Change CRHBYTES to 64 and use SHAKE-256 for s1 and s2

Author: gregorseiler

SHA256SUMS

@@ -1,6 +1,6 @@
-e0dc8c8ace688e43a25fca7fe095030023315a3531c7b526ed80be2338f2245f  tvecs2
-691b9541f65fd2dfacad28c360ebd2091cea7eecb7533ffd807a4037eb21772a  tvecs2aes
-c73f18b1b06ef2cb6263c5e6a5b48fb180d187a0778d54a608d9662e19662012  tvecs3
-d5a912bd32570d907bc8b186449912259be0d0cf29cae60ff311954aa5ca06d5  tvecs3aes
-4801a29b7d5979422d1a0ad39e26bfb8b7af60ef46f494e2ed4db3d406cfa2ce  tvecs5
-23d83c4df50e8af9765b4a7323389a6baa75772e144ba4f5bafb5cea5da5c0bb  tvecs5aes
+5df7c85e4a59487314781403c0d75327cec95efd1761933c378256d18dc555ed  tvecs2
+8b1d8701df94514aaa9bb0bdf2e1da942d924cb21c9e4bc0590cd9e5c6166738  tvecs2aes
+eab054f82fdc543bdc4cc8dd95ccac1ecaa0fc1e263f07b7b828d51349c1a8f4  tvecs3
+920b6fe1ea8e974c7b531274ff23dd6202b2c78b040c99bf9f85d88a9bbbefbf  tvecs3aes
+1f9c89ed0a2ac925d660263335f2ef02ae471049d4d32b51d823c86d6257031f  tvecs5
+9db9a8a86204f8f4e8be5311029e3393efd00ccf21b4b02c2d1ff1faab6ea25f  tvecs5aes

avx2/poly.c

@@ -532,27 +532,27 @@ static unsigned int rej_eta(int32_t *a,
 *              or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length  SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
 void poly_uniform_eta_preinit(poly *a, stream128_state *state)
 {
   unsigned int ctr;
-  ALIGNED_UINT8(REJ_UNIFORM_BUFLEN*STREAM128_BLOCKBYTES) buf;
+  ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
 
-  stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
+  stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
   ctr = rej_eta_avx(a->coeffs, buf.coeffs);
 
   while(ctr < N) {
-    stream128_squeezeblocks(buf.coeffs, 1, state);
-    ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
+    stream256_squeezeblocks(buf.coeffs, 1, state);
+    ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES);
   }
 }
 
-void poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
+void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
 {
-  stream128_state state;
-  stream128_init(&state, seed, nonce);
+  stream256_state state;
+  stream256_init(&state, seed, nonce);
   poly_uniform_eta_preinit(a, &state);
 }
 
@@ -561,7 +561,7 @@ void poly_uniform_eta_4x(poly *a0,
                          poly *a1,
                          poly *a2,
                          poly *a3,
-                         const uint8_t seed[32],
+                         const uint8_t seed[64],
                          uint16_t nonce0,
                          uint16_t nonce1,
                          uint16_t nonce2,
@@ -573,36 +573,41 @@ void poly_uniform_eta_4x(poly *a0,
   __m256i f;
   keccakx4_state state;
 
-  f = _mm256_loadu_si256((__m256i *)seed);
-  _mm256_store_si256(buf[0].vec,f);
-  _mm256_store_si256(buf[1].vec,f);
-  _mm256_store_si256(buf[2].vec,f);
-  _mm256_store_si256(buf[3].vec,f);
-
-  buf[0].coeffs[SEEDBYTES+0] = nonce0;
-  buf[0].coeffs[SEEDBYTES+1] = nonce0 >> 8;
-  buf[1].coeffs[SEEDBYTES+0] = nonce1;
-  buf[1].coeffs[SEEDBYTES+1] = nonce1 >> 8;
-  buf[2].coeffs[SEEDBYTES+0] = nonce2;
-  buf[2].coeffs[SEEDBYTES+1] = nonce2 >> 8;
-  buf[3].coeffs[SEEDBYTES+0] = nonce3;
-  buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8;
-
-  shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
-  shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
+  f = _mm256_loadu_si256((__m256i *)&seed[0]);
+  _mm256_store_si256(&buf[0].vec[0],f);
+  _mm256_store_si256(&buf[1].vec[0],f);
+  _mm256_store_si256(&buf[2].vec[0],f);
+  _mm256_store_si256(&buf[3].vec[0],f);
+  f = _mm256_loadu_si256((__m256i *)&seed[32]);
+  _mm256_store_si256(&buf[0].vec[1],f);
+  _mm256_store_si256(&buf[1].vec[1],f);
+  _mm256_store_si256(&buf[2].vec[1],f);
+  _mm256_store_si256(&buf[3].vec[1],f);
+
+  buf[0].coeffs[64] = nonce0;
+  buf[0].coeffs[65] = nonce0 >> 8;
+  buf[1].coeffs[64] = nonce1;
+  buf[1].coeffs[65] = nonce1 >> 8;
+  buf[2].coeffs[64] = nonce2;
+  buf[2].coeffs[65] = nonce2 >> 8;
+  buf[3].coeffs[64] = nonce3;
+  buf[3].coeffs[65] = nonce3 >> 8;
+
+  shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
+  shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
 
