aws · manastasova · Dec 30, 2024 · Dec 30, 2024 · Dec 30, 2024 · Dec 30, 2024
@@ -41,7 +41,7 @@ typedef struct {
 #define ML_DSA_L_MAX (7)
 #define ML_DSA_C_TILDE_BYTES_MAX (64)
 #define ML_DSA_POLYW1_PACKEDBYTES_MAX (192)
-#define ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_RATE - 1)/SHAKE256_RATE)
+#define ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_BLOCKSIZE - 1)/SHAKE256_BLOCKSIZE)
 #define ML_DSA_POLYZ_PACKEDBYTES_MAX (576)
 
 void ml_dsa_44_params_init(ml_dsa_params *params);

@@ -301,24 +301,24 @@ static unsigned int ml_dsa_rej_uniform(int32_t *a,
 *              - const uint8_t seed[]: byte array with seed of length SEEDBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-#define POLY_UNIFORM_NBLOCKS ((768 + SHAKE128_RATE - 1)/ SHAKE128_RATE)
+#define POLY_UNIFORM_NBLOCKS ((768 + SHAKE128_BLOCKSIZE - 1)/ SHAKE128_BLOCKSIZE)
 void ml_dsa_poly_uniform(ml_dsa_poly *a,
                   const uint8_t seed[ML_DSA_SEEDBYTES],
                   uint16_t nonce)
 {
   unsigned int i, ctr, off;
-  unsigned int buflen = POLY_UNIFORM_NBLOCKS*SHAKE128_RATE;
-  uint8_t buf[POLY_UNIFORM_NBLOCKS*SHAKE128_RATE + 2];
+  unsigned int buflen = POLY_UNIFORM_NBLOCKS*SHAKE128_BLOCKSIZE;
+  uint8_t buf[POLY_UNIFORM_NBLOCKS*SHAKE128_BLOCKSIZE + 2];
   KECCAK1600_CTX state;
 
   uint8_t t[2];
   t[0] = nonce & 0xff;
   t[1] = nonce >> 8;
 
   SHAKE_Init(&state, SHAKE128_BLOCKSIZE);
-  SHA3_Update(&state, seed, ML_DSA_SEEDBYTES);
-  SHA3_Update(&state, t, 2);
-  SHAKE_Final(buf, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE);
+  SHAKE_Absorb(&state, seed, ML_DSA_SEEDBYTES);
+  SHAKE_Absorb(&state, t, 2);
+  SHAKE_Squeeze(buf, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE);
 
   ctr = ml_dsa_rej_uniform(a->coeffs, ML_DSA_N, buf, buflen);
 
@@ -327,8 +327,8 @@ void ml_dsa_poly_uniform(ml_dsa_poly *a,
     for(i = 0; i < off; ++i)
       buf[i] = buf[buflen - off + i];
 
-    SHAKE_Final(buf + off, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE);
-    buflen = SHAKE128_RATE + off;
+    SHAKE_Squeeze(buf + off, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE);
+    buflen = SHAKE128_BLOCKSIZE + off;
     ctr += ml_dsa_rej_uniform(a->coeffs + ctr, ML_DSA_N - ctr, buf, buflen);
   }
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
@@ -409,25 +409,26 @@ void ml_dsa_poly_uniform_eta(ml_dsa_params *params,
                       uint16_t nonce)
 {
   unsigned int ctr;
-  unsigned int buflen = ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE;
-  uint8_t buf[ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE];
+  unsigned int buflen = ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE;
+  uint8_t buf[ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE];
-  uint8_t buf[ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE];
+  uint8_t buf[buflen];
-  uint8_t buf[ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE];
+  uint8_t buf[buflen];
   KECCAK1600_CTX state;
 
   uint8_t t[2];
   t[0] = nonce & 0xff;
   t[1] = nonce >> 8;
 
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHA3_Update(&state, seed, ML_DSA_CRHBYTES);
-  SHA3_Update(&state, t, 2);
-  SHAKE_Final(buf, &state, ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE);
+  SHAKE_Absorb(&state, seed, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, t, 2);
+  SHAKE_Squeeze(buf, &state, ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE);
 
   ctr = rej_eta(params, a->coeffs, ML_DSA_N, buf, buflen);
 
