Dilithium on-the-fly matrix generation for keygen and verify

benchmarks.csv

@@ -77,12 +77,12 @@ sntrup953 (100 executions),m4f,12761557,12761535,12761571,943350,943350,943350,7
 Signature Schemes,,,,,,,,,,
 Scheme,Implementation,Key Generation [cycles] (mean),Key Generation [cycles] (min),Key Generation [cycles] (max),Sign [cycles] (mean),Sign [cycles] (min),Sign [cycles] (max),Verify [cycles] (mean),Verify [cycles] (min),Verify [cycles] (max)
 dilithium2 (100 executions),clean,1976311,1934124,2022613,7465108,3241343,29601126,2109292,2108823,2109692
-dilithium2 (10000 executions),m4f,1597282,1543011,1644501,4119336,1983077,34081046,1572328,1571561,1572863
+dilithium2 (10000 executions),m4f,1598273,1543984,1645520,4088281,1983092,23248321,1572681,1571953,1573212
 dilithium2aes (100 executions),clean,5153665,5109045,5227715,12016668,6375642,28738015,4824282,4779372,4898600
 dilithium3 (100 executions),clean,3414513,3413395,3416061,11722059,5037981,36169675,3499388,3498955,3499805
-dilithium3 (10000 executions),m4f,2829260,2827405,2842880,6652990,3235358,42043815,2691471,2690861,2691949
+dilithium3 (10000 executions),m4f,2829137,2827129,2831465,6644258,3235339,40269792,2691982,2691456,2692439
 dilithium3aes (100 executions),clean,9258325,9166749,9369734,19417325,10745071,60023085,8581938,8491758,8694807
-dilithium5 (10000 executions),m4f,4826132,4737167,4901952,8817385,5433369,40315104,4705982,4705308,4706614
+dilithium5 (10000 executions),m4f,4825973,4749351,4913802,8773020,5433389,44507501,4705852,4705213,4706521
 falcon-1024 (100 executions),clean,582455197,338850289,1754663445,133655078,133335905,133985773,1526901,1526233,1527648
 falcon-1024 (100 executions),m4-ct,458300837,273960881,1558842038,85160712,84941964,85410952,977811,966969,985555
 falcon-1024 (100 executions),opt-ct,445577914,273960881,1180316927,85152483,84871257,85396462,978443,966990,985220
@@ -214,11 +214,11 @@ Signature Schemes,,,,,,,,,,
 Scheme,Implementation,Key Generation [bytes],Sign [bytes],Verify [bytes],,,,,,
 dilithium2,clean,38284,51908,36196,,,,,,
 dilithium2aes,clean,39764,53388,37676,,,,,,
-dilithium2,m4f,38276,49356,36296,,,,,,
+dilithium2,m4f,25988,49356,23992,,,,,,
 dilithium3,clean,60812,79664,57700,,,,,,
 dilithium3aes,clean,62292,81036,59180,,,,,,
-dilithium3,m4f,60804,68804,57692,,,,,,
-dilithium5,m4f,97776,116016,92872,,,,,,
+dilithium3,m4f,35196,68804,32076,,,,,,
+dilithium5,m4f,47484,116016,42680,,,,,,
 falcon-1024,clean,36264,82428,8796,,,,,,
 falcon-1024,m4-ct,1488,2568,496,,,,,,
 falcon-1024,opt-ct,1448,2568,388,,,,,,
@@ -486,11 +486,11 @@ Signature Schemes,,,,,,,,,,
 Scheme,Implementation,.text [bytes],.data [bytes],.bss [bytes],Total [bytes],,,,,
 dilithium2,clean,7948,0,0,7948,,,,,
 dilithium2aes,clean,14982,0,0,14982,,,,,
-dilithium2,m4f,18440,0,0,18440,,,,,
+dilithium2,m4f,18552,0,0,18552,,,,,
 dilithium3,clean,7444,0,0,7444,,,,,
 dilithium3aes,clean,14470,0,0,14470,,,,,
-dilithium3,m4f,19912,0,0,19912,,,,,
-dilithium5,m4f,18236,0,0,18236,,,,,
+dilithium3,m4f,19980,0,0,19980,,,,,
+dilithium5,m4f,18300,0,0,18300,,,,,
 falcon-1024,clean,82285,0,0,82285,,,,,
 falcon-1024,m4-ct,81265,0,79872,161137,,,,,
 falcon-1024,opt-ct,81265,0,79872,161137,,,,,

