Merge pull request #116 from formosa-crypto/feature/xwing

xwing
formosa-crypto · Apr 17, 2024 · b2093af · b2093af
2 parents fdfd52a + 600212c
commit b2093af
Show file tree

Hide file tree

Showing 20 changed files with 722 additions and 20 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 .ci
 *.tar.gz
 libjade-*
+.vscode
diff --git a/proof/crypto_kem/xwing/amd64/.gitkeep b/proof/crypto_kem/xwing/amd64/.gitkeep
diff --git a/src/common/keccak/common/fips202_DIRTY.jinc b/src/common/keccak/common/fips202_DIRTY.jinc
@@ -84,6 +84,63 @@ fn _sha3_256_32(reg ptr u8[32] out, reg ptr u8[KYBER_SYMBYTES] in) -> reg ptr u8
   return out;
 }
 
+#[returnaddress="stack"]
+fn _sha3_256_134(reg ptr u8[32] out, reg ptr u8[134] in) -> reg ptr u8[32]
+{
+  reg u256[7] state;
+  stack u64[28] s_state;
+  stack u64[25] a_jagged_p;
+  reg u64 t l;
+  reg u8 c;
+  inline int i;
+
+  a_jagged_p = KECCAK_A_JAGGED;
+  s_state = __init_s_state_avx2();
+
+  state[0] = #VPBROADCAST_4u64(in[u64 0]);
+
+  for i=1 to 16
+  {
+    t = in[u64 i];
+    l = a_jagged_p[i];
+    s_state[(int) l] = t;
+  }
+
+  c = in[u8 128];
+  l = a_jagged_p[(int) 16];
+  l <<= 3;
+  s_state[u8 (int)l] = c;
+
+  for i = 129 to 134{
+    c = in[i];
+    l += 1;
+    s_state[u8 (int)l] = c;
+  }
+
+  l += 1;
+  s_state[u8 (int)l] = 0x06;
+
+  l = a_jagged_p[(SHA3_256_RATE-1)/8];
+  l <<= 3;
+  t = SHA3_256_RATE - 1; t &= 0x7;
+  l += t;
+  s_state[u8 (int)l] ^= 0x80;
+
+  for i=1 to 7 { state[i] = s_state[u256 i]; }
+
+  state = __keccakf1600_avx2(state);
+
+  for i=0 to 7 { s_state[u256 i] = state[i]; }
+
+  for i=0 to 4
+  {
+    l = a_jagged_p[i];
+    t = s_state[(int)l];
+    out[u64 i] = t;
+  }
+
+  return out;
+}
 
 #[returnaddress="stack"]
 fn _shake256_64(reg u64 out outlen, reg const ptr u8[64] in)

diff --git a/src/common/keccak/common/fips202_ref_DIRTY.jinc b/src/common/keccak/common/fips202_ref_DIRTY.jinc
@@ -235,6 +235,40 @@ fn _sha3_256_32(reg ptr u8[32] out, reg ptr u8[KYBER_SYMBYTES] in) -> reg ptr u8
   return out;
 }
 
+
+#[returnaddress="stack"]
+fn _sha3_256_134(reg ptr u8[32] out, reg ptr u8[134] in) -> reg ptr u8[32]
+{
+  stack u64[25] state;
+  stack ptr u8[32] s_out;
+  reg u64 t64;
+  inline int i;
+
+  s_out = out;
+
+  state = __keccak_init_ref1(state);
+
+  for i=0 to 134
+  {
+    state[u8 i] = in[i];
+  }
+
+  state[u8 134] ^= 0x06;
+  state[u8 SHA3_256_RATE - 1] = 0x80;
+
+  state = __keccakf1600_ref1(state);
+
+  out = s_out;
+
+  for i=0 to 4
+  {
+    t64 = state[i];
+    out[u64 i] = t64;
+  }
+
+  return out;
+}
+
 #[returnaddress="stack"]
 fn _sha3_512_64(reg ptr u8[64] out, reg const ptr u8[64] in) -> stack u8[64]
 {

diff --git a/src/common/tofromstack.jinc b/src/common/tofromstack.jinc
@@ -13,6 +13,21 @@ fn __tostack64u8(reg ptr u8[64] out, reg u64 inp) -> reg ptr u8[64]
   return out;
 }
 