   while(ctr < ML_DSA_N) {
-    SHAKE_Final(buf, &state, SHAKE256_BLOCKSIZE);
-    ctr += rej_eta(params, a->coeffs + ctr, ML_DSA_N - ctr, buf, SHAKE256_RATE);
+    SHAKE_Squeeze(buf, &state, SHAKE256_BLOCKSIZE);
+    ctr += rej_eta(params, a->coeffs + ctr, ML_DSA_N - ctr, buf, SHAKE256_BLOCKSIZE);
   }
+
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   OPENSSL_cleanse(buf, sizeof(buf));
   OPENSSL_cleanse(&state, sizeof(state));
@@ -445,24 +446,23 @@ void ml_dsa_poly_uniform_eta(ml_dsa_params *params,
 *              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 16-bit nonce
 **************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_RATE - 1) / SHAKE256_RATE)
+#define POLY_UNIFORM_GAMMA1_NBLOCKS ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_BLOCKSIZE - 1) / SHAKE256_BLOCKSIZE)
 void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params,
                                 ml_dsa_poly *a,
                                 const uint8_t seed[ML_DSA_CRHBYTES],
                                 uint16_t nonce)
 {
-  uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_RATE];
+  uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_BLOCKSIZE];
   KECCAK1600_CTX state;
 
   uint8_t t[2];
   t[0] = nonce & 0xff;
   t[1] = nonce >> 8;
 
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHA3_Update(&state, seed, ML_DSA_CRHBYTES);
-  SHA3_Update(&state, t, 2);
-
-  SHAKE_Final(buf, &state, POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_BLOCKSIZE);
+  SHAKE_Absorb(&state, seed, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, t, 2);
+  SHAKE_Squeeze(buf, &state, POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_BLOCKSIZE);
   ml_dsa_polyz_unpack(params, a, buf);
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   OPENSSL_cleanse(buf, sizeof(buf));
@@ -483,12 +483,12 @@ void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params,
 void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t *seed) {
   unsigned int i, b, pos;
   uint64_t signs;
-  uint8_t buf[SHAKE256_RATE];
+  uint8_t buf[SHAKE256_BLOCKSIZE];
   KECCAK1600_CTX state;
 
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHA3_Update(&state, seed, params->c_tilde_bytes);
-  SHAKE_Final(buf, &state, SHAKE256_BLOCKSIZE);
+  SHAKE_Absorb(&state, seed, params->c_tilde_bytes);
+  SHAKE_Squeeze(buf, &state, SHAKE256_BLOCKSIZE);
 
   signs = 0;
   for(i = 0; i < 8; ++i) {
@@ -501,8 +501,8 @@ void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t
   }
   for(i = ML_DSA_N-params->tau; i < ML_DSA_N; ++i) {
     do {
-      if(pos >= SHAKE256_RATE) {
-        SHAKE_Final(buf, &state, SHAKE256_BLOCKSIZE);
+      if(pos >= SHAKE256_BLOCKSIZE) {
+        SHAKE_Squeeze(buf, &state, SHAKE256_BLOCKSIZE);
         pos = 0;
       }
 

@@ -156,17 +156,17 @@ int ml_dsa_sign_internal(ml_dsa_params *params,
   // processing of M' in the external function. However, as M' = (pre, msg),
   // mu = CRH(tr, M') = CRH(tr, pre, msg).
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHA3_Update(&state, tr, ML_DSA_TRBYTES);
-  SHA3_Update(&state, pre, prelen);
-  SHA3_Update(&state, m, mlen);
-  SHAKE_Final(mu, &state, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, tr, ML_DSA_TRBYTES);
+  SHAKE_Absorb(&state, pre, prelen);
+  SHAKE_Absorb(&state, m, mlen);
+  SHAKE_Squeeze(mu, &state, ML_DSA_CRHBYTES);
 
   /* FIPS 204: line 7 Compute rhoprime = CRH(key, rnd, mu) */
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHA3_Update(&state, key, ML_DSA_SEEDBYTES);
-  SHA3_Update(&state, rnd, ML_DSA_RNDBYTES);
-  SHA3_Update(&state, mu, ML_DSA_CRHBYTES);
-  SHAKE_Final(rhoprime, &state, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, key, ML_DSA_SEEDBYTES);
+  SHAKE_Absorb(&state, rnd, ML_DSA_RNDBYTES);
+  SHAKE_Absorb(&state, mu, ML_DSA_CRHBYTES);
+  SHAKE_Squeeze(rhoprime, &state, ML_DSA_CRHBYTES);
 
   /* FIPS 204: line 5 Expand matrix and transform vectors */
   ml_dsa_polyvec_matrix_expand(params, mat, rho);
@@ -191,9 +191,9 @@ int ml_dsa_sign_internal(ml_dsa_params *params,
   ml_dsa_polyveck_pack_w1(params, sig, &w1);
 
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHA3_Update(&state, mu, ML_DSA_CRHBYTES);
-  SHA3_Update(&state, sig, params->k * params->poly_w1_packed_bytes);
-  SHAKE_Final(sig, &state, params->c_tilde_bytes);
+  SHAKE_Absorb(&state, mu, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, sig, params->k * params->poly_w1_packed_bytes);
+  SHAKE_Squeeze(sig, &state, params->c_tilde_bytes);
   ml_dsa_poly_challenge(params, &cp, sig);
   ml_dsa_poly_ntt(&cp);
 