benchmarks.md

@@ -79,12 +79,12 @@
 | scheme | implementation | key generation [cycles] | sign [cycles] | verify [cycles] |
 | ------ | -------------- | ----------------------- | ------------- | --------------- |
 | dilithium2 (100 executions) | clean | AVG: 1,976,311 <br /> MIN: 1,934,124 <br /> MAX: 2,022,613 | AVG: 7,465,108 <br /> MIN: 3,241,343 <br /> MAX: 29,601,126 | AVG: 2,109,292 <br /> MIN: 2,108,823 <br /> MAX: 2,109,692 |
-| dilithium2 (10000 executions) | m4f | AVG: 1,597,282 <br /> MIN: 1,543,011 <br /> MAX: 1,644,501 | AVG: 4,119,336 <br /> MIN: 1,983,077 <br /> MAX: 34,081,046 | AVG: 1,572,328 <br /> MIN: 1,571,561 <br /> MAX: 1,572,863 |
+| dilithium2 (10000 executions) | m4f | AVG: 1,598,273 <br /> MIN: 1,543,984 <br /> MAX: 1,645,520 | AVG: 4,088,281 <br /> MIN: 1,983,092 <br /> MAX: 23,248,321 | AVG: 1,572,681 <br /> MIN: 1,571,953 <br /> MAX: 1,573,212 |
 | dilithium2aes (100 executions) | clean | AVG: 5,153,665 <br /> MIN: 5,109,045 <br /> MAX: 5,227,715 | AVG: 12,016,668 <br /> MIN: 6,375,642 <br /> MAX: 28,738,015 | AVG: 4,824,282 <br /> MIN: 4,779,372 <br /> MAX: 4,898,600 |
 | dilithium3 (100 executions) | clean | AVG: 3,414,513 <br /> MIN: 3,413,395 <br /> MAX: 3,416,061 | AVG: 11,722,059 <br /> MIN: 5,037,981 <br /> MAX: 36,169,675 | AVG: 3,499,388 <br /> MIN: 3,498,955 <br /> MAX: 3,499,805 |
-| dilithium3 (10000 executions) | m4f | AVG: 2,829,260 <br /> MIN: 2,827,405 <br /> MAX: 2,842,880 | AVG: 6,652,990 <br /> MIN: 3,235,358 <br /> MAX: 42,043,815 | AVG: 2,691,471 <br /> MIN: 2,690,861 <br /> MAX: 2,691,949 |
+| dilithium3 (10000 executions) | m4f | AVG: 2,829,137 <br /> MIN: 2,827,129 <br /> MAX: 2,831,465 | AVG: 6,644,258 <br /> MIN: 3,235,339 <br /> MAX: 40,269,792 | AVG: 2,691,982 <br /> MIN: 2,691,456 <br /> MAX: 2,692,439 |
 | dilithium3aes (100 executions) | clean | AVG: 9,258,325 <br /> MIN: 9,166,749 <br /> MAX: 9,369,734 | AVG: 19,417,325 <br /> MIN: 10,745,071 <br /> MAX: 60,023,085 | AVG: 8,581,938 <br /> MIN: 8,491,758 <br /> MAX: 8,694,807 |
-| dilithium5 (10000 executions) | m4f | AVG: 4,826,132 <br /> MIN: 4,737,167 <br /> MAX: 4,901,952 | AVG: 8,817,385 <br /> MIN: 5,433,369 <br /> MAX: 40,315,104 | AVG: 4,705,982 <br /> MIN: 4,705,308 <br /> MAX: 4,706,614 |
+| dilithium5 (10000 executions) | m4f | AVG: 4,825,973 <br /> MIN: 4,749,351 <br /> MAX: 4,913,802 | AVG: 8,773,020 <br /> MIN: 5,433,389 <br /> MAX: 44,507,501 | AVG: 4,705,852 <br /> MIN: 4,705,213 <br /> MAX: 4,706,521 |