   ctr0 = rej_eta_avx(a0->coeffs, buf[0].coeffs);
   ctr1 = rej_eta_avx(a1->coeffs, buf[1].coeffs);
   ctr2 = rej_eta_avx(a2->coeffs, buf[2].coeffs);
   ctr3 = rej_eta_avx(a3->coeffs, buf[3].coeffs);
 
   while(ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
-    shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
+    shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
 
-    ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE);
-    ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE);
-    ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
-    ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
+    ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE);
+    ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE);
+    ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
+    ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
   }
 }
 #endif
@@ -639,7 +644,7 @@ void poly_uniform_gamma1_4x(poly *a0,
                             poly *a1,
                             poly *a2,
                             poly *a3,
-                            const uint8_t seed[48],
+                            const uint8_t seed[64],
                             uint16_t nonce0,
                             uint16_t nonce1,
                             uint16_t nonce2,
@@ -648,29 +653,28 @@ void poly_uniform_gamma1_4x(poly *a0,
   ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4];
   keccakx4_state state;
   __m256i f;
-  __m128i g;
 
-  f = _mm256_loadu_si256((__m256i *)seed);
-  _mm256_store_si256(buf[0].vec,f);
-  _mm256_store_si256(buf[1].vec,f);
-  _mm256_store_si256(buf[2].vec,f);
-  _mm256_store_si256(buf[3].vec,f);
-  g = _mm_loadu_si128((__m128i *)&seed[32]);
-  _mm_store_si128((__m128i *)&buf[0].vec[1],g);
-  _mm_store_si128((__m128i *)&buf[1].vec[1],g);
-  _mm_store_si128((__m128i *)&buf[2].vec[1],g);
-  _mm_store_si128((__m128i *)&buf[3].vec[1],g);
-
-  buf[0].coeffs[CRHBYTES + 0] = nonce0;
-  buf[0].coeffs[CRHBYTES + 1] = nonce0 >> 8;
-  buf[1].coeffs[CRHBYTES + 0] = nonce1;
-  buf[1].coeffs[CRHBYTES + 1] = nonce1 >> 8;
-  buf[2].coeffs[CRHBYTES + 0] = nonce2;
-  buf[2].coeffs[CRHBYTES + 1] = nonce2 >> 8;
-  buf[3].coeffs[CRHBYTES + 0] = nonce3;
-  buf[3].coeffs[CRHBYTES + 1] = nonce3 >> 8;
-
-  shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, CRHBYTES + 2);
+  f = _mm256_loadu_si256((__m256i *)&seed[0]);
+  _mm256_store_si256(&buf[0].vec[0],f);
+  _mm256_store_si256(&buf[1].vec[0],f);
+  _mm256_store_si256(&buf[2].vec[0],f);
+  _mm256_store_si256(&buf[3].vec[0],f);
+  f = _mm256_loadu_si256((__m256i *)&seed[32]);
+  _mm256_store_si256(&buf[0].vec[1],f);
+  _mm256_store_si256(&buf[1].vec[1],f);
+  _mm256_store_si256(&buf[2].vec[1],f);
+  _mm256_store_si256(&buf[3].vec[1],f);
+
+  buf[0].coeffs[64] = nonce0;
+  buf[0].coeffs[65] = nonce0 >> 8;
+  buf[1].coeffs[64] = nonce1;
+  buf[1].coeffs[65] = nonce1 >> 8;
+  buf[2].coeffs[64] = nonce2;
+  buf[2].coeffs[65] = nonce2 >> 8;
+  buf[3].coeffs[64] = nonce3;
+  buf[3].coeffs[65] = nonce3 >> 8;
+
+  shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
   shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
 
   polyz_unpack(a0, buf[0].coeffs);

avx2/poly.h

@@ -49,7 +49,7 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
 #define poly_uniform_eta_preinit DILITHIUM_NAMESPACE(poly_uniform_eta_preinit)
 void poly_uniform_eta_preinit(poly *a, stream128_state *state);
 #define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
 #define poly_uniform_gamma1_preinit DILITHIUM_NAMESPACE(poly_uniform_gamma1_preinit)
 void poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
 #define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
@@ -73,7 +73,7 @@ void poly_uniform_eta_4x(poly *a0,
                          poly *a1,
                          poly *a2,
                          poly *a3,
-                         const uint8_t seed[SEEDBYTES],
+                         const uint8_t seed[CRHBYTES],
                          uint16_t nonce0,
                          uint16_t nonce1,
                          uint16_t nonce2,

avx2/polyvec.c

@@ -265,14 +265,14 @@ void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], con
 /************ Vectors of polynomials of length L **************/
 /**************************************************************/
 
