Switch to nibble-sliced representation.

Co-authored-by: Ward Beullens <[email protected]> Co-authored-by: Fabio Campos <[email protected]> Co-authored-by: Sofía Celi <[email protected]> Co-authored-by: Basil Hess <[email protected]> Co-authored-by: Matthias J. Kannwischer <[email protected]>
PQCMayo · Oct 17, 2023 · d81b689 · d81b689
1 parent 1593d89
commit d81b689
Show file tree

Hide file tree

Showing 50 changed files with 4,599 additions and 3,777 deletions.
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -26,12 +26,12 @@ jobs:
 
     - name: Install xsltproc
       run: sudo apt-get install -y xsltproc
-    
+
     - name: Install Valgrind
       run: |
-          sudo apt install valgrind
+          sudo apt-get update && sudo apt install valgrind
           echo "Valgrind installed"
-          
+
     - name: Install Valgrind dependencies
       run: |
         python -m pip install --upgrade pip
@@ -55,7 +55,7 @@ jobs:
       # Execute tests defined by the CMake configuration.
       # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail
       run: ctest -C ${{env.BUILD_TYPE}}
-    
+
     - name: Examples (opt/avx2)
       working-directory: ${{github.workspace}}/build/apps
       run: |
@@ -86,7 +86,7 @@ jobs:
           ./example_nistapi_mayo_3
           ./example_nistapi_mayo_5
       if: matrix.mayo_build_type == 'ref'
-  
+
     - name: CT-Tests
       run: |
           rm -rf build

diff --git a/KAT/PQCsignKAT_24_MAYO_1.rsp b/KAT/PQCsignKAT_24_MAYO_1.rsp
diff --git a/KAT/PQCsignKAT_24_MAYO_2.rsp b/KAT/PQCsignKAT_24_MAYO_2.rsp
diff --git a/KAT/PQCsignKAT_32_MAYO_3.rsp b/KAT/PQCsignKAT_32_MAYO_3.rsp
diff --git a/KAT/PQCsignKAT_40_MAYO_5.rsp b/KAT/PQCsignKAT_40_MAYO_5.rsp
diff --git a/apps/example.c b/apps/example.c
@@ -31,7 +31,7 @@ static int example_mayo(const mayo_params_t* p) {
     unsigned char *sk  = calloc(p->csk_bytes, 1);
 
     unsigned char *epk = calloc(p->epk_bytes, 1);
-    unsigned char *esk = calloc(p->esk_bytes, 1);
+    sk_t *esk = calloc(sizeof(sk_t), 1);
 
     unsigned char *sig = calloc(p->sig_bytes + msglen, 1);
 
@@ -92,7 +92,7 @@ static int example_mayo(const mayo_params_t* p) {
     }
 
     printf("mayo_verify (with correct signature) -> ");
-    res = mayo_verify(p, msg, msglen, sig, p->sig_bytes, pk);
+    res = mayo_verify(p, msg, msglen, sig, pk);
     if (res != MAYO_OK) {
         printf("FAIL\n");
         res = -1;
@@ -116,7 +116,7 @@ static int example_mayo(const mayo_params_t* p) {
     }
 
     printf("mayo_verify (with altered signature) -> ");
-    res = mayo_verify(p, msg, msglen, sig, p->sig_bytes, pk);
+    res = mayo_verify(p, msg, msglen, sig, pk);
     if (res == MAYO_OK) {
         printf("FAIL\n");
         res = -1;
@@ -130,7 +130,7 @@ static int example_mayo(const mayo_params_t* p) {
     free(pk);
     free(epk);
     mayo_secure_free(sk, p->csk_bytes);
-    mayo_secure_free(esk, p->esk_bytes);
+    mayo_secure_free(esk, sizeof(sk_t));
     free(sig);
     return res;
 }

diff --git a/include/mayo.h b/include/mayo.h
@@ -3,6 +3,8 @@
 #ifndef MAYO_H
 #define MAYO_H
 