 | falcon-1024 (100 executions) | clean | AVG: 582,455,197 <br /> MIN: 338,850,289 <br /> MAX: 1,754,663,445 | AVG: 133,655,078 <br /> MIN: 133,335,905 <br /> MAX: 133,985,773 | AVG: 1,526,901 <br /> MIN: 1,526,233 <br /> MAX: 1,527,648 |
 | falcon-1024 (100 executions) | m4-ct | AVG: 458,300,837 <br /> MIN: 273,960,881 <br /> MAX: 1,558,842,038 | AVG: 85,160,712 <br /> MIN: 84,941,964 <br /> MAX: 85,410,952 | AVG: 977,811 <br /> MIN: 966,969 <br /> MAX: 985,555 |
 | falcon-1024 (100 executions) | opt-ct | AVG: 445,577,914 <br /> MIN: 273,960,881 <br /> MAX: 1,180,316,927 | AVG: 85,152,483 <br /> MIN: 84,871,257 <br /> MAX: 85,396,462 | AVG: 978,443 <br /> MIN: 966,990 <br /> MAX: 985,220 |
@@ -217,12 +217,12 @@
 | Scheme | Implementation | Key Generation [bytes] | Sign [bytes] | Verify [bytes] |
 | ------ | -------------- | ---------------------- | ------------ | -------------- |
 | dilithium2 | clean | 38,284 | 51,908 | 36,196 |
-| dilithium2 | m4f | 38,276 | 49,356 | 36,296 |
+| dilithium2 | m4f | 25,988 | 49,356 | 23,992 |
 | dilithium2aes | clean | 39,764 | 53,388 | 37,676 |
 | dilithium3 | clean | 60,812 | 79,664 | 57,700 |
-| dilithium3 | m4f | 60,804 | 68,804 | 57,692 |
+| dilithium3 | m4f | 35,196 | 68,804 | 32,076 |
 | dilithium3aes | clean | 62,292 | 81,036 | 59,180 |
-| dilithium5 | m4f | 97,776 | 116,016 | 92,872 |
+| dilithium5 | m4f | 47,484 | 116,016 | 42,680 |
 | falcon-1024 | clean | 36,264 | 82,428 | 8,796 |
 | falcon-1024 | m4-ct | 1,488 | 2,568 | 496 |
 | falcon-1024 | opt-ct | 1,448 | 2,568 | 388 |
@@ -493,12 +493,12 @@
 | Scheme | Implementation | .text [bytes] | .data [bytes] | .bss [bytes] | Total [bytes] |
 | ------ | -------------- | ------------- | ------------- | ------------ | ------------- |
 | dilithium2 | clean | 7,948 | 0 | 0 | 7,948 |
-| dilithium2 | m4f | 18,440 | 0 | 0 | 18,440 |
+| dilithium2 | m4f | 18,552 | 0 | 0 | 18,552 |
 | dilithium2aes | clean | 14,982 | 0 | 0 | 14,982 |
 | dilithium3 | clean | 7,444 | 0 | 0 | 7,444 |
-| dilithium3 | m4f | 19,912 | 0 | 0 | 19,912 |
+| dilithium3 | m4f | 19,980 | 0 | 0 | 19,980 |
 | dilithium3aes | clean | 14,470 | 0 | 0 | 14,470 |
-| dilithium5 | m4f | 18,236 | 0 | 0 | 18,236 |
+| dilithium5 | m4f | 18,300 | 0 | 0 | 18,300 |
 | falcon-1024 | clean | 82,285 | 0 | 0 | 82,285 |
 | falcon-1024 | m4-ct | 81,265 | 0 | 79,872 | 161,137 |
 | falcon-1024 | opt-ct | 81,265 | 0 | 79,872 | 161,137 |

