >> 22; a1 &= 15; } - if (params->gamma2 == (Q-1)/88) { + if (params->gamma2 == (ML_DSA_Q-1)/88) { a1 = (a1*11275 + (1 << 23)) >> 24; a1 ^= ((43 - a1) >> 31) & a1; } *a0 = a - a1*2*params->gamma2; - *a0 -= (((Q-1)/2 - *a0) >> 31) & Q; + *a0 -= (((ML_DSA_Q-1)/2 - *a0) >> 31) & ML_DSA_Q; return a1; } /************************************************* -* Name: make_hint +* Name: ml_dsa_make_hint * * Description: FIPS 204: Algorithm 39 MakeHint. * Compute hint bit indicating whether the low bits of the @@ -71,7 +71,7 @@ int32_t decompose(ml_dsa_params *params, int32_t *a0, int32_t a) { * * Returns 1 if overflow. **************************************************/ -unsigned int make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { +unsigned int ml_dsa_make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { if(a0 > (params->gamma2) || a0 < -(params->gamma2) || (a0 == -(params->gamma2) && a1 != 0)) { return 1; @@ -80,7 +80,7 @@ unsigned int make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { } /************************************************* -* Name: use_hint +* Name: ml_dsa_use_hint * * Description: FIPS 204: Algorithm 40 UseHint. * Correct high bits according to hint. @@ -91,17 +91,17 @@ unsigned int make_hint(ml_dsa_params *params, int32_t a0, int32_t a1) { * * Returns corrected high bits. **************************************************/ -int32_t use_hint(ml_dsa_params *params, int32_t a, unsigned int hint) { +int32_t ml_dsa_use_hint(ml_dsa_params *params, int32_t a, unsigned int hint) { int32_t a0, a1; - assert((params->gamma2 == (Q-1)/32) || (params->gamma2 == (Q-1)/88)); + assert((params->gamma2 == (ML_DSA_Q-1)/32) || (params->gamma2 == (ML_DSA_Q-1)/88)); - a1 = decompose(params, &a0, a); + a1 = ml_dsa_decompose(params, &a0, a); if(hint == 0) { return a1; } - if (params->gamma2 == (Q-1)/32) { + if (params->gamma2 == (ML_DSA_Q-1)/32) { if(a0 > 0) { return (a1 + 1) & 15; } diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.h index 5345f64b95..11519cb571 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/rounding.h @@ -1,15 +1,15 @@ -#ifndef ROUNDING_H -#define ROUNDING_H +#ifndef ML_DSA_ROUNDING_H +#define ML_DSA_ROUNDING_H #include #include "params.h" -int32_t power2round(int32_t *a0, int32_t a); +int32_t ml_dsa_power2round(int32_t *a0, int32_t a); -int32_t decompose(ml_dsa_params *params, int32_t *a0, int32_t a); +int32_t ml_dsa_decompose(ml_dsa_params *params, int32_t *a0, int32_t a); -unsigned int make_hint(ml_dsa_params *params, int32_t a0, int32_t a1); +unsigned int ml_dsa_make_hint(ml_dsa_params *params, int32_t a0, int32_t a1); -int32_t use_hint(ml_dsa_params *params, int32_t a, unsigned int hint); +int32_t ml_dsa_use_hint(ml_dsa_params *params, int32_t a, unsigned int hint); #endif diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c index 3b5b2d20df..cdc772f72a 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c @@ -9,7 +9,7 @@ /************************************************* - * Name: crypto_sign_keypair_internal + * Name: ml_dsa_keypair_internal * * Description: FIPS 204: Algorithm 6 ML-DSA.KeyGen_internal. * Generates public and private key. Internal API. @@ -23,52 +23,52 @@ * * Returns 0 (success) **************************************************/ -int crypto_sign_keypair_internal(ml_dsa_params *params, - uint8_t *pk, - uint8_t *sk, - const uint8_t *seed) { - uint8_t seedbuf[2*SEEDBYTES + CRHBYTES]; - uint8_t tr[TRBYTES]; +int ml_dsa_keypair_internal(ml_dsa_params *params, + uint8_t *pk, + uint8_t *sk, + const uint8_t *seed) { + uint8_t seedbuf[2 * ML_DSA_SEEDBYTES + ML_DSA_CRHBYTES]; + uint8_t tr[ML_DSA_TRBYTES]; const uint8_t *rho, *rhoprime, *key; - polyvecl mat[DILITHIUM_K_MAX]; + polyvecl mat[ML_DSA_K_MAX]; polyvecl s1 = {{{{0}}}}; polyvecl s1hat; polyveck s2, t1, t0; - OPENSSL_memcpy(seedbuf, seed, SEEDBYTES); - seedbuf[SEEDBYTES+0] = params->k; - seedbuf[SEEDBYTES+1] = params->l; - SHAKE256(seedbuf, SEEDBYTES + 2, seedbuf, 2 * SEEDBYTES + CRHBYTES); + OPENSSL_memcpy(seedbuf, seed, ML_DSA_SEEDBYTES); + seedbuf[ML_DSA_SEEDBYTES + 0] = params->k; + seedbuf[ML_DSA_SEEDBYTES + 1] = params->l; + SHAKE256(seedbuf, ML_DSA_SEEDBYTES + 2, seedbuf, 2 * ML_DSA_SEEDBYTES + ML_DSA_CRHBYTES); rho = seedbuf; - rhoprime = rho + SEEDBYTES; - key = rhoprime + CRHBYTES; + rhoprime = rho + ML_DSA_SEEDBYTES; + key = rhoprime + ML_DSA_CRHBYTES; /* FIPS 204: line 3 Expand matrix */ - polyvec_matrix_expand(params, mat, rho); + ml_dsa_polyvec_matrix_expand(params, mat, rho); /* FIPS 204: line 4 Sample short vectors s1 and s2 */ - polyvecl_uniform_eta(params, &s1, rhoprime, 0); - polyveck_uniform_eta(params, &s2, rhoprime, params->l); + ml_dsa_polyvecl_uniform_eta(params, &s1, rhoprime, 0); + ml_dsa_polyveck_uniform_eta(params, &s2, rhoprime, params->l); /* FIPS 204: line 5 Matrix-vector multiplication */ s1hat = s1; - polyvecl_ntt(params, &s1hat); - polyvec_matrix_pointwise_montgomery(params, &t1, mat, &s1hat); - polyveck_reduce(params, &t1); - polyveck_invntt_tomont(params, &t1); + ml_dsa_polyvecl_ntt(params, &s1hat); + ml_dsa_polyvec_matrix_pointwise_montgomery(params, &t1, mat, &s1hat); + ml_dsa_polyveck_reduce(params, &t1); + ml_dsa_polyveck_invntt_tomont(params, &t1); /* Add error vector s2 */ - polyveck_add(params, &t1, &t1, &s2); + ml_dsa_polyveck_add(params, &t1, &t1, &s2); /* FIPS 204: line 6 Extract t1 and write public key */ - polyveck_caddq(params, &t1); - polyveck_power2round(params, &t1, &t0, &t1); + ml_dsa_polyveck_caddq(params, &t1); + ml_dsa_polyveck_power2round(params, &t1, &t0, &t1); /* FIPS 204: line 8 */ - pack_pk(params, pk, rho, &t1); + ml_dsa_pack_pk(params, pk, rho, &t1); /* FIPS 204: line 9 Compute H(rho, t1) and line 10 write secret key */ - SHAKE256(pk, params->public_key_bytes, tr, TRBYTES); - pack_sk(params, sk, rho, tr, key, &t0, &s1, &s2); + SHAKE256(pk, params->public_key_bytes, tr, ML_DSA_TRBYTES); + ml_dsa_pack_sk(params, sk, rho, tr, key, &t0, &s1, &s2); /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(seedbuf, sizeof(seedbuf)); @@ -83,7 +83,7 @@ int crypto_sign_keypair_internal(ml_dsa_params *params, } /************************************************* -* Name: crypto_sign_keypair +* Name: ml_dsa_keypair * * Description: FIPS 204: Algorithm 1 ML-DSA.KeyGen * Generates public and private key. @@ -96,18 +96,18 @@ int crypto_sign_keypair_internal(ml_dsa_params *params, * * Returns 0 (success) -1 on failure **************************************************/ -int crypto_sign_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { - uint8_t seed[SEEDBYTES]; - if (!RAND_bytes(seed, SEEDBYTES)) { +int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { + uint8_t seed[ML_DSA_SEEDBYTES]; + if (!RAND_bytes(seed, ML_DSA_SEEDBYTES)) { return -1; } - crypto_sign_keypair_internal(params, pk, sk, seed); + ml_dsa_keypair_internal(params, pk, sk, seed); OPENSSL_cleanse(seed, sizeof(seed)); return 0; } /************************************************* -* Name: crypto_sign_signature_internal +* Name: ml_dsa_sign_internal * * Description: FIPS 204: Algorithm 7 ML-DSA.Sign_internal. * Computes signature. Internal API. @@ -124,115 +124,115 @@ int crypto_sign_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature_internal(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pre, - size_t prelen, - const uint8_t *rnd, - const uint8_t *sk) +int ml_dsa_sign_internal(ml_dsa_params *params, + uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pre, + size_t prelen, + const uint8_t *rnd, + const uint8_t *sk) { unsigned int n; - uint8_t seedbuf[2*SEEDBYTES + TRBYTES + 2*CRHBYTES]; + uint8_t seedbuf[2*ML_DSA_SEEDBYTES + ML_DSA_TRBYTES + 2*ML_DSA_CRHBYTES]; uint8_t *rho, *tr, *key, *mu, *rhoprime; uint16_t nonce = 0; - polyvecl mat[DILITHIUM_K_MAX], s1, y, z; + polyvecl