@@ -395,10 +395,10 @@ int ml_dsa_verify_internal(ml_dsa_params *params,
   // Like crypto_sign_signature_internal, the processing of M' is performed
   // here, as opposed to within the external function.
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHA3_Update(&state, tr, ML_DSA_TRBYTES);
-  SHA3_Update(&state, pre, prelen);
-  SHA3_Update(&state, m, mlen);
-  SHAKE_Final(mu, &state, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, tr, ML_DSA_TRBYTES);
+  SHAKE_Absorb(&state, pre, prelen);
+  SHAKE_Absorb(&state, m, mlen);
+  SHAKE_Squeeze(mu, &state, ML_DSA_CRHBYTES);
 
   /* FIPS 204: line 9 Matrix-vector multiplication; compute Az - c2^dt1 */
   ml_dsa_poly_challenge(params, &cp, c);
@@ -423,9 +423,10 @@ int ml_dsa_verify_internal(ml_dsa_params *params,
 
   /* FIPS 204: line 12 Call random oracle and verify challenge */
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
-  SHA3_Update(&state, mu, ML_DSA_CRHBYTES);
-  SHA3_Update(&state, buf, params->k * params->poly_w1_packed_bytes);
-  SHAKE_Final(c2, &state, params->c_tilde_bytes);
+  SHAKE_Absorb(&state, mu, ML_DSA_CRHBYTES);
+  SHAKE_Absorb(&state, buf, params->k * params->poly_w1_packed_bytes);
+  SHAKE_Squeeze(c2, &state, params->c_tilde_bytes);
+
   for(i = 0; i < params->c_tilde_bytes; ++i) {
     if(c[i] != c2[i]) {
       return -1;

@@ -326,7 +326,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) {
 
 
 static void sha3_224_init(EVP_MD_CTX *ctx) {
-  CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_224_DIGEST_BITLENGTH));
+  CHECK(SHA3_Init(ctx->md_data, SHA3_224_DIGEST_BITLENGTH));
 }
 
 static void sha3_224_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
@@ -351,7 +351,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha3_224) {
 
 
 static void sha3_256_init(EVP_MD_CTX *ctx) {
-  CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_256_DIGEST_BITLENGTH));
+  CHECK(SHA3_Init(ctx->md_data, SHA3_256_DIGEST_BITLENGTH));
 }
 
 static void sha3_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
@@ -376,7 +376,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha3_256) {
 
 
 static void sha3_384_init(EVP_MD_CTX *ctx) {
-  CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_384_DIGEST_BITLENGTH));
+  CHECK(SHA3_Init(ctx->md_data, SHA3_384_DIGEST_BITLENGTH));
 }
 
 static void sha3_384_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
@@ -401,7 +401,7 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha3_384) {
 
 
 static void sha3_512_init(EVP_MD_CTX *ctx) {
-  CHECK(SHA3_Init(ctx->md_data, SHA3_PAD_CHAR, SHA3_512_DIGEST_BITLENGTH));
+  CHECK(SHA3_Init(ctx->md_data, SHA3_512_DIGEST_BITLENGTH));
 }
 
 static void sha3_512_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
@@ -430,7 +430,7 @@ static void shake128_init(EVP_MD_CTX *ctx) {
 }
 
 static void shake128_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
-  CHECK(SHA3_Update(ctx->md_data, data, count));
+  CHECK(SHAKE_Absorb(ctx->md_data, data, count));
 }
 
 static void shake128_final(EVP_MD_CTX *ctx, uint8_t *md, size_t len) {
@@ -455,7 +455,7 @@ static void shake256_init(EVP_MD_CTX *ctx) {
 }
 
 static void shake256_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
-  CHECK(SHA3_Update(ctx->md_data, data, count));
+  CHECK(SHAKE_Absorb(ctx->md_data, data, count));
 }
 
 static void shake256_finalXOF(EVP_MD_CTX *ctx, uint8_t *md, size_t len) {

@@ -29,8 +29,8 @@ void kyber_shake128_absorb(KECCAK1600_CTX *ctx,
   // SHAKE_Init always returns 1 when called with correct block size value
   SHAKE_Init(ctx, SHAKE128_BLOCKSIZE);
 
-  // SHA3_Update always returns 1 on first call of sizeof(extseed) (34 bytes)
-  SHA3_Update(ctx, extseed, sizeof(extseed));
+  // SHAKE_Absorb always returns 1 on first call of sizeof(extseed) (34 bytes)
+  SHAKE_Absorb(ctx, extseed, sizeof(extseed));
 }
 