+inline 
+fn __tostack96u8(reg ptr u8[96] out, reg u64 inp) -> reg ptr u8[96] 
+{
+  reg u8 t;
+  inline int i;
+
+  for i=0 to 96 
+  {
+    t = (u8)[inp + i];
+    out[i] = t;
+  }
+  return out;
+}
+
+
 inline 
 fn __tostack32u8(reg ptr u8[32] out, reg u64 inp) -> reg ptr u8[32] 
 {
@@ -40,3 +55,29 @@ fn __fromstack32u8(reg u64 outp, reg ptr u8[32] in)
     (u8)[outp + i] = t;
   }
 }
+
+inline 
+fn __fromstack134u8(reg u64 outp, reg ptr u8[134] in)
+{
+  reg u8 t;
+  inline int i;
+
+  for i=0 to 134
+  {
+    t = in[i];
+    (u8)[outp + i] = t;
+  }
+}
+
+inline 
+fn __fromstack64u8(reg u64 outp, reg ptr u8[64] in)
+{
+  reg u8 t;
+  inline int i;
+
+  for i=0 to 64
+  {
+    t = in[i];
+    (u8)[outp + i] = t;
+  }
+}
diff --git a/src/crypto_kem/mlkem/mlkem768/amd64/ref/params.jinc b/src/crypto_kem/mlkem/mlkem768/amd64/ref/params.jinc
@@ -14,3 +14,10 @@ param int MLKEM_CT_LEN = MLKEM_POLYVECCOMPRESSEDBYTES + MLKEM_POLYCOMPRESSEDBYTE
 param int MLKEM_INDCPA_PUBLICKEYBYTES = MLKEM_POLYVECBYTES + MLKEM_SYMBYTES;
 param int MLKEM_PUBLICKEYBYTES = MLKEM_INDCPA_PUBLICKEYBYTES;
 param int MLKEM_SSBYTES = 32;
+
+// the following is a patch to handle inconsistencies between ref/params.jinc and avx2/params.jinc (motivated by xwing);
+// this needs to be fixed upstream, in formosa-mlkem
+param int MLKEM_INDCPA_CIPHERTEXTBYTES = MLKEM_POLYVECCOMPRESSEDBYTES + MLKEM_POLYCOMPRESSEDBYTES;
+param int MLKEM_INDCPA_SECRETKEYBYTES = MLKEM_POLYVECBYTES;
+param int MLKEM_SECRETKEYBYTES = MLKEM_INDCPA_SECRETKEYBYTES + MLKEM_INDCPA_PUBLICKEYBYTES + 2*MLKEM_SYMBYTES;
+param int MLKEM_CIPHERTEXTBYTES = MLKEM_INDCPA_CIPHERTEXTBYTES;
diff --git a/src/crypto_kem/xwing/META.yml b/src/crypto_kem/xwing/META.yml
@@ -0,0 +1,26 @@
+name: X-Wing
+type: kem
+checksumsmall: d80f0bfdf6d38a189cfffe48c048973521c02456bde1934475c38e0819c4afae
+checksumbig: 607234d1da70d4441c64c8bb3deff3f22728a38942500457c92dbcdaf393d0c0
+claimed-nist-level: 3
+claimed-security: IND-CCA2
+length-public-key: 1216
+length-ciphertext: 1120
+length-secret-key: 2464
+length-shared-secret: 32
+principal-submitters:
+  - TODO
+auxiliary-submitters:
+  - TODO
+implementations:
+    - name: amd64/ref
+      version: TODO
+      supported_platforms:
+        - architecture: x86_64
+          operating_systems:
+              - Linux
+              - Darwin
+          required_flags: # FIXME
+              - avx2
+              - bmi2
+              - popcnt
diff --git a/src/crypto_kem/xwing/amd64/avx2/Makefile b/src/crypto_kem/xwing/amd64/avx2/Makefile
@@ -0,0 +1,3 @@
+SAFETY_FLAGS := -nocheckalignment
+SRCS := kem.jazz
+include ../../../../Makefile.common
diff --git a/src/crypto_kem/xwing/amd64/avx2/include/api.h b/src/crypto_kem/xwing/amd64/avx2/include/api.h
@@ -0,0 +1,47 @@
+#ifndef JADE_KEM_xwing_amd64_avx2_API_H
+#define JADE_KEM_xwing_amd64_avx2_API_H
+
+#include <stdint.h>
+
+#define JADE_KEM_xwing_amd64_avx2_PUBLICKEYBYTES   1216
+#define JADE_KEM_xwing_amd64_avx2_SECRETKEYBYTES   2464
+#define JADE_KEM_xwing_amd64_avx2_CIPHERTEXTBYTES  1120
+#define JADE_KEM_xwing_amd64_avx2_KEYPAIRCOINBYTES 96
+#define JADE_KEM_xwing_amd64_avx2_ENCCOINBYTES     64
+#define JADE_KEM_xwing_amd64_avx2_BYTES            32
+
+#define JADE_KEM_xwing_amd64_avx2_ALGNAME         "X-Wing"
+#define JADE_KEM_xwing_amd64_avx2_ARCH            "amd64"