mat[ML_DSA_K_MAX], s1, y, z; polyveck t0, s2, w1, w0, h; - poly cp; + ml_dsa_poly cp; KECCAK1600_CTX state; rho = seedbuf; - tr = rho + SEEDBYTES; - key = tr + TRBYTES; - mu = key + SEEDBYTES; - rhoprime = mu + CRHBYTES; + tr = rho + ML_DSA_SEEDBYTES; + key = tr + ML_DSA_TRBYTES; + mu = key + ML_DSA_SEEDBYTES; + rhoprime = mu + ML_DSA_CRHBYTES; /* FIPS 204: line 1 */ - unpack_sk(params, rho, tr, key, &t0, &s1, &s2, sk); + ml_dsa_unpack_sk(params, rho, tr, key, &t0, &s1, &s2, sk); /* FIPS 204: line 6 Compute mu = CRH(tr, pre, msg) */ // This differs from FIPS 204 line 6 that performs mu = CRH(tr, M') and the // processing of M' in the external function. However, as M' = (pre, msg), // mu = CRH(tr, M') = CRH(tr, pre, msg). SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, tr, TRBYTES); + SHA3_Update(&state, tr, ML_DSA_TRBYTES); SHA3_Update(&state, pre, prelen); SHA3_Update(&state, m, mlen); - SHAKE_Final(mu, &state, CRHBYTES); + SHAKE_Final(mu, &state, ML_DSA_CRHBYTES); /* FIPS 204: line 7 Compute rhoprime = CRH(key, rnd, mu) */ SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, key, SEEDBYTES); - SHA3_Update(&state, rnd, RNDBYTES); - SHA3_Update(&state, mu, CRHBYTES); - SHAKE_Final(rhoprime, &state, CRHBYTES); + SHA3_Update(&state, key, ML_DSA_SEEDBYTES); + SHA3_Update(&state, rnd, ML_DSA_RNDBYTES); + SHA3_Update(&state, mu, ML_DSA_CRHBYTES); + SHAKE_Final(rhoprime, &state, ML_DSA_CRHBYTES); /* FIPS 204: line 5 Expand matrix and transform vectors */ - polyvec_matrix_expand(params, mat, rho); - polyvecl_ntt(params, &s1); - polyveck_ntt(params, &s2); - polyveck_ntt(params, &t0); + ml_dsa_polyvec_matrix_expand(params, mat, rho); + ml_dsa_polyvecl_ntt(params, &s1); + ml_dsa_polyveck_ntt(params, &s2); + ml_dsa_polyveck_ntt(params, &t0); rej: /* FIPS 204: line 11 Sample intermediate vector y */ - polyvecl_uniform_gamma1(params, &y, rhoprime, nonce++); + ml_dsa_polyvecl_uniform_gamma1(params, &y, rhoprime, nonce++); /* FIPS 204: line 12 Matrix-vector multiplication */ z = y; - polyvecl_ntt(params, &z); - polyvec_matrix_pointwise_montgomery(params, &w1, mat, &z); - polyveck_reduce(params, &w1); - polyveck_invntt_tomont(params, &w1); + ml_dsa_polyvecl_ntt(params, &z); + ml_dsa_polyvec_matrix_pointwise_montgomery(params, &w1, mat, &z); + ml_dsa_polyveck_reduce(params, &w1); + ml_dsa_polyveck_invntt_tomont(params, &w1); /* FIPS 204: line 13 - 14 Decompose w and call the random oracle */ - polyveck_caddq(params, &w1); - polyveck_decompose(params, &w1, &w0, &w1); - polyveck_pack_w1(params, sig, &w1); + ml_dsa_polyveck_caddq(params, &w1); + ml_dsa_polyveck_decompose(params, &w1, &w0, &w1); + ml_dsa_polyveck_pack_w1(params, sig, &w1); SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, mu, CRHBYTES); + SHA3_Update(&state, mu, ML_DSA_CRHBYTES); SHA3_Update(&state, sig, params->k * params->poly_w1_packed_bytes); SHAKE_Final(sig, &state, params->c_tilde_bytes); - poly_challenge(params, &cp, sig); - poly_ntt(&cp); + ml_dsa_poly_challenge(params, &cp, sig); + ml_dsa_poly_ntt(&cp); /* FIPS 204: line 20 Compute z, reject if it reveals secret */ - polyvecl_pointwise_poly_montgomery(params, &z, &cp, &s1); - polyvecl_invntt_tomont(params, &z); - polyvecl_add(params, &z, &z, &y); - polyvecl_reduce(params, &z); - if(polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { + ml_dsa_polyvecl_pointwise_poly_montgomery(params, &z, &cp, &s1); + ml_dsa_polyvecl_invntt_tomont(params, &z); + ml_dsa_polyvecl_add(params, &z, &z, &y); + ml_dsa_polyvecl_reduce(params, &z); + if(ml_dsa_polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { goto rej; } /* FIPS 204: line 21 Check that subtracting cs2 does not change high bits of w and low bits * do not reveal secret information */ - polyveck_pointwise_poly_montgomery(params, &h, &cp, &s2); - polyveck_invntt_tomont(params, &h); - polyveck_sub(params, &w0, &w0, &h); - polyveck_reduce(params, &w0); - if(polyveck_chknorm(params, &w0, params->gamma2 - params->beta)) { + ml_dsa_polyveck_pointwise_poly_montgomery(params, &h, &cp, &s2); + ml_dsa_polyveck_invntt_tomont(params, &h); + ml_dsa_polyveck_sub(params, &w0, &w0, &h); + ml_dsa_polyveck_reduce(params, &w0); + if(ml_dsa_polyveck_chknorm(params, &w0, params->gamma2 - params->beta)) { goto rej; } /* FIPS 204: line 25 */ - polyveck_pointwise_poly_montgomery(params, &h, &cp, &t0); - polyveck_invntt_tomont(params, &h); - polyveck_reduce(params, &h); - if(polyveck_chknorm(params, &h, params->gamma2)) { + ml_dsa_polyveck_pointwise_poly_montgomery(params, &h, &cp, &t0); + ml_dsa_polyveck_invntt_tomont(params, &h); + ml_dsa_polyveck_reduce(params, &h); + if(ml_dsa_polyveck_chknorm(params, &h, params->gamma2)) { goto rej; } /* FIPS 204: line 26 Compute signer's hint */ - polyveck_add(params, &w0, &w0, &h); - n = polyveck_make_hint(params, &h, &w0, &w1); + ml_dsa_polyveck_add(params, &w0, &w0, &h); + n = ml_dsa_polyveck_make_hint(params, &h, &w0, &w1); if(n > params->omega) { goto rej; } /* FIPS 204: line 33 Write signature */ - pack_sig(params, sig, sig, &z, &h); + ml_dsa_pack_sig(params, sig, sig, &z, &h); *siglen = params->bytes; /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ @@ -253,7 +253,7 @@ int crypto_sign_signature_internal(ml_dsa_params *params, } /************************************************* -* Name: crypto_sign_signature +* Name: ml_dsa_sign * * Description: FIPS 204: Algorithm 2 ML-DSA.Sign. * Computes signature in hedged mode. @@ -268,17 +268,17 @@ int crypto_sign_signature_internal(ml_dsa_params *params, * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature(ml_dsa_params *params, - uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *sk) +int ml_dsa_sign(ml_dsa_params *params, + uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { uint8_t pre[257]; - uint8_t rnd[RNDBYTES]; + uint8_t rnd[ML_DSA_RNDBYTES]; if(ctxlen > 255) { return -1; @@ -288,10 +288,10 @@ int crypto_sign_signature(ml_dsa_params *params, pre[1] = ctxlen; OPENSSL_memcpy(pre + 2 , ctx, ctxlen); - if (!RAND_bytes(rnd, RNDBYTES)) { + if (!RAND_bytes(rnd, ML_DSA_RNDBYTES)) { return -1; } - crypto_sign_signature_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk); + ml_dsa_sign_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk); /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ OPENSSL_cleanse(pre, sizeof(pre)); @@ -300,7 +300,7 @@ int crypto_sign_signature(ml_dsa_params *params, } /************************************************* -* Name: crypto_sign +* Name: ml_dsa_sign_message * * Description: Compute signed message. * @@ -318,14 +318,14 @@ int crypto_sign_signature(ml_dsa_params *params, * * Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign(ml_dsa_params *params, - uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *sk) +int ml_dsa_sign_message(ml_dsa_params *params, + uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { int ret; size_t i; @@ -333,13 +333,13 @@ int crypto_sign(ml_dsa_params *params, for(i = 0; i < mlen; ++i) { sm[params->bytes + mlen - 1 - i] = m[mlen - 1 - i]; } - ret = crypto_sign_signature(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); + ret = ml_dsa_sign(params, sm, smlen, sm + params->bytes, mlen, ctx, ctxlen, sk); *smlen += mlen; return ret; } /************************************************* -* Name: crypto_sign_verify_internal +* Name: ml_dsa_verify_internal * * Description: FIPS 204: Algorithm 8 ML-DSA.Verify_internal. * Verifies signature. Internal API. @@ -355,24 +355,24 @@ int crypto_sign(ml_dsa_params *params, * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify_internal(ml_dsa_params *params, - const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pre, - size_t prelen, - const uint8_t *pk) +int ml_dsa_verify_internal(ml_dsa_params *params, + const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pre, + size_t prelen, + const uint8_t *pk) { unsigned int i; - uint8_t buf[DILITHIUM_K_MAX*DILITHIUM_POLYW1_PACKEDBYTES_MAX]; - uint8_t rho[SEEDBYTES]; - uint8_t mu[CRHBYTES]; - uint8_t tr[TRBYTES]; - uint8_t c[DILITHIUM_C_TILDE_BYTES_MAX]; - uint8_t c2[DILITHIUM_C_TILDE_BYTES_MAX]; - poly cp; - polyvecl mat[DILITHIUM_K_MAX], z; + uint8_t buf[ML_DSA_K_MAX*ML_DSA_POLYW1_PACKEDBYTES_MAX]; + uint8_t rho[ML_DSA_SEEDBYTES]; + uint8_t mu[ML_DSA_CRHBYTES]; + uint8_t tr[ML_DSA_TRBYTES]; + uint8_t c[ML_DSA_C_TILDE_BYTES_MAX]; + uint8_t c2[ML_DSA_C_TILDE_BYTES_MAX]; + ml_dsa_poly cp; + polyvecl mat[ML_DSA_K_MAX], z; polyveck t1, w1, h; KECCAK1600_CTX state; @@ -380,50 +380,50 @@ int crypto_sign_verify_internal(ml_dsa_params *params, return -1; } /* FIPS 204: line 1 */ - unpack_pk(params, rho, &t1, pk); + ml_dsa_unpack_pk(params, rho, &t1, pk); /* FIPS 204: line 2 */ - if(unpack_sig(params, c, &z, &h, sig)) { + if(ml_dsa_unpack_sig(params, c, &z, &h, sig)) { return -1; } - if(polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { + if(ml_dsa_polyvecl_chknorm(params, &z, params->gamma1 - params->beta)) { return -1; } /* FIPS 204: line 6 Compute tr */ - SHAKE256(pk, params->public_key_bytes, tr, TRBYTES); + SHAKE256(pk, params->public_key_bytes, tr, ML_DSA_TRBYTES); /* FIPS 204: line 7 Compute mu = H(BytesToBits(tr) || M', 64) */ // Like crypto_sign_signature_internal, the processing of M' is performed // here, as opposed to within the external function. SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, tr, TRBYTES); + SHA3_Update(&state, tr, ML_DSA_TRBYTES); SHA3_Update(&state, pre, prelen); SHA3_Update(&state, m, mlen); - SHAKE_Final(mu, &state, CRHBYTES); + SHAKE_Final(mu, &state, ML_DSA_CRHBYTES); /* FIPS 204: line 9 Matrix-vector multiplication; compute Az - c2^dt1 */ - poly_challenge(params, &cp, c); - polyvec_matrix_expand(params, mat, rho); + ml_dsa_poly_challenge(params, &cp, c); + ml_dsa_polyvec_matrix_expand(params, mat, rho); - polyvecl_ntt(params, &z); - polyvec_matrix_pointwise_montgomery(params, &w1, mat, &z); + ml_dsa_polyvecl_ntt(params, &z); + ml_dsa_polyvec_matrix_pointwise_montgomery(params, &w1, mat, &z); - poly_ntt(&cp); - polyveck_shiftl(params, &t1); - polyveck_ntt(params, &t1); - polyveck_pointwise_poly_montgomery(params, &t1, &cp, &t1); + ml_dsa_poly_ntt(&cp); + ml_dsa_polyveck_shiftl(params, &t1); + ml_dsa_polyveck_ntt(params, &t1); + ml_dsa_polyveck_pointwise_poly_montgomery(params, &t1, &cp, &t1); - polyveck_sub(params, &w1, &w1, &t1); - polyveck_reduce(params, &w1); - polyveck_invntt_tomont(params, &w1); + ml_dsa_polyveck_sub(params, &w1, &w1, &t1); + ml_dsa_polyveck_reduce(params, &w1); + ml_dsa_polyveck_invntt_tomont(params, &w1); /* FIPS 204: line 10 Reconstruct w1 */ - polyveck_caddq(params, &w1); - polyveck_use_hint(params, &w1, &w1, &h); - polyveck_pack_w1(params, buf, &w1); + ml_dsa_polyveck_caddq(params, &w1); + ml_dsa_polyveck_use_hint(params, &w1, &w1, &h); + ml_dsa_polyveck_pack_w1(params, buf, &w1); /* FIPS 204: line 12 Call random oracle and verify challenge */ SHAKE_Init(&state, SHAKE256_BLOCKSIZE); - SHA3_Update(&state, mu, CRHBYTES); + SHA3_Update(&state, mu, ML_DSA_CRHBYTES); SHA3_Update(&state, buf, params->k * params->poly_w1_packed_bytes); SHAKE_Final(c2, &state, params->c_tilde_bytes); for(i = 0; i < params->c_tilde_bytes; ++i) { @@ -449,7 +449,7 @@ int crypto_sign_verify_internal(ml_dsa_params *params, } /************************************************* -* Name: crypto_sign_verify +* Name: ml_dsa_verify * * Description: FIPS 204: Algorithm 3 ML-DSA.Verify. * Verifies signature. @@ -465,14 +465,14 @@ int crypto_sign_verify_internal(ml_dsa_params *params, * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify(ml_dsa_params *params, - const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *pk) +int