crypto_sign/dilithium2/m4f/packing.c

@@ -26,6 +26,37 @@ void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
     polyt1_pack(pk + i*POLYT1_PACKEDBYTES, &t1->vec[i]);
 }
 
+/*************************************************
+* Name:        pack_pk_rho
+*
+* Description: Bit-pack only rho in public key pk = (rho, t1).
+*
+* Arguments:   - unsigned char pk[]: output byte array
+*              - const unsigned char rho[]: byte array containing rho
+**************************************************/
+void pack_pk_rho(unsigned char pk[CRYPTO_PUBLICKEYBYTES],
+                 const unsigned char rho[SEEDBYTES]) {
+    for (unsigned int i = 0; i < SEEDBYTES; ++i) {
+        pk[i] = rho[i];
+    }
+}
+
+/*************************************************
+* Name:        pack_pk_t1
+*
+* Description: Bit-pack only the t1 elem at idx in public key pk = (rho, t1).
+*
+* Arguments:   - unsigned char pk[]: output byte array
+*              - const polyveck *t1: pointer to vector t1
+*              - const unsigned int idx: index to the elem to pack
+**************************************************/
+void pack_pk_t1(unsigned char pk[CRYPTO_PUBLICKEYBYTES],
+             const poly *t1,
+             const unsigned int idx) {
+    pk += SEEDBYTES;
+    polyt1_pack(pk + idx * POLYT1_PACKEDBYTES, t1);
+}
+
 /*************************************************
 * Name:        unpack_pk
 *
@@ -96,6 +127,101 @@ void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
     polyt0_pack(sk + i*POLYT0_PACKEDBYTES, &t0->vec[i]);
 }
 
+/*************************************************
+* Name:        pack_sk_s1
+*
+* Description: Bit-pack only some element of s1 in secret key sk = (rho, key, tr, s1, s2, t0).
+*
+* Arguments:   - unsigned char sk[]: output byte array
+*              - const poly *s1_elem: pointer to vector element idx in s1
+*              - const unisgned int idx: index to the element of s1 that should be packed
+**************************************************/
+void pack_sk_s1(unsigned char sk[CRYPTO_SECRETKEYBYTES],
+                const poly *s1_elem,
+                const unsigned int idx) {
+    sk += 3 * SEEDBYTES;
+    polyeta_pack(sk + idx * POLYETA_PACKEDBYTES, s1_elem);
+}
+
+/*************************************************
+* Name:        pack_sk_s2
+*
+* Description: Bit-pack only some element of s2 in secret key sk = (rho, key, tr, s1, s2, t0).
+*
+* Arguments:   - unsigned char sk[]: output byte array
+*              - const poly *s2_elem: pointer to vector element idx in s2
+*              - const unsigned int idx: index to the element of s1 that should be packed
+**************************************************/
+void pack_sk_s2(unsigned char sk[CRYPTO_SECRETKEYBYTES],
+                const poly *s2_elem,
+                const unsigned int idx) {
+    sk += 3 * SEEDBYTES + L * POLYETA_PACKEDBYTES;
+    polyeta_pack(sk + idx * POLYETA_PACKEDBYTES, s2_elem);
+}
+
+/*************************************************
+* Name:        pack_sk_t0
+*
+* Description: Bit-pack only some element of t0 in secret key sk = (rho, key, tr, s1, s2, t0).
+*
+* Arguments:   - unsigned char sk[]: output byte array
+*              - const poly *t0_elem: pointer to vector element idx in s2
+*              - const unsigned int idx: index to the element of s1 that should be packed
+**************************************************/
+void pack_sk_t0(unsigned char sk[CRYPTO_SECRETKEYBYTES],
+                const poly *t0_elem,
+                const unsigned int idx) {
+    sk += 3 * SEEDBYTES + L * POLYETA_PACKEDBYTES + K * POLYETA_PACKEDBYTES;
+    polyt0_pack(sk + idx * POLYT0_PACKEDBYTES, t0_elem);
+}
+
+/*************************************************
+* Name:        pack_sk_rho
+*
+* Description: Bit-pack only rho in secret key sk = (rho, key, tr, s1, s2, t0).
+*
+* Arguments:   - unsigned char sk[]: output byte array
+*              - const unsigned char rho[]: byte array containing rho
+**************************************************/
+void pack_sk_rho(unsigned char sk[CRYPTO_SECRETKEYBYTES],
+                 const unsigned char rho[SEEDBYTES]) {
+  for (unsigned int i = 0; i < SEEDBYTES; ++i) {
+    sk[i] = rho[i];
+  }
+}
+
+/*************************************************
+* Name:        pack_sk_key
+*
+* Description: Bit-pack only key in secret key sk = (rho, key, tr, s1, s2, t0).
+*
+* Arguments:   - unsigned char sk[]: output byte array
+*              - const unsigned char key[]: byte array containing key
+**************************************************/
+void pack_sk_key(unsigned char sk[CRYPTO_SECRETKEYBYTES],
+                 const unsigned char key[SEEDBYTES]) {
+    sk += SEEDBYTES;
+    for (unsigned int i = 0; i < SEEDBYTES; ++i) {
+      sk[i] = key[i];
+    }
+}
+
+/*************************************************
+* Name:        pack_sk_tr
+*
+* Description: Bit-pack only tr in secret key sk = (rho, key, tr, s1, s2, t0).
+*
+* Arguments:   - unsigned char sk[]: output byte array
+*              - const unsigned char tr[]: byte array containing tr
+**************************************************/
+void pack_sk_tr(unsigned char sk[CRYPTO_SECRETKEYBYTES],
+                const unsigned char tr[SEEDBYTES]) {
+    sk += 2*SEEDBYTES;
+    for (unsigned int i = 0; i < SEEDBYTES; ++i) {
+        sk[i] = tr[i];
+    }
+}
+
 /*************************************************
 * Name:        unpack_sk
 *
@@ -283,3 +409,98 @@ int unpack_sig(uint8_t c[SEEDBYTES],
 