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
   unsigned int i;
 
   for(i = 0; i < L; ++i)
     poly_uniform_eta(&v->vec[i], seed, nonce++);
 }
 
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
   unsigned int i;
 
   for(i = 0; i < L; ++i)
@@ -388,7 +388,7 @@ int polyvecl_chknorm(const polyvecl *v, int32_t bound)  {
 /************ Vectors of polynomials of length K **************/
 /**************************************************************/
 
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
+void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
   unsigned int i;
 
   for(i = 0; i < K; ++i)

avx2/polyvec.h

@@ -11,10 +11,10 @@ typedef struct {
 } polyvecl;
 
 #define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 #define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 #define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
 void polyvecl_reduce(polyvecl *v);
@@ -46,7 +46,7 @@ typedef struct {
 } polyveck;
 
 #define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
+void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
 
 #define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
 void polyveck_reduce(polyveck *v);

avx2/rejsample.h

@@ -9,11 +9,11 @@
 #define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
 
 #if ETA == 2
-#define REJ_UNIFORM_ETA_NBLOCKS ((137+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
 #elif ETA == 4
-#define REJ_UNIFORM_ETA_NBLOCKS ((228+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_NBLOCKS ((227+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
 #endif
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES)
+#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES)
 
 #define idxlut DILITHIUM_NAMESPACE(idxlut)
 extern const uint8_t idxlut[256][8];

avx2/sign.c

@@ -70,7 +70,7 @@ static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], co
 **************************************************/
 int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
   unsigned int i;
-  uint8_t seedbuf[3*SEEDBYTES];
+  uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
   const uint8_t *rho, *rhoprime, *key;
 #ifdef DILITHIUM_USE_AES
   uint64_t nonce;
@@ -85,10 +85,10 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
   /* Get randomness for rho, rhoprime and key */
   randombytes(seedbuf, SEEDBYTES);
-  shake256(seedbuf, 3*SEEDBYTES, seedbuf, SEEDBYTES);
+  shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
   rho = seedbuf;
   rhoprime = seedbuf + SEEDBYTES;
-  key = seedbuf + 2*SEEDBYTES;
+  key = seedbuf + SEEDBYTES + CRHBYTES;
 
   /* Store rho, key */
   memcpy(pk, rho, SEEDBYTES);

ref/params.h

@@ -4,7 +4,7 @@
 #include "config.h"
 
 #define SEEDBYTES 32
-#define CRHBYTES 48
+#define CRHBYTES 64
 #define N 256
 #define Q 8380417
 #define D 13

ref/poly.c

@@ -442,31 +442,31 @@ static unsigned int rej_eta(int32_t *a,
 *              output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
 *
 * Arguments:   - poly *a: pointer to output polynomial
-*              - const uint8_t seed[]: byte array with seed of length SEEDBYTES
+*              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
 #if ETA == 2
-#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
+#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
 #elif ETA == 4
-#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
+#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
 #endif
 void poly_uniform_eta(poly *a,
-                      const uint8_t seed[SEEDBYTES],
+                      const uint8_t seed[CRHBYTES],
                       uint16_t nonce)
 {
   unsigned int ctr;
-  unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES;
-  uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES];
-  stream128_state state;
+  unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES;
+  uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES];
+  stream256_state state;
 
-  stream128_init(&state, seed, nonce);
-  stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
+  stream256_init(&state, seed, nonce);
+  stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
 
   ctr = rej_eta(a->coeffs, N, buf, buflen);
 
   while(ctr < N) {
-    stream128_squeezeblocks(buf, 1, &state);
-    ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES);
+    stream256_squeezeblocks(buf, 1, &state);
+    ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
   }
 }
 

ref/poly.h

@@ -46,7 +46,7 @@ void poly_uniform(poly *a,
                   uint16_t nonce);
 #define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
 void poly_uniform_eta(poly *a,
-                      const uint8_t seed[SEEDBYTES],
+                      const uint8_t seed[CRHBYTES],
                       uint16_t nonce);
 #define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
 void poly_uniform_gamma1(poly *a,