+#define JADE_KEM_xwing_amd64_avx2_IMPL            "ref"
+
+int jade_kem_xwing_amd64_avx2_keypair_derand(
+  uint8_t *public_key,
+  uint8_t *secret_key,
+  const uint8_t *coins
+);
+
+int jade_kem_xwing_amd64_avx2_keypair(
+  uint8_t *public_key,
+  uint8_t *secret_key
+);
+
+int jade_kem_xwing_amd64_avx2_enc_derand(
+  uint8_t *ciphertext,
+  uint8_t *shared_secret,
+  const uint8_t *public_key,
+  const uint8_t *coins
+);
+
+int jade_kem_xwing_amd64_avx2_enc(
+  uint8_t *ciphertext,
+  uint8_t *shared_secret,
+  const uint8_t *public_key
+);
+
+int jade_kem_xwing_amd64_avx2_dec(
+  uint8_t *shared_secret,
+  const uint8_t *ciphertext,
+  const uint8_t *secret_key
+);
+
+#endif
diff --git a/src/crypto_kem/xwing/amd64/avx2/kem.jazz b/src/crypto_kem/xwing/amd64/avx2/kem.jazz
@@ -0,0 +1,92 @@
+from Jade require "common/tofromstack.jinc"
+
+from Jade require "crypto_kem/mlkem/mlkem768/amd64/avx2/kem.jinc"
+from Jade require "crypto_kem/xwing/amd64/ref/kem.jinc"
+from Jade require "crypto_kem/xwing/amd64/ref/params.jinc"
+
+export fn jade_kem_xwing_amd64_avx2_keypair_derand(reg u64 public_key secret_key coins) -> reg u64
+{
+  reg u64 r;
+  stack u8[XWING_KEYPAIRCOINBYTES] stack_coins;
+
+  _ = #init_msf();
+
+  public_key = public_key;
+  secret_key = secret_key;
+  stack_coins = __tostack96u8(stack_coins, coins);
+
+  _crypto_xkem_keypair_derand_jazz(public_key, secret_key, stack_coins);
+
+  ?{}, r = #set0();
+  return r;
+}
+
+export fn jade_kem_xwing_amd64_avx2_keypair(reg u64 public_key secret_key) -> reg u64
+{
+  reg u64 r;
+  stack u8[XWING_KEYPAIRCOINBYTES] stack_coins;
+
+  _ = #init_msf();
+
+  public_key = public_key;
+  secret_key = secret_key;
+  stack_coins = #randombytes(stack_coins);
+
+  _crypto_xkem_keypair_derand_jazz(public_key, secret_key, stack_coins);
+
+  ?{}, r = #set0();
+  return r;
+}
+
+export fn jade_kem_xwing_amd64_avx2_enc_derand(reg u64 ciphertext shared_secret public_key coins) -> reg u64
+{
+  reg u64 r;
+  stack u8[XWING_ENCCOINBYTES] stack_coins;
+
+  _ = #init_msf();
+
+  ciphertext = ciphertext;
+  shared_secret = shared_secret;
+  public_key = public_key;
+  stack_coins = __tostack64u8(stack_coins, coins);
+
+  _crypto_xkem_enc_derand_jazz(ciphertext, shared_secret, public_key, stack_coins);
+
+  ?{}, r = #set0();
+  return r;
+}
+
+export fn jade_kem_xwing_amd64_avx2_enc(reg u64 ciphertext shared_secret public_key) -> reg u64
+{
+  reg u64 r;
+  stack u8[XWING_ENCCOINBYTES] stack_coins;
+
+  _ = #init_msf();
+
+  ciphertext = ciphertext;
+  shared_secret = shared_secret;
+  public_key = public_key;
+  stack_coins = #randombytes(stack_coins);
+
+  _crypto_xkem_enc_derand_jazz(ciphertext, shared_secret, public_key, stack_coins);
+
+  ?{}, r = #set0();
+  return r;
+}
+
+export fn jade_kem_xwing_amd64_avx2_dec(reg u64 shared_secret ciphertext secret_key) -> reg u64
+{
+  reg u64 r;
+
+  _ = #init_msf();
+
+  shared_secret = shared_secret;
+  ciphertext = ciphertext;
+  secret_key = secret_key;
+
+  _crypto_xkem_dec_jazz(shared_secret, ciphertext, secret_key);
+
+  ?{}, r = #set0();
+  return r;
+}
+
diff --git a/src/crypto_kem/xwing/amd64/ref/Makefile b/src/crypto_kem/xwing/amd64/ref/Makefile
@@ -0,0 +1,3 @@
+SAFETY_FLAGS := -nocheckalignment
+SRCS := kem.jazz
+include ../../../../Makefile.common