   return 0;
 }
+
+/*************************************************
+* Name:        unpack_sig_z
+*
+* Description: Unpack only z from signature sig = (c, z, h).
+*
+* Arguments:   - polyvecl *z: pointer to output vector z
+*              - const unsigned char sig[]: byte array containing
+*                bit-packed signature
+*
+**************************************************/
+int unpack_sig_z(polyvecl *z, const unsigned char sig[CRYPTO_BYTES]) {
+  sig += SEEDBYTES;
+  for (unsigned int i = 0; i < L; ++i) {
+      polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES);
+  }
+  return 0;
+}
+
+/*************************************************
+* Name:        unpack_pk_t1
+*
+* Description: Unpack public key pk = (rho, t1).
+*
+* Arguments:   - const polyvec *t1: pointer to output vector t1
+*              - const size_t idx: unpack n'th element from t1
+*              - unsigned char pk[]: byte array containing bit-packed pk
+**************************************************/
+void unpack_pk_t1(poly *t1, unsigned int idx, const unsigned char pk[CRYPTO_PUBLICKEYBYTES]) {
+    pk += SEEDBYTES;
+    polyt1_unpack(t1, pk + idx * POLYT1_PACKEDBYTES);
+}
+
+/*************************************************
+* Name:        unpack_sig_h
+*
+* Description: Unpack only h from signature sig = (c, z, h).
+*
+* Arguments:   - polyveck *h: pointer to output hint vector h
+*              - const unsigned char sig[]: byte array containing
+*                bit-packed signature
+*
+* Returns 1 in case of malformed signature; otherwise 0.
+**************************************************/
+int unpack_sig_h(poly *h, unsigned int idx, const unsigned char sig[CRYPTO_BYTES]) {
+    sig += L * POLYZ_PACKEDBYTES;
+    sig += SEEDBYTES;
+    /* Decode h */
+    unsigned int k = 0;
+    for (unsigned int i = 0; i < K; ++i) {
+        for (unsigned int j = 0; j < N; ++j) {
+            if (i == idx) {
+                h->coeffs[j] = 0;
+            }
+        }
+
+        if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) {
+            return 1;
+        }
+
+        for (unsigned int j = k; j < sig[OMEGA + i]; ++j) {
+            /* Coefficients are ordered for strong unforgeability */
+            if (j > k && sig[j] <= sig[j - 1]) {
+                return 1;
+            }
+            if (i == idx) {
+                h->coeffs[sig[j]] = 1;
+            }
+        }
+
+        k = sig[OMEGA + i];
+    }
+
+    /* Extra indices are zero for strong unforgeability */
+    for (unsigned int j = k; j < OMEGA; ++j) {
+        if (sig[j]) {
+            return 1;
+        }
+    }
+    return 0;
+}
+
+/*************************************************
+* Name:        getoffset_pk_rho
+*
+* Description: Unpack only rho from public key pk = (rho, t1).
+*
+* Arguments:   - const unsigned char *rho: pointer to rho inside of pk
+*              - unsigned char pk[]: byte array containing bit-packed pk
+*
+* The lifetime of rho MUST NOT exceed the lifetime of pk!
+**************************************************/
+const unsigned char *getoffset_pk_rho(const unsigned char pk[CRYPTO_PUBLICKEYBYTES]) {
+    return pk;
+}