+#include <stdint.h>
+
 #define F_TAIL_LEN 5
 #define F_TAIL_64                                                              \
   { 8, 0, 2, 8, 0 } // f(z) =  z^64         + x^3*z^3 + x*z^2         + x^3
@@ -124,6 +126,7 @@
 #define N_MAX 133
 #define M_MAX 128
 #define O_MAX 18
+#define V_MAX 121
 #define K_MAX 12
 #define Q_MAX 16
 #define PK_SEED_BYTES_MAX 16
@@ -157,6 +160,7 @@
 #define P1_BYTES_MAX PARAM_NAME(P1_bytes)
 #define P2_BYTES_MAX PARAM_NAME(P2_bytes)
 #define P3_BYTES_MAX PARAM_NAME(P3_bytes)
+#define SIG_BYTES_MAX PARAM_NAME(sig_bytes)
 #define CSK_BYTES_MAX PARAM_NAME(csk_bytes)
 #define ESK_BYTES_MAX PARAM_NAME(esk_bytes)
 #define CPK_BYTES_MAX PARAM_NAME(cpk_bytes)
@@ -200,6 +204,11 @@ typedef struct {
     const char *name;
 } mayo_params_t;
 
+typedef struct sk_t {
+    uint32_t p[P1_BYTES_MAX/4 + P2_BYTES_MAX/4];
+    uint8_t o[O_BYTES_MAX];
+} sk_t;
+
 /**
  * MAYO parameter sets
  */
@@ -308,7 +317,7 @@ int mayo_expand_pk(const mayo_params_t *p, const unsigned char *cpk,
  * @return int return code
  */
 int mayo_expand_sk(const mayo_params_t *p, const unsigned char *csk,
-                   unsigned char *esk);
+                   sk_t *esk);
 
 /**
  * Mayo verify signature.
@@ -320,12 +329,11 @@ int mayo_expand_sk(const mayo_params_t *p, const unsigned char *csk,
  * @param[out] m Message stored if verification succeeds
  * @param[out] mlen Pointer to the length of m
  * @param[in] sig Signature
- * @param[in] siglen Length of sig
  * @param[in] pk Compacted public key
  * @return int 0 if verification succeeded, 1 otherwise.
  */
 int mayo_verify(const mayo_params_t *p, const unsigned char *m,
                 unsigned long long mlen, const unsigned char *sig,
-                unsigned long long siglen, const unsigned char *pk);
+                const unsigned char *pk);
 