 /*************************************************
@@ -48,8 +48,8 @@ void kyber_shake128_absorb(KECCAK1600_CTX *ctx,
 void kyber_shake128_squeeze(KECCAK1600_CTX *ctx, uint8_t *out, int nblocks)
 {
   // Return code checks can be omitted
-  // SHAKE_Final always returns 1
-  SHAKE_Final(out, ctx, nblocks * SHAKE128_BLOCKSIZE);
+  // SHAKE_Squeeze always returns 1 when |ctx->padded| flag is cleared
+  SHAKE_Squeeze(out, ctx, nblocks * SHAKE128_BLOCKSIZE);
 }
 
 /*************************************************
@@ -94,12 +94,12 @@ void kyber_shake256_rkprf(ml_kem_params *params, uint8_t out[KYBER_SSBYTES], con
   // SHAKE_Init always returns 1 when called with correct block size value
   SHAKE_Init(&ctx, SHAKE256_BLOCKSIZE);
 
-  // SHA3_Update always returns 1 on first call of KYBER_SYMBYTES (32 bytes)
-  SHA3_Update(&ctx, key, KYBER_SYMBYTES);
+  // SHAKE_Absorb always returns 1 on first call of KYBER_SYMBYTES (32 bytes)
+  SHAKE_Absorb(&ctx, key, KYBER_SYMBYTES);
 
-  // SHA3_Update always returns 1 processing all data blocks that don't need pad
-  SHA3_Update(&ctx, input, params->ciphertext_bytes);
+  // SHAKE_Absorb always returns 1 processing all data blocks that don't need pad
+  SHAKE_Absorb(&ctx, input, params->ciphertext_bytes);
 
-  // SHAKE_Final always returns 1
-  SHAKE_Final(out, &ctx, KYBER_SSBYTES);
+  // SHAKE_Squeeze always returns 1 when |ctx->padded| flag is cleared (no previous calls to SHAKE_Squeeze)
+  SHAKE_Squeeze(out, &ctx, KYBER_SSBYTES);
 }
@@ -343,10 +343,10 @@
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
 .size	KeccakF1600,.-KeccakF1600
-.globl	SHA3_Absorb_hw
-.type	SHA3_Absorb_hw,%function
+.globl	Keccak1600_Absorb_hw
+.type	Keccak1600_Absorb_hw,%function
 .align	5
-SHA3_Absorb_hw:
+Keccak1600_Absorb_hw:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-128]!
 	add	x29,sp,#0
@@ -438,15 +438,15 @@
 	ldp	x29,x30,[sp],#128
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	SHA3_Absorb_hw,.-SHA3_Absorb_hw
+.size	Keccak1600_Absorb_hw,.-Keccak1600_Absorb_hw
 ___
 {
 my ($A_flat,$out,$len,$bsz) = map("x$_",(19..22));
 $code.=<<___;
-.globl	SHA3_Squeeze_hw
-.type	SHA3_Squeeze_hw,%function
+.globl	Keccak1600_Squeeze_hw
+.type	Keccak1600_Squeeze_hw,%function
 .align	5
-SHA3_Squeeze_hw:
+Keccak1600_Squeeze_hw:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-48]!
 	add	x29,sp,#0
@@ -512,7 +512,7 @@
 	ldp	x29,x30,[sp],#48
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	SHA3_Squeeze_hw,.-SHA3_Squeeze_hw
+.size	Keccak1600_Squeeze_hw,.-Keccak1600_Squeeze_hw
 ___
 }								}}}
 								{{{
@@ -650,10 +650,10 @@
 my ($ctx,$inp,$len,$bsz) = map("x$_",(0..3));
 
 $code.=<<___;
-.globl	SHA3_Absorb_cext
-.type	SHA3_Absorb_cext,%function
+.globl	Keccak1600_Absorb_cext
+.type	Keccak1600_Absorb_cext,%function
 .align	5
-SHA3_Absorb_cext:
+Keccak1600_Absorb_cext:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-80]!
 	add	x29,sp,#0
@@ -722,16 +722,16 @@
 	ldp	x29,x30,[sp],#80
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	SHA3_Absorb_cext,.-SHA3_Absorb_cext
+.size	Keccak1600_Absorb_cext,.-Keccak1600_Absorb_cext
 ___
 }
 {
 my ($ctx,$out,$len,$bsz) = map("x$_",(0..3));
 $code.=<<___;
-.globl	SHA3_Squeeze_cext
-.type	SHA3_Squeeze_cext,%function
+.globl	Keccak1600_Squeeze_cext
+.type	Keccak1600_Squeeze_cext,%function
 .align	5
-SHA3_Squeeze_cext:
+Keccak1600_Squeeze_cext:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-16]!
 	add	x29,sp,#0
@@ -787,7 +787,7 @@
 	ldr	x29,[sp],#16
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	SHA3_Squeeze_cext,.-SHA3_Squeeze_cext
+.size	Keccak1600_Squeeze_cext,.-Keccak1600_Squeeze_cext
 ___
 }								}}}
 $code.=<<___;