Dilithium: apply keygen changes to be fully FIPS 204 compliant

Signed-off-by: Stephan Mueller <[email protected]>
smuellerDD · Aug 14, 2024 · 347e5a2 · 347e5a2
1 parent e9b2c17
commit 347e5a2
Show file tree

Hide file tree

Showing 9 changed files with 176,583 additions and 176,565 deletions.
diff --git a/signature/src/avx2/dilithium_signature_avx2.c b/signature/src/avx2/dilithium_signature_avx2.c
@@ -114,11 +114,13 @@ LC_INTERFACE_FUNCTION(int, lc_dilithium_keypair_avx2,
 		poly t1, t0;
 		keccakx4_state keccak_state;
 	};
+	static const uint8_t dimension[2] = { LC_DILITHIUM_K, LC_DILITHIUM_L };
 	unsigned int i;
 	const uint8_t *rho, *rhoprime, *key;
 	polyvecl *row;
 	int ret;
 	static int tested = 0;
+	LC_HASH_CTX_ON_STACK(shake256_ctx, lc_shake256);
 	LC_DECLARE_MEM(ws, struct workspace, 32);
 
 	if (!pk || !sk || !rng_ctx) {
@@ -134,8 +136,12 @@ LC_INTERFACE_FUNCTION(int, lc_dilithium_keypair_avx2,
 	/* Get randomness for rho, rhoprime and key */
 	CKINT(lc_rng_generate(rng_ctx, NULL, 0, ws->seedbuf,
 			      LC_DILITHIUM_SEEDBYTES));
-	lc_xof(lc_shake256, ws->seedbuf, LC_DILITHIUM_SEEDBYTES, ws->seedbuf,
-	       sizeof(ws->seedbuf));
+	lc_hash_init(shake256_ctx);
+	lc_hash_update(shake256_ctx, ws->seedbuf, LC_DILITHIUM_SEEDBYTES);
+	lc_hash_update(shake256_ctx, dimension, sizeof(dimension));
+	lc_hash_set_digestsize(shake256_ctx, sizeof(ws->seedbuf));
+	lc_hash_final(shake256_ctx, ws->seedbuf);
+	lc_hash_zero(shake256_ctx);
 
 	rho = ws->seedbuf;
 	rhoprime = rho + LC_DILITHIUM_SEEDBYTES;

diff --git a/signature/src/dilithium_selftest_vector_44.h b/signature/src/dilithium_selftest_vector_44.h
diff --git a/signature/src/dilithium_selftest_vector_65.h b/signature/src/dilithium_selftest_vector_65.h
diff --git a/signature/src/dilithium_selftest_vector_87.h b/signature/src/dilithium_selftest_vector_87.h
diff --git a/signature/src/dilithium_signature_impl.h b/signature/src/dilithium_signature_impl.h
@@ -80,9 +80,11 @@ static int lc_dilithium_keypair_impl(struct lc_dilithium_pk *pk,
 			uint8_t tr[LC_DILITHIUM_TRBYTES];
 		} tmp;
 	};
+	static const uint8_t dimension[2] = { LC_DILITHIUM_K, LC_DILITHIUM_L };
 	const uint8_t *rho, *rhoprime, *key;
 	int ret;
 	static int tested = LC_DILITHIUM_TEST_INIT;
+	LC_HASH_CTX_ON_STACK(shake256_ctx, lc_shake256);
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
 	CKNULL(pk, -EINVAL);
@@ -99,8 +101,12 @@ static int lc_dilithium_keypair_impl(struct lc_dilithium_pk *pk,
 	dilithium_print_buffer(ws->seedbuf, LC_DILITHIUM_SEEDBYTES,
 			       "Keygen - Seed");
 
-	lc_xof(lc_shake256, ws->seedbuf, LC_DILITHIUM_SEEDBYTES, ws->seedbuf,
-	       sizeof(ws->seedbuf));
+	lc_hash_init(shake256_ctx);
+	lc_hash_update(shake256_ctx, ws->seedbuf, LC_DILITHIUM_SEEDBYTES);
+	lc_hash_update(shake256_ctx, dimension, sizeof(dimension));
+	lc_hash_set_digestsize(shake256_ctx, sizeof(ws->seedbuf));
+	lc_hash_final(shake256_ctx, ws->seedbuf);
+	lc_hash_zero(shake256_ctx);
 
 	rho = ws->seedbuf;
 	dilithium_print_buffer(ws->seedbuf, LC_DILITHIUM_SEEDBYTES,

diff --git a/signature/tests/dilithium_edge_case_tester.c b/signature/tests/dilithium_edge_case_tester.c
@@ -526,6 +526,12 @@ int dilithium_edge_tester(
 	unsigned int i;
 	int ret = 0;
 
+	/*
+	 * The test vectors apply to the key gen without the hashing of the
+	 * dimension together with the seed. Let us wait for new vectors.
+	 */
+	return 77;
+
 	for (i = 0; i < ARRAY_SIZE(tcs); i++)
 		ret += dilithium_edge_tester_internal(
 			&tcs[i], _lc_dilithium_keypair_from_seed,

diff --git a/signature/tests/dilithium_tester_vectors_44.h b/signature/tests/dilithium_tester_vectors_44.h
diff --git a/signature/tests/dilithium_tester_vectors_65.h b/signature/tests/dilithium_tester_vectors_65.h
diff --git a/signature/tests/dilithium_tester_vectors_87.h b/signature/tests/dilithium_tester_vectors_87.h