diff --git a/fips202/fips202x4.c b/fips202/fips202x4.c
index f9e2c9e4a..0d5c702e0 100644
--- a/fips202/fips202x4.c
+++ b/fips202/fips202x4.c
@@ -176,10 +176,10 @@ int shake256x4_squeezeblocks(uint8_t *out0,
 return 0;
 }
-int shake256x1_squeezeblocks(uint8_t *out,
- size_t nblocks,
- size_t index,
- keccakx4_state *state)
+int shake256x4_squeezeblocks_single(uint8_t *out,
+ size_t nblocks,
+ size_t index,
+ keccakx4_state *state)
 {
 if (out == NULL)
 {
diff --git a/fips202/fips202x4.h b/fips202/fips202x4.h
index 07bcbe2de..afa41fe1f 100644
--- a/fips202/fips202x4.h
+++ b/fips202/fips202x4.h
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
-#ifndef FIPS_202X_H
-#define FIPS_202X_H
+#ifndef FIPS_202X4_H
+#define FIPS_202X4_H
 #ifndef KECCAK_WAY
 #define KECCAK_WAY 4
@@ -47,10 +47,10 @@ int shake256x4_squeezeblocks(uint8_t *out0,
 /*
 * Squeezes a single lane in Keccak 4-way
 */
-int shake256x1_squeezeblocks(uint8_t *out,
- size_t nblocks,
- size_t index,
- keccakx4_state *state);
+int shake256x4_squeezeblocks_single(uint8_t *out,
+ size_t nblocks,
+ size_t index,
+ keccakx4_state *state);
 int shake256x4(uint8_t *out0,
 uint8_t *out1,
diff --git a/mlkem/indcpa.c b/mlkem/indcpa.c
index 8c7236245..eab4b66f2 100644
--- a/mlkem/indcpa.c
+++ b/mlkem/indcpa.c
@@ -214,7 +214,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
 while (ctr < KYBER_N )
 {
- shake256x1_squeezeblocks(buf, 1, j, &statex);
+ shake256x4_squeezeblocks_single(buf, 1, j, &statex);
 buflen = XOF_BLOCKBYTES;
 ctr += rej_uniform(vec + ctr, KYBER_N - ctr, buf, buflen);
 }
diff --git a/mlkem/poly.c b/mlkem/poly.c
index a12a4b8d7..2444a17cd 100644
--- a/mlkem/poly.c
+++ b/mlkem/poly.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
 #include
+#include
 #include "cbmc.h"
 #include "params.h"
 #include "poly.h"
@@ -390,11 +391,18 @@ void poly_getnoise_eta1_4x(poly *r0,
 uint8_t nonce2,
 uint8_t nonce3)
 {
- uint8_t buf[KECCAK_WAY][KYBER_ETA1 *KYBER_N / 4];
- prf(buf[0], sizeof(buf[0]), seed, nonce0);
- prf(buf[1], sizeof(buf[1]), seed, nonce1);
- prf(buf[2], sizeof(buf[2]), seed, nonce2);
- prf(buf[3], sizeof(buf[3]), seed, nonce3);
+ uint8_t buf[KECCAK_WAY][KYBER_ETA1 * KYBER_N / 4];
+ uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
+ memcpy(extkey[0], seed, KYBER_SYMBYTES);
+ memcpy(extkey[1], seed, KYBER_SYMBYTES);
+ memcpy(extkey[2], seed, KYBER_SYMBYTES);
+ memcpy(extkey[3], seed, KYBER_SYMBYTES);
+ extkey[0][KYBER_SYMBYTES] = nonce0;
+ extkey[1][KYBER_SYMBYTES] = nonce1;
+ extkey[2][KYBER_SYMBYTES] = nonce2;
+ extkey[3][KYBER_SYMBYTES] = nonce3;
+ shake256x4(buf[0], buf[1], buf[2], buf[3], KYBER_ETA1 * KYBER_N / 4,
+ extkey[0], extkey[1], extkey[2], extkey[3], KYBER_SYMBYTES + 1);
 poly_cbd_eta1(r0, buf[0]);
 poly_cbd_eta1(r1, buf[1]);
 poly_cbd_eta1(r2, buf[2]);
@@ -443,10 +451,17 @@ void poly_getnoise_eta2_4x(poly *r0,
 uint8_t nonce3)
 {
 uint8_t buf[KECCAK_WAY][KYBER_ETA2 * KYBER_N / 4];
- prf(buf[0], sizeof(buf[0]), seed, nonce0);
- prf(buf[1], sizeof(buf[1]), seed, nonce1);
- prf(buf[2], sizeof(buf[2]), seed, nonce2);
- prf(buf[3], sizeof(buf[3]), seed, nonce3);
+ uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
+ memcpy(extkey[0], seed, KYBER_SYMBYTES);
+ memcpy(extkey[1], seed, KYBER_SYMBYTES);
+ memcpy(extkey[2], seed, KYBER_SYMBYTES);
+ memcpy(extkey[3], seed, KYBER_SYMBYTES);
+ extkey[0][KYBER_SYMBYTES] = nonce0;
+ extkey[1][KYBER_SYMBYTES] = nonce1;
+ extkey[2][KYBER_SYMBYTES] = nonce2;
+ extkey[3][KYBER_SYMBYTES] = nonce3;
+ shake256x4(buf[0], buf[1], buf[2], buf[3], KYBER_ETA2 * KYBER_N / 4,
+ extkey[0], extkey[1], extkey[2], extkey[3], KYBER_SYMBYTES + 1);
 poly_cbd_eta2(r0, buf[0]);
 poly_cbd_eta2(r1, buf[1]);
 poly_cbd_eta2(r2, buf[2]);
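Review bot: The eight lines that build `extkey` (four memcpy of the seed, four nonce stores) are pasted verbatim into poly_getnoise_eta1_4x, poly_getnoise_eta2_4x and poly_getnoise_eta1122_4x (the @@ -477 hunk), each hard-coding lanes 0..3 while sizing the array with KECCAK_WAY, which fips202x4.h lets a build override (`#ifndef KECCAK_WAY`); a small static helper per lane plus a `_Static_assert(KECCAK_WAY == 4, "lane indices below assume 4-way Keccak");` would keep the three sites identical and turn a mismatch into a compile error instead of an out-of-bounds write (assuming the project builds as C11). The lengths passed to shake256x4 repeat the array bounds (`KYBER_ETA1 * KYBER_N / 4`, `KYBER_SYMBYTES + 1`) where the removed prf calls used `sizeof(buf[0])`; `sizeof(buf[0])` and `sizeof(extkey[0])` keep them tied to the declarations, as the #else branch of the @@ -477 hunk already does. The seed is now copied into four stack buffers that are not cleared before return; whether the replaced prf wiped its own concatenation buffer is not visible here, so if the project zeroizes key-dependent stack data elsewhere these should follow. Both functions' signatures and closing braces lie outside their hunks.
```c
/* Build key || nonce for one SHAKE256 lane; shared by the getnoise_*_4x variants. */
static void prf_extkey(uint8_t ext[KYBER_SYMBYTES + 1],
                       const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce)
{
  memcpy(ext, seed, KYBER_SYMBYTES);
  ext[KYBER_SYMBYTES] = nonce;
}

/* … unchanged: signature of poly_getnoise_eta1_4x … */
{
  uint8_t buf[KECCAK_WAY][KYBER_ETA1 * KYBER_N / 4];
  uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
  prf_extkey(extkey[0], seed, nonce0);
  prf_extkey(extkey[1], seed, nonce1);
  prf_extkey(extkey[2], seed, nonce2);
  prf_extkey(extkey[3], seed, nonce3);
  shake256x4(buf[0], buf[1], buf[2], buf[3], sizeof(buf[0]),
             extkey[0], extkey[1], extkey[2], extkey[3], sizeof(extkey[0]));
  /* … unchanged: poly_cbd_eta1 calls … */
```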
@@ -477,10 +492,26 @@ void poly_getnoise_eta1122_4x(poly *r0,
 {
 uint8_t buf1[KECCAK_WAY/2][KYBER_ETA1 * KYBER_N / 4];
 uint8_t buf2[KECCAK_WAY/2][KYBER_ETA2 * KYBER_N / 4];
- prf(buf1[0], sizeof(buf1[0]), seed, nonce0);
- prf(buf1[1], sizeof(buf1[1]), seed, nonce1);
- prf(buf2[0], sizeof(buf2[0]), seed, nonce2);
- prf(buf2[1], sizeof(buf2[1]), seed, nonce3);
+ uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
+ memcpy(extkey[0], seed, KYBER_SYMBYTES);
+ memcpy(extkey[1], seed, KYBER_SYMBYTES);
+ memcpy(extkey[2], seed, KYBER_SYMBYTES);
+ memcpy(extkey[3], seed, KYBER_SYMBYTES);
+ extkey[0][KYBER_SYMBYTES] = nonce0;
+ extkey[1][KYBER_SYMBYTES] = nonce1;
+ extkey[2][KYBER_SYMBYTES] = nonce2;
+ extkey[3][KYBER_SYMBYTES] = nonce3;
+
+ #if KYBER_ETA1 == KYBER_ETA2
+ shake256x4(buf1[0], buf1[1], buf2[0], buf2[1], KYBER_ETA1 * KYBER_N / 4,
+ extkey[0], extkey[1], extkey[2], extkey[3], KYBER_SYMBYTES + 1);
+ #else
+ shake256(buf1[0], sizeof(buf1[0]), extkey[0], sizeof(extkey[0]));
+ shake256(buf1[1], sizeof(buf1[1]), extkey[1], sizeof(extkey[1]));
+ shake256(buf2[0], sizeof(buf2[0]), extkey[2], sizeof(extkey[2]));
+ shake256(buf2[1], sizeof(buf2[1]), extkey[3], sizeof(extkey[3]));
+ #endif
+
 poly_cbd_eta1(r0, buf1[0]);
 poly_cbd_eta1(r1, buf1[1]);
 poly_cbd_eta2(r2, buf2[0]);
diff --git a/mlkem/symmetric-shake.c b/mlkem/symmetric-shake.c
index 33a80ecc3..722550656 100644
--- a/mlkem/symmetric-shake.c
+++ b/mlkem/symmetric-shake.c
@@ -52,7 +52,7 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 }
 /*************************************************
-* Name: kyber_shake256_prf
+* Name: kyber_shake256_rkprf
 *
 * Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
 * and then generates outlen bytes of SHAKE256 output
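Review bot: The `#if KYBER_ETA1 == KYBER_ETA2` path passes `KYBER_ETA1 * KYBER_N / 4` as the output length for all four lanes, including the two written into buf2, which is sized by KYBER_ETA2; that is correct only because the guard makes the two sizes equal, and nothing on the line says so, so a comment such as `/* ETA1 == ETA2 here, so one outlen covers both buf1 and buf2 */` would spare the next reader the check. The two branches also spell the same lengths differently (`KYBER_SYMBYTES + 1` in the 4-way call versus `sizeof(extkey[0])` in the fallback); `shake256x4(..., sizeof(buf1[0]), ..., sizeof(extkey[0]))` keeps them aligned and tied to the declarations. The `#if`/`#else`/`#endif` directives are indented with the code, unlike the column-0 directives visible in poly.c's include block; if the project's formatter expects column 0 these should move too. poly_getnoise_eta1122_4x's signature and closing brace lie outside the hunk.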