ml_dsa_verify(ml_dsa_params *params, + const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *pk) { uint8_t pre[257]; @@ -483,11 +483,11 @@ int crypto_sign_verify(ml_dsa_params *params, pre[0] = 0; pre[1] = ctxlen; OPENSSL_memcpy(pre + 2 , ctx, ctxlen); - return crypto_sign_verify_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, pk); + return ml_dsa_verify_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, pk); } /************************************************* -* Name: crypto_sign_open +* Name: ml_dsa_verify_message * * Description: Verify signed message. * @@ -503,14 +503,14 @@ int crypto_sign_verify(ml_dsa_params *params, * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_open(ml_dsa_params *params, - uint8_t *m, - size_t *mlen, - const uint8_t *sm, - size_t smlen, - const uint8_t *ctx, - size_t ctxlen, - const uint8_t *pk) +int ml_dsa_verify_message(ml_dsa_params *params, + uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *pk) { if(smlen < params->bytes) { @@ -518,7 +518,7 @@ int crypto_sign_open(ml_dsa_params *params, } *mlen = smlen - params->bytes; - if(crypto_sign_verify(params,sm, params->bytes, sm + params->bytes, *mlen, ctx, ctxlen, pk)) { + if(ml_dsa_verify(params,sm, params->bytes, sm + params->bytes, *mlen, ctx, ctxlen, pk)) { goto badsig; } else { diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h index 9110d6e793..fc32be0dd7 100644 --- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h +++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.h @@ -1,52 +1,52 @@ -#ifndef SIGN_H -#define SIGN_H +#ifndef ML_DSA_SIGN_H +#define ML_DSA_SIGN_H #include #include #include "params.h" -int crypto_sign_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk); +int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk); -int crypto_sign_keypair_internal(ml_dsa_params *params, - uint8_t *pk, - uint8_t *sk, - const uint8_t *seed); +int ml_dsa_keypair_internal(ml_dsa_params *params, + uint8_t *pk, + uint8_t *sk, + const uint8_t *seed); -int crypto_sign_signature(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *sk); - -int crypto_sign_signature_internal(ml_dsa_params *params, - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pre, size_t prelen, - const uint8_t *rnd, - const uint8_t *sk); - -int crypto_sign(ml_dsa_params *params, - uint8_t *sm, size_t *smlen, +int ml_dsa_sign(ml_dsa_params *params, + uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); -int crypto_sign_verify(ml_dsa_params *params, - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *pk); - -int crypto_sign_verify_internal(ml_dsa_params *params, - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pre, size_t prelen, - const uint8_t *pk); - -int crypto_sign_open(ml_dsa_params *params, - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *pk); +int ml_dsa_sign_internal(ml_dsa_params *params, + uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *pre, size_t prelen, + const uint8_t *rnd, + const uint8_t *sk); + +int ml_dsa_sign_message(ml_dsa_params *params, + uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int ml_dsa_verify(ml_dsa_params *params, + const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + +int ml_dsa_verify_internal(ml_dsa_params *params, + const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *pre, size_t prelen, + const uint8_t *pk); + +int ml_dsa_verify_message(ml_dsa_params *params, + uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); #endif diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc index 4e9956ad22..28010b8786 100644 --- a/ssl/test/bssl_shim.cc +++ b/ssl/test/bssl_shim.cc @@ -31,6 +31,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) #endif #include +#include #ifndef __STDC_FORMAT_MACROS #define __STDC_FORMAT_MACROS @@ -986,6 +987,11 @@ static bool DoConnection(bssl::UniquePtr *out_session, int ssl_err = SSL_get_error(ssl.get(), -1); if (ssl_err != SSL_ERROR_NONE) { fprintf(stderr, "SSL error: %s\n", SSL_error_description(ssl_err)); + if (ssl_err == SSL_ERROR_SYSCALL) { + int err = errno; + fprintf(stderr, "Error occurred: errno = %d, description = %s\n", err, strerror(err)); + + } } return false; } diff --git a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch index 724fbf3fd9..b59d0f09dd 100644 --- a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch +++ b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch @@ -1,16 +1,3 @@ -diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py -index 6e63a88..7dc83d7 100644 ---- a/Lib/test/test_httplib.py -+++ b/Lib/test/test_httplib.py -@@ -2066,7 +2066,7 @@ def test_host_port(self): - - def test_tls13_pha(self): - import ssl -- if not ssl.HAS_TLSv1_3: -+ if not ssl.HAS_TLSv1_3 or "AWS-LC" in ssl.OPENSSL_VERSION: - self.skipTest('TLS 1.3 support required') - # just check status of PHA flag - h = client.HTTPSConnection('localhost', 443) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 0e50d09..f4b7b3c 100644 --- a/Lib/test/test_ssl.py @@ -74,50 +61,6 @@ index 0e50d09..f4b7b3c 100644 server_context.minimum_version = ssl.TLSVersion.TLSv1_3 server_context.set_ciphers('PSK') server_context.set_psk_server_callback(server_callback, identity_hint) -@@ -4461,7 +4463,10 @@ def server_callback(identity): - s.connect((HOST, server.port)) - - --@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3") -+@unittest.skipUnless( -+ has_tls_version('TLSv1_3') and not Py_OPENSSL_IS_AWSLC, -+ "Test needs TLS 1.3; AWS-LC doesn't support PHA" -+) - class TestPostHandshakeAuth(unittest.TestCase): - def test_pha_setter(self): - protocols = [ -@@ -4737,6 +4742,31 @@ def test_internal_chain_server(self): - self.assertEqual(res, b'\x02\n') - - -+@unittest.skipUnless(Py_OPENSSL_IS_AWSLC, "Only test this against AWS-LC") -+class TestPostHandshakeAuthAwsLc(unittest.TestCase): -+ def test_pha(self): -+ protocols = [ -+ ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT -+ ] -+ for protocol in protocols: -+ client_ctx, server_ctx, hostname = testing_context() -+ client_ctx.load_cert_chain(SIGNED_CERTFILE) -+ self.assertEqual(client_ctx.post_handshake_auth, None) -+ with self.assertRaises(AttributeError): -+ client_ctx.post_handshake_auth = True -+ with self.assertRaises(AttributeError): -+ server_ctx.post_handshake_auth = True -+ -+ with ThreadedEchoServer(context=server_ctx) as server: -+ with client_ctx.wrap_socket( -+ socket.socket(), -+ server_hostname=hostname -+ ) as ssock: -+ ssock.connect((HOST, server.port)) -+ with self.assertRaises(NotImplementedError): -+ ssock.verify_client_post_handshake() -+ -+ - HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename') - requires_keylog = unittest.skipUnless( - HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback') diff --git a/Modules/Setup b/Modules/Setup index cd1cf24..53bcc4c 100644 --- a/Modules/Setup diff --git a/tests/ci/integration/ruby_patch/ruby_patch_common/net-http.patch b/tests/ci/integration/ruby_patch/ruby_patch_common/net-http.patch new file mode 100644 index 0000000000..ffd48836f4 --- /dev/null +++ b/tests/ci/integration/ruby_patch/ruby_patch_common/net-http.patch @@ -0,0 +1,22 @@ +diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb +index a24f5e0..26ab754 100644 +--- a/test/net/http/test_https.rb ++++ b/test/net/http/test_https.rb +@@ -167,6 +167,8 @@ def test_session_reuse + def test_session_reuse_but_expire + # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h. + omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 1.1.0h') ++ # "AWS-LC does not support internal session caching on the client". ++ omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('AWS-LC') + + http = Net::HTTP.new(HOST, config("port")) + http.use_ssl = true +@@ -237,7 +239,7 @@ def test_certificate_verify_failure + ex = assert_raise(OpenSSL::SSL::SSLError){ + http.request_get("/") {|res| } + } +- assert_match(/certificate verify failed/, ex.message) ++ assert_match(/certificate verify failed|CERTIFICATE_VERIFY_FAILED/, ex.message) + unless /mswin|mingw/ =~ RUBY_PLATFORM + # on Windows, Errno::ECONNRESET will be raised, and it'll be eaten by + # WEBrick diff --git a/tests/ci/integration/ruby_patch/ruby_release_backport/Fix-wrong-certificate-version.patch b/tests/ci/integration/ruby_patch/ruby_release_backport/Fix-wrong-certificate-version.patch new file mode 100644 index 0000000000..2c70410cf5 --- /dev/null +++ b/tests/ci/integration/ruby_patch/ruby_release_backport/Fix-wrong-certificate-version.patch @@ -0,0 +1,31 @@ +From 226ae828c5cc2c87245417e9a372b9403c91a54c Mon Sep 17 00:00:00 2001 +From: Jeremy Evans +Date: Tue, 4 Jun 2024 16:35:06 -0700 +Subject: [PATCH] Fix wrong certificate version + +OpenSSL::X509::Certificate#version= calls X509_set_version, and +that sets the version stored in the certificate. However, the +version stored in certificate is one less than the actual +certificate version (https://www.openssl.org/docs/manmaster/man3/X509_set_version.html). +There are no version 4 certificates, and when using recent LibreSSL, +drb ssl tests all fail without this change. +--- + lib/drb/ssl.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/drb/ssl.rb b/lib/drb/ssl.rb +index 392d656..4e4d992 100644 +--- a/lib/drb/ssl.rb ++++ b/lib/drb/ssl.rb +@@ -185,7 +185,7 @@ module DRb + } + + cert = OpenSSL::X509::Certificate.new +- cert.version = 3 ++ cert.version = 2 + cert.serial = 0 + name = OpenSSL::X509::Name.new(self[:SSLCertName]) + cert.subject = name +-- +2.25.1 + diff --git a/tests/ci/integration/run_ruby_integration.sh b/tests/ci/integration/run_ruby_integration.sh index cd13116add..d3b15cb529 100755 --- a/tests/ci/integration/run_ruby_integration.sh +++ b/tests/ci/integration/run_ruby_integration.sh @@ -25,6 +25,8 @@ FIPS=${FIPS:-"0"} SCRATCH_FOLDER="${SRC_ROOT}/RUBY_BUILD_ROOT" RUBY_SRC_FOLDER="${SCRATCH_FOLDER}/ruby-src" RUBY_PATCH_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch" +RUBY_BACKPORT_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch/ruby_release_backport" +RUBY_COMMON_FOLDER="${SRC_ROOT}/tests/ci/integration/ruby_patch/ruby_patch_common" AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build" AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install" @@ -45,8 +47,9 @@ function ruby_build() { ldd "$(find "$PWD/install" -name "openssl.so")" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1 ldd "$(find "$PWD/install" -name "openssl.so")" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libssl.so" || exit 1 - #TODO: add more relevant tests here make test-all TESTS="test/openssl/*.rb" + make test-all TESTS="test/drb/*ssl*.rb" + make test-all TESTS="test/rubygems/test*.rb" popd } @@ -54,17 +57,25 @@ function ruby_build() { function ruby_patch() { local branch=${1} local src_dir="${RUBY_SRC_FOLDER}/${branch}" - local patch_dir="${RUBY_PATCH_FOLDER}/${branch}" - if [[ ! $(find -L ${patch_dir} -type f -name '*.patch') ]]; then + local patch_dirs=("${RUBY_PATCH_FOLDER}/${branch}" "${RUBY_COMMON_FOLDER}") + if [[ ! $(find -L ${patch_dirs[0]} -type f -name '*.patch') ]]; then echo "No patch for ${branch}!" exit 1 fi git clone https://github.com/ruby/ruby.git ${src_dir} \ --depth 1 \ --branch ${branch} - for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do - echo "Apply patch ${patchfile}..." - cat ${patchfile} | patch -p1 --quiet -d ${src_dir} + + # Add directory of backport patches if branch is not master. + if [[ "${branch}" != "master" ]]; then + patch_dirs+=("${RUBY_BACKPORT_FOLDER}") + fi + + for patch_dir in "${patch_dirs[@]}"; do + for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do + echo "Apply patch ${patchfile}..." + cat ${patchfile} | patch -p1 --quiet -d ${src_dir} + done done }