unroll prf to shake256x4

Signed-off-by: Duc Tri Nguyen <[email protected]>

fips202/fips202x4.c

@@ -176,10 +176,10 @@ int shake256x4_squeezeblocks(uint8_t *out0,
     return 0;
 }
 
-int shake256x1_squeezeblocks(uint8_t *out,
-                             size_t nblocks,
-                             size_t index,
-                             keccakx4_state *state)
+int shake256x4_squeezeblocks_single(uint8_t *out,
+                                    size_t nblocks,
+                                    size_t index,
+                                    keccakx4_state *state)
 {
     if (out == NULL)
     {

fips202/fips202x4.h

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
-#ifndef FIPS_202X_H
-#define FIPS_202X_H
+#ifndef FIPS_202X4_H
+#define FIPS_202X4_H
 
 #ifndef KECCAK_WAY
 #define KECCAK_WAY 4
@@ -47,10 +47,10 @@ int shake256x4_squeezeblocks(uint8_t *out0,
 /*
  * Squeezes a single lane in Keccak 4-way
  */
-int shake256x1_squeezeblocks(uint8_t *out,
-                             size_t nblocks,
-                             size_t index,
-                             keccakx4_state *state);
+int shake256x4_squeezeblocks_single(uint8_t *out,
+                                    size_t nblocks,
+                                    size_t index,
+                                    keccakx4_state *state);
 
 int shake256x4(uint8_t *out0,
                uint8_t *out1,

mlkem/indcpa.c

@@ -214,7 +214,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
 
             while (ctr < KYBER_N )
             {
-                shake256x1_squeezeblocks(buf, 1, j, &statex);
+                shake256x4_squeezeblocks_single(buf, 1, j, &statex);
                 buflen = XOF_BLOCKBYTES;
                 ctr += rej_uniform(vec + ctr, KYBER_N - ctr, buf, buflen);
             }

mlkem/poly.c

@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
 #include <stdint.h>
+#include <string.h>
 #include "cbmc.h"
 #include "params.h"
 #include "poly.h"
@@ -390,11 +391,18 @@ void poly_getnoise_eta1_4x(poly *r0,
                            uint8_t nonce2,
                            uint8_t nonce3)
 {
-    uint8_t buf[KECCAK_WAY][KYBER_ETA1 *KYBER_N / 4];
-    prf(buf[0], sizeof(buf[0]), seed, nonce0);
-    prf(buf[1], sizeof(buf[1]), seed, nonce1);
-    prf(buf[2], sizeof(buf[2]), seed, nonce2);
-    prf(buf[3], sizeof(buf[3]), seed, nonce3);
+    uint8_t buf[KECCAK_WAY][KYBER_ETA1 * KYBER_N / 4];
+    uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
+    memcpy(extkey[0], seed, KYBER_SYMBYTES);
+    memcpy(extkey[1], seed, KYBER_SYMBYTES);
+    memcpy(extkey[2], seed, KYBER_SYMBYTES);
+    memcpy(extkey[3], seed, KYBER_SYMBYTES);
+    extkey[0][KYBER_SYMBYTES] = nonce0;
+    extkey[1][KYBER_SYMBYTES] = nonce1;
+    extkey[2][KYBER_SYMBYTES] = nonce2;
+    extkey[3][KYBER_SYMBYTES] = nonce3;
+    shake256x4(buf[0], buf[1], buf[2], buf[3], KYBER_ETA1 * KYBER_N / 4,
+               extkey[0], extkey[1], extkey[2], extkey[3], KYBER_SYMBYTES + 1);
     poly_cbd_eta1(r0, buf[0]);
     poly_cbd_eta1(r1, buf[1]);
     poly_cbd_eta1(r2, buf[2]);
@@ -443,10 +451,17 @@ void poly_getnoise_eta2_4x(poly *r0,
                            uint8_t nonce3)
 {
     uint8_t buf[KECCAK_WAY][KYBER_ETA2 * KYBER_N / 4];
-    prf(buf[0], sizeof(buf[0]), seed, nonce0);
-    prf(buf[1], sizeof(buf[1]), seed, nonce1);
-    prf(buf[2], sizeof(buf[2]), seed, nonce2);
-    prf(buf[3], sizeof(buf[3]), seed, nonce3);
+    uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
+    memcpy(extkey[0], seed, KYBER_SYMBYTES);
+    memcpy(extkey[1], seed, KYBER_SYMBYTES);
+    memcpy(extkey[2], seed, KYBER_SYMBYTES);
+    memcpy(extkey[3], seed, KYBER_SYMBYTES);
+    extkey[0][KYBER_SYMBYTES] = nonce0;
+    extkey[1][KYBER_SYMBYTES] = nonce1;
+    extkey[2][KYBER_SYMBYTES] = nonce2;
+    extkey[3][KYBER_SYMBYTES] = nonce3;
+    shake256x4(buf[0], buf[1], buf[2], buf[3], KYBER_ETA2 * KYBER_N / 4,
+               extkey[0], extkey[1], extkey[2], extkey[3], KYBER_SYMBYTES + 1);
     poly_cbd_eta2(r0, buf[0]);
     poly_cbd_eta2(r1, buf[1]);
     poly_cbd_eta2(r2, buf[2]);
@@ -477,10 +492,26 @@ void poly_getnoise_eta1122_4x(poly *r0,
 {
     uint8_t buf1[KECCAK_WAY/2][KYBER_ETA1 * KYBER_N / 4];
     uint8_t buf2[KECCAK_WAY/2][KYBER_ETA2 * KYBER_N / 4];
-    prf(buf1[0], sizeof(buf1[0]), seed, nonce0);
-    prf(buf1[1], sizeof(buf1[1]), seed, nonce1);
-    prf(buf2[0], sizeof(buf2[0]), seed, nonce2);
-    prf(buf2[1], sizeof(buf2[1]), seed, nonce3);
+    uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
+    memcpy(extkey[0], seed, KYBER_SYMBYTES);
+    memcpy(extkey[1], seed, KYBER_SYMBYTES);
+    memcpy(extkey[2], seed, KYBER_SYMBYTES);
+    memcpy(extkey[3], seed, KYBER_SYMBYTES);
+    extkey[0][KYBER_SYMBYTES] = nonce0;
+    extkey[1][KYBER_SYMBYTES] = nonce1;
+    extkey[2][KYBER_SYMBYTES] = nonce2;
+    extkey[3][KYBER_SYMBYTES] = nonce3;
+
+    #if KYBER_ETA1 == KYBER_ETA2
+    shake256x4(buf1[0], buf1[1], buf2[0], buf2[1], KYBER_ETA1 * KYBER_N / 4,
+               extkey[0], extkey[1], extkey[2], extkey[3], KYBER_SYMBYTES + 1);
+    #else
+    shake256(buf1[0], sizeof(buf1[0]), extkey[0], sizeof(extkey[0]));
+    shake256(buf1[1], sizeof(buf1[1]), extkey[1], sizeof(extkey[1]));
+    shake256(buf2[0], sizeof(buf2[0]), extkey[2], sizeof(extkey[2]));
+    shake256(buf2[1], sizeof(buf2[1]), extkey[3], sizeof(extkey[3]));
+    #endif
+
     poly_cbd_eta1(r0, buf1[0]);
     poly_cbd_eta1(r1, buf1[1]);
     poly_cbd_eta2(r2, buf2[0]);

mlkem/symmetric-shake.c

@@ -52,7 +52,7 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 }
 
 /*************************************************
-* Name:        kyber_shake256_prf
+* Name:        kyber_shake256_rkprf
 *
 * Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
 *              and then generates outlen bytes of SHAKE256 output