 #endif
diff --git a/src/AVX2/arithmetic_128.h b/src/AVX2/arithmetic_128.h
@@ -0,0 +1,80 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef ARITHMETIC_128_H
+#define ARITHMETIC_128_H
+
+#include <stdint.h>
+#include <mayo.h>
+#include <arithmetic_common.h>
+
+// This implements arithmetic for vectors of 128 field elements in Z_2[x]/(x^4+x+1)
+
+static
+inline void vec_copy_128(const uint64_t *in, uint64_t *out) {
+    out[0] = in[0];
+    out[1] = in[1];
+    out[2] = in[2];
+    out[3] = in[3];
+    out[4] = in[4];
+    out[5] = in[5];
+    out[6] = in[6];
+    out[7] = in[7];
+}
+
+
+static
+inline void vec_add_128(const uint64_t *in, uint64_t *acc) {
+    acc[0] ^= in[0];
+    acc[1] ^= in[1];
+    acc[2] ^= in[2];
+    acc[3] ^= in[3];
+    acc[4] ^= in[4];
+    acc[5] ^= in[5];
+    acc[6] ^= in[6];
+    acc[7] ^= in[7];
+}
+
+inline
+static void m_vec_mul_add_x_128(const uint64_t *in, uint64_t *acc) {
+    for(int i=0;i<8;i++){
+        acc[i] ^= gf16v_mul_u64(in[i], 0x2);
+    }
+}
+inline
+static void m_vec_mul_add_x_inv_128(const uint64_t *in, uint64_t *acc) {
+    for(int i=0;i<8;i++){
+        acc[i] ^= gf16v_mul_u64(in[i], 0x9);
+    }
+}
+
+static 
+inline void vec_mul_add_128(const uint64_t *in, unsigned char a, uint64_t *acc) {
+    for(int i=0; i < 8;i++){
+        acc[i] ^= gf16v_mul_u64(in[i], a);        
+    }
+}
+
+static 
+    inline void multiply_bins_128(uint32_t *bins_32, uint32_t *out_32) {
+
+    uint64_t *bins = (uint64_t *) bins_32;
+    uint64_t *out = (uint64_t *) out_32;
+
+    m_vec_mul_add_x_inv_128(bins +  5 * 8, bins +  10 * 8);
+    m_vec_mul_add_x_128(bins + 11 * 8, bins + 12 * 8);
+    m_vec_mul_add_x_inv_128(bins +  10 * 8, bins +  7 * 8);
+    m_vec_mul_add_x_128(bins + 12 * 8, bins +  6 * 8);
+    m_vec_mul_add_x_inv_128(bins +  7 * 8, bins +  14 * 8);
+    m_vec_mul_add_x_128(bins +  6 * 8, bins +  3 * 8);
+    m_vec_mul_add_x_inv_128(bins +  14 * 8, bins +  15 * 8);
+    m_vec_mul_add_x_128(bins +  3 * 8, bins +  8 * 8);
+    m_vec_mul_add_x_inv_128(bins +  15 * 8, bins +  13 * 8);
+    m_vec_mul_add_x_128(bins +  8 * 8, bins +  4 * 8);
+    m_vec_mul_add_x_inv_128(bins +  13 * 8, bins +  9 * 8);
+    m_vec_mul_add_x_128(bins +  4 * 8, bins +  2 * 8);
+    m_vec_mul_add_x_inv_128(bins +   9 * 8, bins +  1 * 8);
+    m_vec_mul_add_x_128(bins +  2 * 8, bins +  1 * 8);
+    vec_copy_128(bins + 8, out);
+}
+
+#endif
diff --git a/src/AVX2/arithmetic_64.h b/src/AVX2/arithmetic_64.h
@@ -0,0 +1,71 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef ARITHMETIC_64_H
+#define ARITHMETIC_64_H
+
+#include <stdint.h>
+#include <mayo.h>
+#include <arithmetic_common.h>
+
+// This implements arithmetic for vectors of 64 field elements in Z_2[x]/(x^4+x+1)
+
+static
+inline void vec_copy_64(const uint64_t *in, uint64_t *out) {
+    out[0] = in[0];
+    out[1] = in[1];
+    out[2] = in[2];
+    out[3] = in[3];
+}
+
+static
+inline void vec_add_64(const uint64_t *in, uint64_t *acc) {
+    acc[0] ^= in[0];
+    acc[1] ^= in[1];
+    acc[2] ^= in[2];
+    acc[3] ^= in[3];
+}
+
+static 
+inline void vec_mul_add_64(const uint64_t *in, unsigned char a, uint64_t *acc) {
+    for(int i=0; i < 4;i++){
+        acc[i] ^= gf16v_mul_u64(in[i], a);        
+    }
+}
+
+inline
+static void m_vec_mul_add_x_64(const uint64_t *in, uint64_t *acc) {
+    for(int i=0;i<4;i++){
+        acc[i] ^= gf16v_mul_u64(in[i], 0x2);
+    }
+}
+inline
