
Commit 982c762

bhessdstebila
authored andcommitted
Pull Kyber/ML-KEM CT-Fix from upstream
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
1 parent 755c023 commit 982c762


29 files changed

+166
-25
lines changed


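--- a/docs/algorithms/kem/kyber.md
+++ b/docs/algorithms/kem/kyber.md
@@ -7,9 +7,9 @@
 - **Authors' website**: https://pq-crystals.org/
 - **Specification version**: NIST Round 3 submission.
 - **Primary Source**<a name="primary-source"></a>:
-- **Source**: https://github.com/pq-crystals/kyber/commit/b628ba78711bc28327dc7d2d5c074a00f061884e with copy_from_upstream patches
+- **Source**: https://github.com/pq-crystals/kyber/commit/441c0519a07e8b86c8d079954a6b10bd31d29efc with copy_from_upstream patches
 - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
-- **Optimized Implementation sources**: https://github.com/pq-crystals/kyber/commit/b628ba78711bc28327dc7d2d5c074a00f061884e with copy_from_upstream patches
+- **Optimized Implementation sources**: https://github.com/pq-crystals/kyber/commit/441c0519a07e8b86c8d079954a6b10bd31d29efc with copy_from_upstream patches
 - **oldpqclean-aarch64**:<a name="oldpqclean-aarch64"></a>
 - **Source**: https://github.com/PQClean/PQClean/commit/8e220a87308154d48fdfac40abbb191ac7fce06a with copy_from_upstream patches
 - **Implementation license (SPDX-Identifier)**: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT) and MIT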

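--- a/docs/algorithms/kem/kyber.yml
+++ b/docs/algorithms/kem/kyber.yml
@@ -17,7 +17,7 @@ website: https://pq-crystals.org/
 nist-round: 3
 spec-version: NIST Round 3 submission
 primary-upstream:
-source: https://github.com/pq-crystals/kyber/commit/b628ba78711bc28327dc7d2d5c074a00f061884e
+source: https://github.com/pq-crystals/kyber/commit/441c0519a07e8b86c8d079954a6b10bd31d29efc
 with copy_from_upstream patches
 spdx-license-identifier: CC0-1.0 or Apache-2.0
 optimized-upstreams: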

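--- a/docs/algorithms/kem/ml_kem.md
+++ b/docs/algorithms/kem/ml_kem.md
@@ -7,7 +7,7 @@
 - **Authors' website**: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203/ipd
 - **Specification version**: ML-KEM-ipd.
 - **Primary Source**<a name="primary-source"></a>:
-- **Source**: https://github.com/pq-crystals/kyber/commit/11d00ff1f20cfca1f72d819e5a45165c1e0a2816 with copy_from_upstream patches
+- **Source**: https://github.com/pq-crystals/kyber/commit/d1321ce5ac0b53f583eb47a040dc3625ee8e7e37 with copy_from_upstream patches
 - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
 
 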
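--- a/docs/algorithms/kem/ml_kem.yml
+++ b/docs/algorithms/kem/ml_kem.yml
@@ -17,7 +17,7 @@ website: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203/
 nist-round: ipd
 spec-version: ML-KEM-ipd
 primary-upstream:
-source: https://github.com/pq-crystals/kyber/commit/11d00ff1f20cfca1f72d819e5a45165c1e0a2816
+source: https://github.com/pq-crystals/kyber/commit/d1321ce5ac0b53f583eb47a040dc3625ee8e7e37
 with copy_from_upstream patches
 spdx-license-identifier: CC0-1.0 or Apache-2.0
 parameter-sets: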

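--- a/scripts/copy_from_upstream/copy_from_upstream.yml
+++ b/scripts/copy_from_upstream/copy_from_upstream.yml
@@ -25,15 +25,15 @@ upstreams:
 name: pqcrystals-kyber
 git_url: https://github.com/pq-crystals/kyber.git
 git_branch: master
-git_commit: b628ba78711bc28327dc7d2d5c074a00f061884e
+git_commit: 441c0519a07e8b86c8d079954a6b10bd31d29efc
 kem_meta_path: '{pretty_name_full}_META.yml'
 kem_scheme_path: '.'
 patches: [pqcrystals-kyber-yml.patch, pqcrystals-kyber-ref-shake-aes.patch, pqcrystals-kyber-avx2-shake-aes.patch]
 -
 name: pqcrystals-kyber-standard
 git_url: https://github.com/pq-crystals/kyber.git
 git_branch: standard
-git_commit: 11d00ff1f20cfca1f72d819e5a45165c1e0a2816
+git_commit: d1321ce5ac0b53f583eb47a040dc3625ee8e7e37
 kem_meta_path: '{pretty_name_full}_META.yml'
 kem_scheme_path: '.'
 patches: [pqcrystals-ml_kem_ipd.patch]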

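--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/verify.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif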
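Review bot: This header gains a prototype for cmov_int16, yet no avx2 verify.c appears among the changed files on this page (the 29 files look to be the five metadata files plus, per parameter set, this header and the ref poly.c/verify.c/verify.h), so in the avx2 tree the declaration seems to have no definition behind it. If the avx2 sources never call it this is merely a dead declaration; if something does, it would surface as a link error, so either drop the prototype here or confirm that the avx2 verify.c defines it. A comment such as `/* only defined and used by the ref implementation's poly_frommsg */` would record which of the two is intended.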

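--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/poly.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/poly.c
@@ -5,6 +5,7 @@
 #include "reduce.h"
 #include "cbd.h"
 #include "symmetric.h"
+#include "verify.h"
 
 /*************************************************
 * Name: poly_compress
@@ -166,16 +167,15 @@ void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES])
 void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES])
 {
 unsigned int i,j;
-int16_t mask;
 
 #if (KYBER_INDCPA_MSGBYTES != KYBER_N/8)
 #error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!"
 #endif
 
 for(i=0;i<KYBER_N/8;i++) {
 for(j=0;j<8;j++) {
-mask = -(int16_t)((msg[i] >> j)&1);
-r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2);
+r->coeffs[8*i+j] = 0;
+cmov_int16(r->coeffs+8*i+j, ((KYBER_Q+1)/2), (msg[i] >> j)&1);
 }
 }
 }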
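Review bot: The constant-time behaviour of the new `cmov_int16(...)` call in poly_frommsg looks like it rests on the callee being opaque at this call site: cmov_int16 is defined in verify.c with the same negate-and-mask arithmetic that the removed `mask & ((KYBER_Q+1)/2)` lines used, so if the commit's "CT-Fix" was about a compiler rewriting that mask into a branch on the message bit, link-time optimisation or inlining could presumably reintroduce it. Nothing in the hunk records this, and a later reader could well fold the call back into the loop; I would add above the loop: `/* Deliberately out of line (verify.c): the inline mask was compiled into a secret-dependent branch. Keep it uninlined (mind LTO) and check the generated code. */`. It is also worth noting next to the call that the third argument must be exactly 0 or 1, which cmov_int16 requires but does not check. poly_frommsg is fully visible here; whether verify.c is built as a separate translation unit is not.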

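--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.c
@@ -55,3 +55,20 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
 for(i=0;i<len;i++)
 r[i] ^= b & (r[i] ^ x[i]);
 }
+
+/*************************************************
+* Name: cmov_int16
+*
+* Description: Copy input v to *r if b is 1, don't modify *r if b is 0.
+* Requires b to be in {0,1};
+* Runs in constant time.
+*
+* Arguments: int16_t *r: pointer to output int16_t
+* int16_t v: input int16_t
+* uint8_t b: Condition bit; has to be in {0,1}
+**************************************************/
+void cmov_int16(int16_t *r, int16_t v, uint16_t b)
+{
+b = -b;
+*r ^= b & ((*r) ^ v);
+}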
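Review bot: The argument list in the new header comment says `uint8_t b: Condition bit`, but the definition takes `uint16_t b`; the line should read `* uint16_t b: Condition bit; has to be in {0,1}`. Because the function is branch-free, the `{0,1}` requirement is not validated, and any other value makes `b = -b` a partial mask that silently mixes bits of *r and v instead of selecting one of them, which is worth spelling out as a consequence rather than just a precondition. The negation and the XOR are carried out in int after integer promotion and narrowed back to int16_t on assignment, which is implementation-defined for out-of-range values and correct on two's-complement targets; a one-line comment acknowledging that would save the next auditor a detour.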

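--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif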

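--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/verify.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif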

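--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/poly.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/poly.c
@@ -5,6 +5,7 @@
 #include "reduce.h"
 #include "cbd.h"
 #include "symmetric.h"
+#include "verify.h"
 
 /*************************************************
 * Name: poly_compress
@@ -166,16 +167,15 @@ void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES])
 void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES])
 {
 unsigned int i,j;
-int16_t mask;
 
 #if (KYBER_INDCPA_MSGBYTES != KYBER_N/8)
 #error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!"
 #endif
 
 for(i=0;i<KYBER_N/8;i++) {
 for(j=0;j<8;j++) {
-mask = -(int16_t)((msg[i] >> j)&1);
-r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2);
+r->coeffs[8*i+j] = 0;
+cmov_int16(r->coeffs+8*i+j, ((KYBER_Q+1)/2), (msg[i] >> j)&1);
 }
 }
 }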
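Review bot: The constant-time property of the new `cmov_int16(...)` call in poly_frommsg appears to depend on the compiler not seeing the callee's body at this call site: cmov_int16 (defined in verify.c in this same commit) computes the very same negate-and-mask that the removed `mask & ((KYBER_Q+1)/2)` lines did, so if the "CT-Fix" in the title addresses a compiler turning that mask into a branch on the message bit, inlining or LTO could presumably bring the branch back. The hunk carries no comment saying so, and the call is an obvious candidate for someone to "simplify" later; I would add above the loop: `/* Kept out of line on purpose: an inline mask here was compiled to a secret-dependent branch. Do not inline (watch LTO); verify the generated code. */`. The third argument must also be exactly 0 or 1, which cmov_int16 documents as a requirement but cannot check; a short note at the call site would make that visible. poly_frommsg is complete in the hunk, but whether verify.c stays a separate translation unit in every build configuration is not visible here.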

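--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.c
@@ -55,3 +55,20 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
 for(i=0;i<len;i++)
 r[i] ^= b & (r[i] ^ x[i]);
 }
+
+/*************************************************
+* Name: cmov_int16
+*
+* Description: Copy input v to *r if b is 1, don't modify *r if b is 0.
+* Requires b to be in {0,1};
+* Runs in constant time.
+*
+* Arguments: int16_t *r: pointer to output int16_t
+* int16_t v: input int16_t
+* uint8_t b: Condition bit; has to be in {0,1}
+**************************************************/
+void cmov_int16(int16_t *r, int16_t v, uint16_t b)
+{
+b = -b;
+*r ^= b & ((*r) ^ v);
+}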
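Review bot: The new header comment documents the condition as `uint8_t b: Condition bit`, while the definition declares `uint16_t b`; the comment line should be `* uint16_t b: Condition bit; has to be in {0,1}`. The `{0,1}` precondition is necessarily unchecked (checking it would need a branch), so a caller passing 2 or more gets a partial mask from `b = -b` and *r ends up as a bitwise blend of *r and v rather than either value; the comment should state that consequence. The arithmetic runs in int after promotion and is narrowed to int16_t by the `*r ^=` assignment, an implementation-defined conversion that yields the intended result on two's-complement targets, which merits a one-line acknowledgement next to it.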

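--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif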

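--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/verify.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif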

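--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/poly.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/poly.c
@@ -5,6 +5,7 @@
 #include "reduce.h"
 #include "cbd.h"
 #include "symmetric.h"
+#include "verify.h"
 
 /*************************************************
 * Name: poly_compress
@@ -166,16 +167,15 @@ void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES])
 void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES])
 {
 unsigned int i,j;
-int16_t mask;
 
 #if (KYBER_INDCPA_MSGBYTES != KYBER_N/8)
 #error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!"
 #endif
 
 for(i=0;i<KYBER_N/8;i++) {
 for(j=0;j<8;j++) {
-mask = -(int16_t)((msg[i] >> j)&1);
-r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2);
+r->coeffs[8*i+j] = 0;
+cmov_int16(r->coeffs+8*i+j, ((KYBER_Q+1)/2), (msg[i] >> j)&1);
 }
 }
 }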
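Review bot: The new `cmov_int16(...)` call in poly_frommsg seems to get its constant-time guarantee only from the callee being out of line: the body of cmov_int16 in verify.c is the same negate-and-mask the removed `mask & ((KYBER_Q+1)/2)` lines computed, so if the "CT-Fix" targets a compiler that turned that mask into a branch on the message bit, inlining or LTO could presumably reproduce the branch. Since the hunk gives no hint of this, I would add above the loop: `/* Out of line on purpose: the inline mask was compiled into a secret-dependent branch. Do not inline (mind LTO); inspect the generated code. */`, and a note at the call that the third argument must be exactly 0 or 1, which cmov_int16 requires but does not check. poly_frommsg is fully visible in the hunk; whether verify.c remains a separate translation unit under every build configuration is not.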

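--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.c
@@ -55,3 +55,20 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
 for(i=0;i<len;i++)
 r[i] ^= b & (r[i] ^ x[i]);
 }
+
+/*************************************************
+* Name: cmov_int16
+*
+* Description: Copy input v to *r if b is 1, don't modify *r if b is 0.
+* Requires b to be in {0,1};
+* Runs in constant time.
+*
+* Arguments: int16_t *r: pointer to output int16_t
+* int16_t v: input int16_t
+* uint8_t b: Condition bit; has to be in {0,1}
+**************************************************/
+void cmov_int16(int16_t *r, int16_t v, uint16_t b)
+{
+b = -b;
+*r ^= b & ((*r) ^ v);
+}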
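Review bot: The header comment's argument list names the condition `uint8_t b`, but the parameter in the definition is `uint16_t b`; change the comment line to `* uint16_t b: Condition bit; has to be in {0,1}`. The function cannot validate the `{0,1}` requirement without a branch, so any other value turns `b = -b` into a partial mask and *r becomes a bitwise mixture of *r and v, a failure mode the comment should mention rather than leave implied. The negation and XOR happen in int after promotion and are narrowed back to int16_t on assignment, which is implementation-defined for out-of-range values and correct on two's-complement machines; a brief comment saying so would forestall the question on the next audit.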

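--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif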

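--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024-ipd_avx2/verify.h
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024-ipd_avx2/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif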
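Review bot: The prototype for cmov_int16 is added to this avx2 header, but no avx2 verify.c is among the changed files shown (the diffstat's 29 files appear to be the five metadata files plus, per parameter set, this header and the ref poly.c/verify.c/verify.h), so the avx2 tree seems to declare a function it does not define. That is harmless if nothing in the avx2 sources calls it and a link error if something does; either remove the declaration here or confirm the avx2 verify.c provides a definition. A comment like `/* defined only in the ref implementation; avx2 poly_frommsg does not use it */` would settle which is intended.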

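--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024-ipd_ref/poly.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024-ipd_ref/poly.c
@@ -5,6 +5,7 @@
 #include "reduce.h"
 #include "cbd.h"
 #include "symmetric.h"
+#include "verify.h"
 
 /*************************************************
 * Name: poly_compress
@@ -167,16 +168,15 @@ void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES])
 void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES])
 {
 unsigned int i,j;
-int16_t mask;
 
 #if (KYBER_INDCPA_MSGBYTES != KYBER_N/8)
 #error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!"
 #endif
 
 for(i=0;i<KYBER_N/8;i++) {
 for(j=0;j<8;j++) {
-mask = -(int16_t)((msg[i] >> j)&1);
-r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2);
+r->coeffs[8*i+j] = 0;
+cmov_int16(r->coeffs+8*i+j, ((KYBER_Q+1)/2), (msg[i] >> j)&1);
 }
 }
 }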
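Review bot: The constant-time behaviour of the new `cmov_int16(...)` call in poly_frommsg looks like it depends on the compiler not seeing cmov_int16's body here: that body, added to verify.c in this commit, is the same negate-and-mask the removed `mask & ((KYBER_Q+1)/2)` lines performed, so if the "CT-Fix" addresses a compiler that rewrote the mask into a branch on the message bit, inlining or LTO could presumably undo the fix. The hunk leaves no trace of that reasoning, so I would add above the loop: `/* Deliberately out of line (verify.c): the inline mask was compiled to a secret-dependent branch. Keep it uninlined (mind LTO) and check the generated code. */`. The third argument must also be exactly 0 or 1, which cmov_int16 requires but cannot check, and that deserves a note at the call. poly_frommsg is complete in the hunk; whether verify.c is compiled as a separate translation unit in all configurations is not visible.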

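--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024-ipd_ref/verify.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024-ipd_ref/verify.c
@@ -45,3 +45,21 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
 for(i=0;i<len;i++)
 r[i] ^= b & (r[i] ^ x[i]);
 }
+
+
+/*************************************************
+* Name: cmov_int16
+*
+* Description: Copy input v to *r if b is 1, don't modify *r if b is 0.
+* Requires b to be in {0,1};
+* Runs in constant time.
+*
+* Arguments: int16_t *r: pointer to output int16_t
+* int16_t v: input int16_t
+* uint8_t b: Condition bit; has to be in {0,1}
+**************************************************/
+void cmov_int16(int16_t *r, int16_t v, uint16_t b)
+{
+b = -b;
+*r ^= b & ((*r) ^ v);
+}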

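--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024-ipd_ref/verify.h
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024-ipd_ref/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif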

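--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512-ipd_avx2/verify.h
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512-ipd_avx2/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif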

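--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512-ipd_ref/poly.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512-ipd_ref/poly.c
@@ -5,6 +5,7 @@
 #include "reduce.h"
 #include "cbd.h"
 #include "symmetric.h"
+#include "verify.h"
 
 /*************************************************
 * Name: poly_compress
@@ -167,16 +168,15 @@ void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES])
 void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES])
 {
 unsigned int i,j;
-int16_t mask;
 
 #if (KYBER_INDCPA_MSGBYTES != KYBER_N/8)
 #error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!"
 #endif
 
 for(i=0;i<KYBER_N/8;i++) {
 for(j=0;j<8;j++) {
-mask = -(int16_t)((msg[i] >> j)&1);
-r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2);
+r->coeffs[8*i+j] = 0;
+cmov_int16(r->coeffs+8*i+j, ((KYBER_Q+1)/2), (msg[i] >> j)&1);
 }
 }
 }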

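--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512-ipd_ref/verify.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512-ipd_ref/verify.c
@@ -45,3 +45,21 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
 for(i=0;i<len;i++)
 r[i] ^= b & (r[i] ^ x[i]);
 }
+
+
+/*************************************************
+* Name: cmov_int16
+*
+* Description: Copy input v to *r if b is 1, don't modify *r if b is 0.
+* Requires b to be in {0,1};
+* Runs in constant time.
+*
+* Arguments: int16_t *r: pointer to output int16_t
+* int16_t v: input int16_t
+* uint8_t b: Condition bit; has to be in {0,1}
+**************************************************/
+void cmov_int16(int16_t *r, int16_t v, uint16_t b)
+{
+b = -b;
+*r ^= b & ((*r) ^ v);
+}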
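Review bot: The header comment's argument list says `uint8_t b: Condition bit`, whereas the definition takes `uint16_t b`; change the comment line to `* uint16_t b: Condition bit; has to be in {0,1}`. The `{0,1}` precondition cannot be checked without a branch, so passing any other value makes `b = -b` a partial mask and leaves *r as a bitwise mixture of *r and v; that consequence belongs in the comment. The negation and XOR are evaluated in int after promotion and narrowed to int16_t by the `*r ^=` assignment, an implementation-defined conversion that gives the intended result on two's-complement targets and merits a one-line acknowledgement.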

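--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512-ipd_ref/verify.h
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512-ipd_ref/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif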

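--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768-ipd_avx2/verify.h
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768-ipd_avx2/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif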