+static void m_vec_mul_add_x_inv_64(const uint64_t *in, uint64_t *acc) {
+    for(int i=0;i<4;i++){
+        acc[i] ^= gf16v_mul_u64(in[i], 0x9);
+    }
+}
+
+static 
+inline void multiply_bins_64(uint32_t *bins_32, uint32_t *out_32) {
+
+    uint64_t *bins = (uint64_t *) bins_32;
+    uint64_t *out = (uint64_t *) out_32;
+
+    m_vec_mul_add_x_inv_64(bins +  5 * 4, bins +  10 * 4);
+    m_vec_mul_add_x_64(bins + 11 * 4, bins + 12 * 4);
+    m_vec_mul_add_x_inv_64(bins +  10 * 4, bins +  7 * 4);
+    m_vec_mul_add_x_64(bins + 12 * 4, bins +  6 * 4);
+    m_vec_mul_add_x_inv_64(bins +  7 * 4, bins +  14 * 4);
+    m_vec_mul_add_x_64(bins +  6 * 4, bins +  3 * 4);
+    m_vec_mul_add_x_inv_64(bins +  14 * 4, bins +  15 * 4);
+    m_vec_mul_add_x_64(bins +  3 * 4, bins +  8 * 4);
+    m_vec_mul_add_x_inv_64(bins +  15 * 4, bins +  13 * 4);
+    m_vec_mul_add_x_64(bins +  8 * 4, bins +  4 * 4);
+    m_vec_mul_add_x_inv_64(bins +  13 * 4, bins +  9 * 4);
+    m_vec_mul_add_x_64(bins +  4 * 4, bins +  2 * 4);
+    m_vec_mul_add_x_inv_64(bins +   9 * 4, bins +  1 * 4);
+    m_vec_mul_add_x_64(bins +  2 * 4, bins +  1 * 4);
+    vec_copy_64(bins + 4, out);
+}
+
+#endif
diff --git a/src/AVX2/arithmetic_96.h b/src/AVX2/arithmetic_96.h
@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef ARITHMETIC_96_H
+#define ARITHMETIC_96_H
+
+#include <stdint.h>
+#include <mayo.h>
+#include <arithmetic_common.h>
+
+// This implements arithmetic for vectors of 96 field elements in Z_2[x]/(x^4+x+1)
+
+static
+inline void vec_copy_96(const uint64_t *in, uint64_t *out) {
+    out[0] = in[0];
+    out[1] = in[1];
+    out[2] = in[2];
+    out[3] = in[3];
+    out[4] = in[4];
+    out[5] = in[5];
+}
+
+static
+inline void vec_add_96(const uint64_t *in, uint64_t *acc) {
+    acc[0] ^= in[0];
+    acc[1] ^= in[1];
+    acc[2] ^= in[2];
+    acc[3] ^= in[3];
+    acc[4] ^= in[4];
+    acc[5] ^= in[5];
+}
+
+inline
+static void m_vec_mul_add_x_96(const uint64_t *in, uint64_t *acc) {
+    for(int i=0;i<6;i++){
+        acc[i] ^= gf16v_mul_u64(in[i], 0x2);
+    }
+}
+
+inline
+static void m_vec_mul_add_x_inv_96(const uint64_t *in, uint64_t *acc) {
+    for(int i=0;i<6;i++){
+        acc[i] ^= gf16v_mul_u64(in[i], 0x9);
+    }
+}
+
+static 
+inline void vec_mul_add_96(const uint64_t *in, unsigned char a, uint64_t *acc) {
+    for(int i=0; i < 6;i++){
+        acc[i] ^= gf16v_mul_u64(in[i], a);        
+    }
+}
+
+static 
+inline void multiply_bins_96(uint32_t *bins_32, uint32_t *out_32) {
+
+    uint64_t *bins = (uint64_t *) bins_32;
+    uint64_t *out = (uint64_t *) out_32;
+
+    m_vec_mul_add_x_inv_96(bins +  5 * 6, bins +  10 * 6);
+    m_vec_mul_add_x_96(bins + 11 * 6, bins + 12 * 6);
+    m_vec_mul_add_x_inv_96(bins +  10 * 6, bins +  7 * 6);
+    m_vec_mul_add_x_96(bins + 12 * 6, bins +  6 * 6);
+    m_vec_mul_add_x_inv_96(bins +  7 * 6, bins +  14 * 6);
+    m_vec_mul_add_x_96(bins +  6 * 6, bins +  3 * 6);
+    m_vec_mul_add_x_inv_96(bins +  14 * 6, bins +  15 * 6);
+    m_vec_mul_add_x_96(bins +  3 * 6, bins +  8 * 6);
+    m_vec_mul_add_x_inv_96(bins +  15 * 6, bins +  13 * 6);
+    m_vec_mul_add_x_96(bins +  8 * 6, bins +  4 * 6);
+    m_vec_mul_add_x_inv_96(bins +  13 * 6, bins +  9 * 6);
+    m_vec_mul_add_x_96(bins +  4 * 6, bins +  2 * 6);
+    m_vec_mul_add_x_inv_96(bins +   9 * 6, bins +  1 * 6);
+    m_vec_mul_add_x_96(bins +  2 * 6, bins +  1 * 6);
+    vec_copy_96(bins + 6, out);
+}
+
+#endif