* cipher/dilithium.h: New.
* cipher/dilithium-common.c: Add static qualifier to functions.
* cipher/dilithium-dep.c: Move function declarations from
dilithium.c and add undef-s.
* cipher/dilithium.c: Support use of DILITHIUM_MODE.

--

GnuPG-bug-id: 7640
Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
---
 cipher/dilithium-common.c |  43 +++-
 cipher/dilithium-dep.c    |  76 ++++++
 cipher/dilithium.c        | 473 ++++++++++++++++++++++++++++----------
 cipher/dilithium.h        | 171 ++++++++++++++
 4 files changed, 634 insertions(+), 129 deletions(-)
 create mode 100644 cipher/dilithium.h

diff --git a/cipher/dilithium-common.c b/cipher/dilithium-common.c
index 47d5f7d6..27579798 100644
--- a/cipher/dilithium-common.c
+++ b/cipher/dilithium-common.c
@@ -143,6 +143,25 @@ void invntt_tomont(int32_t a[N]) {
     a[j] = montgomery_reduce((int64_t)f * a[j]);
   }
 }
+/*************** dilithium/ref/rounding.h */
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+static int32_t decompose_88(int32_t *a0, int32_t a);
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+static int32_t decompose_32(int32_t *a0, int32_t a);
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+static unsigned int make_hint_88(int32_t a0, int32_t a1);
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+static unsigned int make_hint_32(int32_t a0, int32_t a1);
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+static int32_t use_hint_88(int32_t a, unsigned int hint);
+#endif
+#if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+static int32_t use_hint_32(int32_t a, unsigned int hint);
+#endif
 /*************** dilithium/ref/rounding.c */
 
 /*************************************************
@@ -468,6 +487,7 @@ void poly_power2round(poly *a1, poly *a0, const poly *a) {
 *              - const poly *a: pointer to input polynomial
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+static
 void poly_decompose_88(poly *a1, poly *a0, const poly *a) {
   unsigned int i;
   DBENCH_START();
@@ -479,6 +499,7 @@ void poly_decompose_88(poly *a1, poly *a0, const poly *a) {
 }
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+static
 void poly_decompose_32(poly *a1, poly *a0, const poly *a) {
   unsigned int i;
   DBENCH_START();
@@ -504,6 +525,7 @@ void poly_decompose_32(poly *a1, poly *a0, const poly *a) {
 * Returns number of 1 bits.
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+static
 unsigned int poly_make_hint_88(poly *h, const poly *a0, const poly *a1) {
   unsigned int i, s = 0;
   DBENCH_START();
@@ -518,6 +540,7 @@ unsigned int poly_make_hint_88(poly *h, const poly *a0, const poly *a1) {
 }
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+static
 unsigned int poly_make_hint_32(poly *h, const poly *a0, const poly *a1) {
   unsigned int i, s = 0;
   DBENCH_START();
@@ -542,6 +565,7 @@ unsigned int poly_make_hint_32(poly *h, const poly *a0, const poly *a1) {
 *              - const poly *h: pointer to input hint polynomial
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+static
 void poly_use_hint_88(poly *b, const poly *a, const poly *h) {
   unsigned int i;
   DBENCH_START();
@@ -553,6 +577,7 @@ void poly_use_hint_88(poly *b, const poly *a, const poly *h) {
 }
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+static
 void poly_use_hint_32(poly *b, const poly *a, const poly *h) {
   unsigned int i;
   DBENCH_START();
@@ -759,6 +784,7 @@ static unsigned int rej_eta_4(int32_t *a,
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2 || DILITHIUM_MODE == 5
 #define POLY_UNIFORM_ETA_NBLOCKS_2 ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
+static
 void poly_uniform_eta_2(poly *a,
                         const uint8_t seed[CRHBYTES],
                         uint16_t nonce)
@@ -782,6 +808,7 @@ void poly_uniform_eta_2(poly *a,
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3
 #define POLY_UNIFORM_ETA_NBLOCKS_4 ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
+static
 void poly_uniform_eta_4(poly *a,
                         const uint8_t seed[CRHBYTES],
                         uint16_t nonce)
@@ -817,7 +844,8 @@ void poly_uniform_eta_4(poly *a,
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
 #define POLY_UNIFORM_GAMMA1_NBLOCKS_17 ((POLYZ_PACKEDBYTES_17 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void polyz_unpack_17(poly *r, const uint8_t *a);/* Forward declarations */
+static void polyz_unpack_17(poly *r, const uint8_t *a);/* Forward declarations */
+static
 void poly_uniform_gamma1_17(poly *a,
                             const uint8_t seed[CRHBYTES],
                             uint16_t nonce)
@@ -833,7 +861,8 @@ void poly_uniform_gamma1_17(poly *a,
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
 #define POLY_UNIFORM_GAMMA1_NBLOCKS_19 ((POLYZ_PACKEDBYTES_19 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void polyz_unpack_19(poly *r, const uint8_t *a);/* Forward declarations */
+static void polyz_unpack_19(poly *r, const uint8_t *a);/* Forward declarations */
+static
 void poly_uniform_gamma1_19(poly *a,
                             const uint8_t seed[CRHBYTES],
                             uint16_t nonce)
@@ -858,6 +887,7 @@ void poly_uniform_gamma1_19(poly *a,
 *              - const poly *a: pointer to input polynomial
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2 || DILITHIUM_MODE == 5
+static
 void polyeta_pack_2(uint8_t *r, const poly *a) {
   unsigned int i;
   uint8_t t[8];
@@ -882,6 +912,7 @@ void polyeta_pack_2(uint8_t *r, const poly *a) {
 }
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3
+static
 void polyeta_pack_4(uint8_t *r, const poly *a) {
   unsigned int i;
   uint8_t t[8];
@@ -906,6 +937,7 @@ void polyeta_pack_4(uint8_t *r, const poly *a) {
 *              - const uint8_t *a: byte array with bit-packed polynomial
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2 || DILITHIUM_MODE == 5
+static
 void polyeta_unpack_2(poly *r, const uint8_t *a) {
   unsigned int i;
   DBENCH_START();
@@ -934,6 +966,7 @@ void polyeta_unpack_2(poly *r, const uint8_t *a) {
 }
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3
+static
 void polyeta_unpack_4(poly *r, const uint8_t *a) {
   unsigned int i;
   DBENCH_START();
@@ -1119,6 +1152,7 @@ void polyt0_unpack(poly *r, const uint8_t *a) {
 *              - const poly *a: pointer to input polynomial
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+static
 void polyz_pack_17(uint8_t *r, const poly *a) {
   unsigned int i;
   uint32_t t[4];
@@ -1148,6 +1182,7 @@ void polyz_pack_17(uint8_t *r, const poly *a) {
 }
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+static
 void polyz_pack_19(uint8_t *r, const poly *a) {
   unsigned int i;
   uint32_t t[4];
@@ -1179,6 +1214,7 @@ void polyz_pack_19(uint8_t *r, const poly *a) {
 *              - const uint8_t *a: byte array with bit-packed polynomial
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+static
 void polyz_unpack_17(poly *r, const uint8_t *a) {
   unsigned int i;
   DBENCH_START();
@@ -1214,6 +1250,7 @@ void polyz_unpack_17(poly *r, const uint8_t *a) {
 }
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+static
 void polyz_unpack_19(poly *r, const uint8_t *a) {
   unsigned int i;
   DBENCH_START();
@@ -1248,6 +1285,7 @@ void polyz_unpack_19(poly *r, const uint8_t *a) {
 *              - const poly *a: pointer to input polynomial
 **************************************************/
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+static
 void polyw1_pack_88(uint8_t *r, const poly *a) {
   unsigned int i;
   DBENCH_START();
@@ -1265,6 +1303,7 @@ void polyw1_pack_88(uint8_t *r, const poly *a) {
 }
 #endif
 #if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+static
 void polyw1_pack_32(uint8_t *r, const poly *a) {
   unsigned int i;
   DBENCH_START();
diff --git a/cipher/dilithium-dep.c b/cipher/dilithium-dep.c
index a59bbeaf..3228ea89 100644
--- a/cipher/dilithium-dep.c
+++ b/cipher/dilithium-dep.c
@@ -372,6 +372,7 @@ int unpack_sig(uint8_t c[CTILDEBYTES],
 * Arguments:   - poly *c: pointer to output polynomial
 *              - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES
 **************************************************/
+static
 void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) {
   unsigned int i, b, pos;
   uint64_t signs;
@@ -1292,3 +1293,78 @@ badsig:
   return -1;
 }
 #endif
+
+#undef DILITHIUM_MODE
+
+#undef CRYPTO_PUBLICKEYBYTES
+#undef CRYPTO_SECRETKEYBYTES
+#undef CRYPTO_BYTES
+#undef POLYZ_PACKEDBYTES
+#undef POLYW1_PACKEDBYTES
+#undef POLYETA_PACKEDBYTES
+
+#undef CRYPTO_ALGNAME
+#undef K
+#undef L
+#undef ETA
+#undef TAU
+#undef BETA
+#undef GAMMA1
+#undef GAMMA2
+#undef OMEGA
+#undef CTILDEBYTES
+
+#undef poly_decompose
+#undef poly_make_hint
+#undef poly_use_hint
+#undef poly_uniform_eta
+#undef poly_uniform_gamma1
+#undef polyz_pack
+#undef polyz_unpack
+#undef polyeta_pack
+#undef polyeta_unpack
+#undef polyw1_pack
+
+#undef polyvecl
+#undef polyveck
+#undef pack_pk
+#undef unpack_pk
+#undef pack_sk
+#undef unpack_sk
+#undef pack_sig
+#undef unpack_sig
+#undef poly_challenge
+#undef polyvec_matrix_expand
+#undef polyvec_matrix_pointwise_montgomery
+#undef polyveck_power2round
+#undef polyveck_make_hint
+#undef polyveck_use_hint
+#undef polyvecl_uniform_eta
+#undef polyvecl_uniform_gamma1
+#undef polyvecl_reduce
+#undef polyvecl_add
+#undef polyvecl_ntt
+#undef polyvecl_invntt_tomont
+#undef polyvecl_pointwise_poly_montgomery
+#undef polyvecl_pointwise_acc_montgomery
+#undef polyvecl_chknorm
+#undef polyveck_uniform_eta
+#undef polyveck_reduce
+#undef polyveck_caddq
+#undef polyveck_add
+#undef polyveck_sub
+#undef polyveck_shiftl
+#undef polyveck_ntt
+#undef polyveck_invntt_tomont
+#undef polyveck_pointwise_poly_montgomery
+#undef polyveck_chknorm
+#undef polyveck_pack_w1
+#undef polyveck_decompose
+#undef crypto_sign_keypair
+#undef crypto_sign_keypair_internal
+#undef crypto_sign_signature_internal
+#undef crypto_sign_signature
+#undef crypto_sign
+#undef crypto_sign_verify_internal
+#undef crypto_sign_verify
+#undef crypto_sign_open
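Review bot: The trailing `#undef DILITHIUM_MODE` at the start of this block removes the macro for the rest of whatever translation unit includes this file, including a build that supplied DILITHIUM_MODE on the command line, and nothing in the file states that including it is meant to consume the macro this way. Anything that tests DILITHIUM_MODE after the `# include "dilithium-dep.c"` line in dilithium.c (the new dilithium.h, for instance, checks `#if defined(DILITHIUM_MODE)`) would silently take the multi-variant path; whether such a test exists depends on include order that this diff does not show. A comment above the first `#undef` would make the contract explicit: `/* Reset DILITHIUM_MODE and every mode-dependent name so that dilithium.c can define the next mode and include this file again; after this point DILITHIUM_MODE is undefined in the including unit. */`.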
diff --git a/cipher/dilithium.c b/cipher/dilithium.c
index 758e1403..ccfcb62a 100644
--- a/cipher/dilithium.c
+++ b/cipher/dilithium.c
@@ -238,79 +238,30 @@ void shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen);
 #define SHA3_256_RATE 136
 
 /*************** dilithium/ref/params.h */
-#define SEEDBYTES 32
 #define CRHBYTES 64
 #define TRBYTES 64
-#define RNDBYTES 32
 #define N 256
 #define Q 8380417
 #define D 13
 #define ROOT_OF_UNITY 1753
 
-#if DILITHIUM_MODE == 2
-#define K 4
-#define L 4
-#define ETA 2
-#define TAU 39
-#define BETA 78
-#define GAMMA1 (1 << 17)
-#define GAMMA2 ((Q-1)/88)
-#define OMEGA 80
-#define CTILDEBYTES 32
-
-#elif DILITHIUM_MODE == 3
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 55
-#define CTILDEBYTES 48
-
-#elif DILITHIUM_MODE == 5
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 75
-#define CTILDEBYTES 64
-
-#endif
-
 #define POLYT1_PACKEDBYTES  320
 #define POLYT0_PACKEDBYTES  416
 #define POLYVECH_PACKEDBYTES (OMEGA + K)
 
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES   576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES   640
-#endif
-
-#if GAMMA2 == (Q-1)/88
-#define POLYW1_PACKEDBYTES  192
-#elif GAMMA2 == (Q-1)/32
-#define POLYW1_PACKEDBYTES  128
-#endif
-
-#if ETA == 2
-#define POLYETA_PACKEDBYTES  96
-#elif ETA == 4
-#define POLYETA_PACKEDBYTES 128
-#endif
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
-                               + TRBYTES \
-                               + L*POLYETA_PACKEDBYTES \
-                               + K*POLYETA_PACKEDBYTES \
-                               + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
+/* DILITHIUM_MODE dependent values */
+#define ETA2 2
+#define ETA4 4
+#define GAMMA1_17 (1 << 17)
+#define GAMMA1_19 (1 << 19)
+#define GAMMA2_32 ((Q-1)/32)
+#define GAMMA2_88 ((Q-1)/88)
+#define POLYZ_PACKEDBYTES_17   576
+#define POLYZ_PACKEDBYTES_19   640
+#define POLYW1_PACKEDBYTES_88  192
+#define POLYW1_PACKEDBYTES_32  128
+#define POLYETA_PACKEDBYTES_2  96
+#define POLYETA_PACKEDBYTES_4 128
 
 /*************** dilithium/ref/poly.h */
 typedef struct {
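Review bot: The new `/* DILITHIUM_MODE dependent values */` comment says the opposite of what the block under it holds: ETA2, GAMMA1_17, POLYZ_PACKEDBYTES_19 and the rest are the fixed per-parameter constants that do not depend on the mode, and the mode-dependent selection among them happens later in this file. I would rephrase it as `/* Constants for each parameter choice; the DILITHIUM_MODE selection below picks among them. */`. This hunk also drops `SEEDBYTES` and `RNDBYTES` while the surviving `poly_uniform` declaration in the next hunk still uses `SEEDBYTES`, so dilithium.c must now include dilithium.h before that point; the include is not visible in this diff, so I could not confirm it.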
@@ -329,24 +280,11 @@ static void poly_invntt_tomont(poly *a);
 static void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
 
 static void poly_power2round(poly *a1, poly *a0, const poly *a);
-static void poly_decompose(poly *a1, poly *a0, const poly *a);
-static unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1);
-static void poly_use_hint(poly *b, const poly *a, const poly *h);
 
 static int poly_chknorm(const poly *a, int32_t B);
 static void poly_uniform(poly *a,
                          const uint8_t seed[SEEDBYTES],
                          uint16_t nonce);
-static void poly_uniform_eta(poly *a,
-                             const uint8_t seed[CRHBYTES],
-                             uint16_t nonce);
-static void poly_uniform_gamma1(poly *a,
-                                const uint8_t seed[CRHBYTES],
-                                uint16_t nonce);
-static void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]);
-
-static void polyeta_pack(uint8_t *r, const poly *a);
-static void polyeta_unpack(poly *r, const uint8_t *a);
 
 static void polyt1_pack(uint8_t *r, const poly *a);
 static void polyt1_unpack(poly *r, const uint8_t *a);
@@ -354,11 +292,6 @@ static void polyt1_unpack(poly *r, const uint8_t *a);
 static void polyt0_pack(uint8_t *r, const poly *a);
 static void polyt0_unpack(poly *r, const uint8_t *a);
 
-static void polyz_pack(uint8_t *r, const poly *a);
-static void polyz_unpack(poly *r, const uint8_t *a);
-
-static void polyw1_pack(uint8_t *r, const poly *a);
-
 /*************** dilithium/ref/reduce.h */
 #define MONT -4186625 /* 2^32 % Q */
 #define QINV 58728449 /* q^(-1) mod 2^32 */
@@ -374,52 +307,6 @@ static int32_t freeze(int32_t a);
 /*************** dilithium/ref/rounding.h */
 static int32_t power2round(int32_t *a0, int32_t a);
 
-static int32_t decompose(int32_t *a0, int32_t a);
-
-static unsigned int make_hint(int32_t a0, int32_t a1);
-
-static int32_t use_hint(int32_t a, unsigned int hint);
-
-/*************** dilithium/ref/sign.h */
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int crypto_sign_signature_internal(uint8_t *sig,
-                                   size_t *siglen,
-                                   const uint8_t *m,
-                                   size_t mlen,
-                                   const uint8_t *pre,
-                                   size_t prelen,
-                                   const uint8_t rnd[RNDBYTES],
-                                   const uint8_t *sk);
-
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
-                          const uint8_t *m, size_t mlen,
-                          const uint8_t *ctx, size_t ctxlen,
-                          const uint8_t *sk);
-
-int crypto_sign(uint8_t *sm, size_t *smlen,
-                const uint8_t *m, size_t mlen,
-                const uint8_t *ctx, size_t ctxlen,
-                const uint8_t *sk);
-
-int crypto_sign_verify_internal(const uint8_t *sig,
-                                size_t siglen,
-                                const uint8_t *m,
-                                size_t mlen,
-                                const uint8_t *pre,
-                                size_t prelen,
-                                const uint8_t *pk);
-
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
-                       const uint8_t *m, size_t mlen,
-                       const uint8_t *ctx, size_t ctxlen,
-                       const uint8_t *pk);
-
-int crypto_sign_open(uint8_t *m, size_t *mlen,
-                     const uint8_t *sm, size_t smlen,
-                     const uint8_t *ctx, size_t ctxlen,
-                     const uint8_t *pk);
-
 /*************** dilithium/ref/symmetric.h */
 typedef keccak_state stream128_state;
 typedef keccak_state stream256_state;
@@ -483,4 +370,336 @@ static void shake128_close (keccak_state *state) { (void)state; }
 #endif
 
 #include "dilithium-common.c"
-#include "dilithium-dep.c"
+
+#ifdef DILITHIUM_MODE
+
+# if DILITHIUM_MODE == 2
+# define CRYPTO_ALGNAME "Dilithium2"
+# define K 4
+# define L 4
+# define ETA 2
+# define TAU 39
+# define BETA 78
+# define GAMMA1 (1 << 17)
+# define GAMMA2 ((Q-1)/88)
+# define OMEGA 80
+# define CTILDEBYTES 32
+
+# define poly_decompose poly_decompose_88
+# define poly_make_hint poly_make_hint_88
+# define poly_use_hint poly_use_hint_88
+# define poly_uniform_eta poly_uniform_eta_2
+# define poly_uniform_gamma1 poly_uniform_gamma1_17
+# define polyz_pack polyz_pack_17
+# define polyz_unpack polyz_unpack_17
+# define polyeta_pack polyeta_pack_2
+# define polyeta_unpack polyeta_unpack_2
+# define polyw1_pack polyw1_pack_88
+
+# elif DILITHIUM_MODE == 3
+# define CRYPTO_ALGNAME "Dilithium3"
+# define K 6
+# define L 5
+# define ETA 4
+# define TAU 49
+# define BETA 196
+# define GAMMA1 (1 << 19)
+# define GAMMA2 ((Q-1)/32)
+# define OMEGA 55
+# define CTILDEBYTES 48
+
+# define poly_decompose poly_decompose_32
+# define poly_make_hint poly_make_hint_32
+# define poly_use_hint poly_use_hint_32
+# define poly_uniform_eta poly_uniform_eta_4
+# define poly_uniform_gamma1 poly_uniform_gamma1_19
+# define polyz_pack polyz_pack_19
+# define polyz_unpack polyz_unpack_19
+# define polyeta_pack polyeta_pack_4
+# define polyeta_unpack polyeta_unpack_4
+# define polyw1_pack polyw1_pack_32
+
+# elif DILITHIUM_MODE == 5
+# define CRYPTO_ALGNAME "Dilithium5"
+# define K 8
+# define L 7
+# define ETA 2
+# define TAU 60
+# define BETA 120
+# define GAMMA1 (1 << 19)
+# define GAMMA2 ((Q-1)/32)
+# define OMEGA 75
+# define CTILDEBYTES 64
+
+# define poly_decompose poly_decompose_32
+# define poly_make_hint poly_make_hint_32
+# define poly_use_hint poly_use_hint_32
+# define poly_uniform_eta poly_uniform_eta_2
+# define poly_uniform_gamma1 poly_uniform_gamma1_19
+# define polyz_pack polyz_pack_19
+# define polyz_unpack polyz_unpack_19
+# define polyeta_pack polyeta_pack_2
+# define polyeta_unpack polyeta_unpack_2
+# define polyw1_pack polyw1_pack_32
+
+# endif
+
+# if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+# define POLYZ_PACKEDBYTES   POLYZ_PACKEDBYTES_17
+# endif
+# if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+# define POLYZ_PACKEDBYTES   POLYZ_PACKEDBYTES_19
+# endif
+
+# if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2
+# define POLYW1_PACKEDBYTES  POLYW1_PACKEDBYTES_88
+# endif
+# if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3 || DILITHIUM_MODE == 5
+# define POLYW1_PACKEDBYTES  POLYW1_PACKEDBYTES_32
+# endif
+
+# if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 2 || DILITHIUM_MODE == 5
+# define POLYETA_PACKEDBYTES POLYETA_PACKEDBYTES_2
+# endif
+# if !defined(DILITHIUM_MODE) || DILITHIUM_MODE == 3
+# define POLYETA_PACKEDBYTES POLYETA_PACKEDBYTES_4
+# endif
+
+# include "dilithium-dep.c"
+#else
+
+# define CRYPTO_ALGNAME "Dilithium"
+
+# define VARIANT2(name) name ## _2
+# define VARIANT3(name) name ## _3
+# define VARIANT5(name) name ## _5
+
+# define DILITHIUM_MODE 2
+
+# define CRYPTO_PUBLICKEYBYTES CRYPTO_PUBLICKEYBYTES_2
+# define CRYPTO_SECRETKEYBYTES CRYPTO_SECRETKEYBYTES_2
+# define CRYPTO_BYTES CRYPTO_BYTES_2
+# define POLYZ_PACKEDBYTES POLYZ_PACKEDBYTES_17
+# define POLYW1_PACKEDBYTES POLYW1_PACKEDBYTES_88
+# define POLYETA_PACKEDBYTES POLYETA_PACKEDBYTES_2
+
+# define K 4
+# define L 4
+# define ETA 2
+# define TAU 39
+# define BETA 78
+# define GAMMA1 (1 << 17)
+# define GAMMA2 ((Q-1)/88)
+# define OMEGA 80
+# define CTILDEBYTES 32
+
+# define poly_decompose poly_decompose_88
+# define poly_make_hint poly_make_hint_88
+# define poly_use_hint poly_use_hint_88
+# define poly_uniform_eta poly_uniform_eta_2
+# define poly_uniform_gamma1 poly_uniform_gamma1_17
+# define polyz_pack polyz_pack_17
+# define polyz_unpack polyz_unpack_17
+# define polyeta_pack polyeta_pack_2
+# define polyeta_unpack polyeta_unpack_2
+# define polyw1_pack polyw1_pack_88
+
+# define polyvecl VARIANT2(polyvecl)
+# define polyveck VARIANT2(polyveck)
+# define pack_pk VARIANT2(pack_pk)
+# define unpack_pk VARIANT2(unpack_pk)
+# define pack_sk VARIANT2(pack_sk)
+# define unpack_sk VARIANT2(unpack_sk)
+# define pack_sig VARIANT2(pack_sig)
+# define unpack_sig VARIANT2(unpack_sig)
+# define poly_challenge VARIANT2(poly_challenge)
+# define polyvec_matrix_expand VARIANT2(polyvec_matrix_expand)
+# define polyvec_matrix_pointwise_montgomery VARIANT2(polyvec_matrix_pointwise_montgomery)
+# define polyveck_power2round VARIANT2(polyvec_power2round)
+# define polyveck_make_hint VARIANT2(polyvec_make_hint)
+# define polyveck_use_hint VARIANT2(polyvec_use_hint)
+# define polyvecl_uniform_eta VARIANT2(polyvecl_uniform_eta)
+# define polyvecl_uniform_gamma1 VARIANT2(polyvecl_uniform_gamma1)
+# define polyvecl_reduce VARIANT2(polyvecl_reduce)
+# define polyvecl_add VARIANT2(polyvecl_add)
+# define polyvecl_ntt VARIANT2(polyvecl_ntt)
+# define polyvecl_invntt_tomont VARIANT2(polyvecl_invntt_tomont)
+# define polyvecl_pointwise_poly_montgomery VARIANT2(polyvecl_pointwise_poly_montgomery)
+# define polyvecl_pointwise_acc_montgomery VARIANT2(polyvecl_pointwise_acc_montgomery)
+# define polyvecl_chknorm VARIANT2(polyvecl_chknorm)
+# define polyveck_uniform_eta VARIANT2(polyveck_uniform_eta)
+# define polyveck_reduce VARIANT2(polyveck_reduce)
+# define polyveck_caddq VARIANT2(polyveck_caddq)
+# define polyveck_add VARIANT2(polyveck_add)
+# define polyveck_sub VARIANT2(polyveck_sub)
+# define polyveck_shiftl VARIANT2(polyveck_shiftl)
+# define polyveck_ntt VARIANT2(polyveck_ntt)
+# define polyveck_invntt_tomont VARIANT2(polyveck_invntt_tomont)
+# define polyveck_pointwise_poly_montgomery VARIANT2(polyveck_pointwise_poly_montgomery)
+# define polyveck_chknorm VARIANT2(polyveck_chknorm)
+# define polyveck_pack_w1 VARIANT2(polyveck_pack_w1)
+# define polyveck_decompose VARIANT2(polyveck_decompose)
+# define crypto_sign_keypair VARIANT2(crypto_sign_keypair)
+# define crypto_sign_keypair_internal VARIANT2(crypto_sign_keypair_internal)
+# define crypto_sign_signature_internal VARIANT2(crypto_sign_signature_internal)
+# define crypto_sign_signature VARIANT2(crypto_sign_signature)
+# define crypto_sign VARIANT2(crypto_sign)
+# define crypto_sign_verify_internal VARIANT2(crypto_sign_verify_internal)
+# define crypto_sign_verify VARIANT2(crypto_sign_verify)
+# define crypto_sign_open VARIANT2(crypto_sign_open)
+
+# include "dilithium-dep.c"
+
+# define DILITHIUM_MODE 3
+
+# define CRYPTO_PUBLICKEYBYTES CRYPTO_PUBLICKEYBYTES_3
+# define CRYPTO_SECRETKEYBYTES CRYPTO_SECRETKEYBYTES_3
+# define CRYPTO_BYTES CRYPTO_BYTES_3
+# define POLYZ_PACKEDBYTES POLYZ_PACKEDBYTES_19
+# define POLYW1_PACKEDBYTES POLYW1_PACKEDBYTES_32
+# define POLYETA_PACKEDBYTES POLYETA_PACKEDBYTES_4
+
+# define K 6
+# define L 5
+# define ETA 4
+# define TAU 49
+# define BETA 196
+# define GAMMA1 (1 << 19)
+# define GAMMA2 ((Q-1)/32)
+# define OMEGA 55
+# define CTILDEBYTES 48
+
+# define poly_decompose poly_decompose_32
+# define poly_make_hint poly_make_hint_32
+# define poly_use_hint poly_use_hint_32
+# define poly_uniform_eta poly_uniform_eta_4
+# define poly_uniform_gamma1 poly_uniform_gamma1_19
+# define polyz_pack polyz_pack_19
+# define polyz_unpack polyz_unpack_19
+# define polyeta_pack polyeta_pack_4
+# define polyeta_unpack polyeta_unpack_4
+# define polyw1_pack polyw1_pack_32
+
+# define polyvecl VARIANT3(polyvecl)
+# define polyveck VARIANT3(polyveck)
+# define pack_pk VARIANT3(pack_pk)
+# define unpack_pk VARIANT3(unpack_pk)
+# define pack_sk VARIANT3(pack_sk)
+# define unpack_sk VARIANT3(unpack_sk)
+# define pack_sig VARIANT3(pack_sig)
+# define unpack_sig VARIANT3(unpack_sig)
+# define poly_challenge VARIANT3(poly_challenge)
+# define polyvec_matrix_expand VARIANT3(polyvec_matrix_expand)
+# define polyvec_matrix_pointwise_montgomery VARIANT3(polyvec_matrix_pointwise_montgomery)
+# define polyveck_power2round VARIANT3(polyvec_power2round)
+# define polyveck_make_hint VARIANT3(polyvec_make_hint)
+# define polyveck_use_hint VARIANT3(polyvec_use_hint)
+# define polyvecl_uniform_eta VARIANT3(polyvecl_uniform_eta)
+# define polyvecl_uniform_gamma1 VARIANT3(polyvecl_uniform_gamma1)
+# define polyvecl_reduce VARIANT3(polyvecl_reduce)
+# define polyvecl_add VARIANT3(polyvecl_add)
+# define polyvecl_ntt VARIANT3(polyvecl_ntt)
+# define polyvecl_invntt_tomont VARIANT3(polyvecl_invntt_tomont)
+# define polyvecl_pointwise_poly_montgomery VARIANT3(polyvecl_pointwise_poly_montgomery)
+# define polyvecl_pointwise_acc_montgomery VARIANT3(polyvecl_pointwise_acc_montgomery)
+# define polyvecl_chknorm VARIANT3(polyvecl_chknorm)
+# define polyveck_uniform_eta VARIANT3(polyveck_uniform_eta)
+# define polyveck_reduce VARIANT3(polyveck_reduce)
+# define polyveck_caddq VARIANT3(polyveck_caddq)
+# define polyveck_add VARIANT3(polyveck_add)
+# define polyveck_sub VARIANT3(polyveck_sub)
+# define polyveck_shiftl VARIANT3(polyveck_shiftl)
+# define polyveck_ntt VARIANT3(polyveck_ntt)
+# define polyveck_invntt_tomont VARIANT3(polyveck_invntt_tomont)
+# define polyveck_pointwise_poly_montgomery VARIANT3(polyveck_pointwise_poly_montgomery)
+# define polyveck_chknorm VARIANT3(polyveck_chknorm)
+# define polyveck_pack_w1 VARIANT3(polyveck_pack_w1)
+# define polyveck_decompose VARIANT3(polyveck_decompose)
+# define crypto_sign_keypair VARIANT3(crypto_sign_keypair)
+# define crypto_sign_keypair_internal VARIANT3(crypto_sign_keypair_internal)
+# define crypto_sign_signature_internal VARIANT3(crypto_sign_signature_internal)
+# define crypto_sign_signature VARIANT3(crypto_sign_signature)
+# define crypto_sign VARIANT3(crypto_sign)
+# define crypto_sign_verify_internal VARIANT3(crypto_sign_verify_internal)
+# define crypto_sign_verify VARIANT3(crypto_sign_verify)
+# define crypto_sign_open VARIANT3(crypto_sign_open)
+
+# include "dilithium-dep.c"
+
+# define DILITHIUM_MODE 5
+
+# define CRYPTO_PUBLICKEYBYTES CRYPTO_PUBLICKEYBYTES_5
+# define CRYPTO_SECRETKEYBYTES CRYPTO_SECRETKEYBYTES_5
+# define CRYPTO_BYTES CRYPTO_BYTES_5
+# define POLYZ_PACKEDBYTES POLYZ_PACKEDBYTES_19
+# define POLYW1_PACKEDBYTES POLYW1_PACKEDBYTES_32
+# define POLYETA_PACKEDBYTES POLYETA_PACKEDBYTES_2
+
+# define K 8
+# define L 7
+# define ETA 2
+# define TAU 60
+# define BETA 120
+# define GAMMA1 (1 << 19)
+# define GAMMA2 ((Q-1)/32)
+# define OMEGA 75
+# define CTILDEBYTES 64
+
+# define poly_decompose poly_decompose_32
+# define poly_make_hint poly_make_hint_32
+# define poly_use_hint poly_use_hint_32
+# define poly_uniform_eta poly_uniform_eta_2
+# define poly_uniform_gamma1 poly_uniform_gamma1_19
+# define polyz_pack polyz_pack_19
+# define polyz_unpack polyz_unpack_19
+# define polyeta_pack polyeta_pack_2
+# define polyeta_unpack polyeta_unpack_2
+# define polyw1_pack polyw1_pack_32
+
+# define polyvecl VARIANT5(polyvecl)
+# define polyveck VARIANT5(polyveck)
+# define pack_pk VARIANT5(pack_pk)
+# define unpack_pk VARIANT5(unpack_pk)
+# define pack_sk VARIANT5(pack_sk)
+# define unpack_sk VARIANT5(unpack_sk)
+# define pack_sig VARIANT5(pack_sig)
+# define unpack_sig VARIANT5(unpack_sig)
+# define poly_challenge VARIANT5(poly_challenge)
+# define polyvec_matrix_expand VARIANT5(polyvec_matrix_expand)
+# define polyvec_matrix_pointwise_montgomery VARIANT5(polyvec_matrix_pointwise_montgomery)
+# define polyveck_power2round VARIANT5(polyvec_power2round)
+# define polyveck_make_hint VARIANT5(polyvec_make_hint)
+# define polyveck_use_hint VARIANT5(polyvec_use_hint)
+# define polyvecl_uniform_eta VARIANT5(polyvecl_uniform_eta)
+# define polyvecl_uniform_gamma1 VARIANT5(polyvecl_uniform_gamma1)
+# define polyvecl_reduce VARIANT5(polyvecl_reduce)
+# define polyvecl_add VARIANT5(polyvecl_add)
+# define polyvecl_ntt VARIANT5(polyvecl_ntt)
+# define polyvecl_invntt_tomont VARIANT5(polyvecl_invntt_tomont)
+# define polyvecl_pointwise_poly_montgomery VARIANT5(polyvecl_pointwise_poly_montgomery)
+# define polyvecl_pointwise_acc_montgomery VARIANT5(polyvecl_pointwise_acc_montgomery)
+# define polyvecl_chknorm VARIANT5(polyvecl_chknorm)
+# define polyveck_uniform_eta VARIANT5(polyveck_uniform_eta)
+# define polyveck_reduce VARIANT5(polyveck_reduce)
+# define polyveck_caddq VARIANT5(polyveck_caddq)
+# define polyveck_add VARIANT5(polyveck_add)
+# define polyveck_sub VARIANT5(polyveck_sub)
+# define polyveck_shiftl VARIANT5(polyveck_shiftl)
+# define polyveck_ntt VARIANT5(polyveck_ntt)
+# define polyveck_invntt_tomont VARIANT5(polyveck_invntt_tomont)
+# define polyveck_pointwise_poly_montgomery VARIANT5(polyveck_pointwise_poly_montgomery)
+# define polyveck_chknorm VARIANT5(polyveck_chknorm)
+# define polyveck_pack_w1 VARIANT5(polyveck_pack_w1)
+# define polyveck_decompose VARIANT5(polyveck_decompose)
+# define crypto_sign_keypair VARIANT5(crypto_sign_keypair)
+# define crypto_sign_keypair_internal VARIANT5(crypto_sign_keypair_internal)
+# define crypto_sign_signature_internal VARIANT5(crypto_sign_signature_internal)
+# define crypto_sign_signature VARIANT5(crypto_sign_signature)
+# define crypto_sign VARIANT5(crypto_sign)
+# define crypto_sign_verify_internal VARIANT5(crypto_sign_verify_internal)
+# define crypto_sign_verify VARIANT5(crypto_sign_verify)
+# define crypto_sign_open VARIANT5(crypto_sign_open)
+
+# include "dilithium-dep.c"
+
+#endif
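Review bot: The `polyveck_power2round`, `polyveck_make_hint` and `polyveck_use_hint` mappings in the VARIANT2 block drop the `k` from the suffixed name (`VARIANT2(polyvec_power2round)` expands to `polyvec_power2round_2`), unlike every other `polyveck_*` entry in the same block, and the VARIANT3 and VARIANT5 blocks repeat this. It compiles as long as nothing else refers to those symbols, but unless intentional it breaks the otherwise uniform rename and any matching declaration would have to use the unexpected name; I would write `# define polyveck_power2round VARIANT2(polyveck_power2round)`, `# define polyveck_make_hint VARIANT2(polyveck_make_hint)`, `# define polyveck_use_hint VARIANT2(polyveck_use_hint)` and the same for the other two variants. Separately, the `!defined(DILITHIUM_MODE)` alternatives in the six `# if` lines that pick POLYZ_PACKEDBYTES, POLYW1_PACKEDBYTES and POLYETA_PACKEDBYTES sit inside `#ifdef DILITHIUM_MODE` and can never be true, so they read as if a third configuration were handled there; `# if DILITHIUM_MODE == 2` (and the `== 3 || == 5` form) is enough.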
diff --git a/cipher/dilithium.h b/cipher/dilithium.h
new file mode 100644
index 00000000..7d3c9572
--- /dev/null
+++ b/cipher/dilithium.h
@@ -0,0 +1,171 @@
+/* dilithium.h - the Dilithium (header)
+ * Copyright (C) 2025 g10 Code GmbH
+ *
+ * This file was modified for use by Libgcrypt.
+ *
+ * This file is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <https://www.gnu.org/licenses/>.
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * You can also use this file under the same licence of original code.
+ * SPDX-License-Identifier: CC0 OR Apache-2.0
+ *
+ */
+/*
+  Original code from:
+
+  Repository: https://github.com/pq-crystals/dilithium.git
+  Branch: master
+  Commit: 444cdcc84eb36b66fe27b3a2529ee48f6d8150c2
+
+  Licence:
+  Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/);
+  or Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0.html).
+
+  Authors:
+        Léo Ducas
+        Eike Kiltz
+        Tancrède Lepoint
+        Vadim Lyubashevsky
+        Gregor Seiler
+        Peter Schwabe
+        Damien Stehlé
+
+  Dilithium Home: https://github.com/pq-crystals/dilithium.git
+ */
+/* Standalone use is possible either with DILITHIUM_MODE defined with
+ * the value (2, 3, or 5), or not defined.  For the latter, routines
+ * for three variants are available.
+ */
+#ifndef DILITHIUM_H
+#define DILITHIUM_H
+
+#define SEEDBYTES 32
+#define RNDBYTES 32
+
+#if defined(DILITHIUM_MODE)
+#ifndef DILITHIUM_INTERNAL_API_ONLY
+int crypto_sign_keypair (uint8_t *pk, uint8_t *sk);
+int crypto_sign_signature(uint8_t *sig, size_t *siglen,
+                          const uint8_t *m, size_t mlen,
+                          const uint8_t *ctx, size_t ctxlen,
+                          const uint8_t *sk);
+int crypto_sign (uint8_t *sm, size_t *smlen,
+                 const uint8_t *m, size_t mlen,
+                 const uint8_t *ctx, size_t ctxlen,
+                 const uint8_t *sk);
+int crypto_sign_verify(const uint8_t *sig, size_t siglen,
+                       const uint8_t *m, size_t mlen,
+                       const uint8_t *ctx, size_t ctxlen,
+                       const uint8_t *pk);
+int crypto_sign_open (uint8_t *m, size_t *mlen,
+                      const uint8_t *sm, size_t smlen,
+                      const uint8_t *ctx, size_t ctxlen,
+                      const uint8_t *pk);
+#endif
+int crypto_sign_keypair_internal (uint8_t *pk, uint8_t *sk,
+                                  const uint8_t seed[SEEDBYTES]);
+int crypto_sign_signature_internal (uint8_t *sig, size_t *siglen,
+                                    const uint8_t *m, size_t mlen,
+                                    const uint8_t *pre, size_t prelen,
+                                    const uint8_t rnd[RNDBYTES],
+                                    const uint8_t *sk);
+int crypto_sign_verify_internal (const uint8_t *sig, size_t siglen,
+                                 const uint8_t *m, size_t mlen,
+                                 const uint8_t *pre, size_t prelen,
+                                 const uint8_t *pk);
+
+# if DILITHIUM_MODE == 2
+# define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + 4*320)
+# define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+                                + 64 \
+                                + 4*96 \
+                                + 4*96 \
+                                + 4*416)
+# define CRYPTO_BYTES (32 + 4*576 + 80 + 4)
+# elif DILITHIUM_MODE == 3
+# define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + 6*320)
+# define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+                                + 64 \
+                                + 5*128 \
+                                + 6*128 \
+                                + 6*416)
+# define CRYPTO_BYTES (48 + 5*640 + 55 + 6)
+# elif DILITHIUM_MODE == 5
+# define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + 8*320)
+# define CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+                                + 64 \
+                                + 7*96 \
+                                + 8*96 \
+                                + 8*416)
+# define CRYPTO_BYTES (64 + 7*640 + 75 + 8)
+# else
+# error "DILITHIUM_MODE should be either 2, 3 or 5"
+# endif
+#else
+# ifndef DILITHIUM_INTERNAL_API_ONLY
+int crypto_sign_keypair_2 (uint8_t *pk, uint8_t *sk);
+int crypto_sign_keypair_3 (uint8_t *pk, uint8_t *sk);
+int crypto_sign_keypair_5 (uint8_t *pk, uint8_t *sk);
+int crypto_sign_2 (uint8_t *sm, size_t *smlen,
+                   const uint8_t *m, size_t mlen,
+                   const uint8_t *ctx, size_t ctxlen,
+                   const uint8_t *sk);
+int crypto_sign_3 (uint8_t *sm, size_t *smlen,
+                   const uint8_t *m, size_t mlen,
+                   const uint8_t *ctx, size_t ctxlen,
+                   const uint8_t *sk);
+int crypto_sign_5 (uint8_t *sm, size_t *smlen,
+                   const uint8_t *m, size_t mlen,
+                   const uint8_t *ctx, size_t ctxlen,
+                   const uint8_t *sk);
+int crypto_sign_open_2 (uint8_t *m, size_t *mlen,
+                        const uint8_t *sm, size_t smlen,
+                        const uint8_t *ctx, size_t ctxlen,
+                        const uint8_t *pk);
+int crypto_sign_open_3 (uint8_t *m, size_t *mlen,
+                        const uint8_t *sm, size_t smlen,
+                        const uint8_t *ctx, size_t ctxlen,
+                        const uint8_t *pk);
+int crypto_sign_open_5 (uint8_t *m, size_t *mlen,
+                        const uint8_t *sm, size_t smlen,
+                        const uint8_t *ctx, size_t ctxlen,
+                        const uint8_t *pk);
+# endif
+
+# define CRYPTO_PUBLICKEYBYTES_2 (SEEDBYTES + 4*320)
+# define CRYPTO_SECRETKEYBYTES_2 (2*SEEDBYTES \
+                                  + 64 \
+                                  + 4*96 \
+                                  + 4*96 \
+                                  + 4*416)
+# define CRYPTO_BYTES_2 (32 + 4*576 + 80 + 4)
+
+# define CRYPTO_PUBLICKEYBYTES_3 (SEEDBYTES + 6*320)
+# define CRYPTO_SECRETKEYBYTES_3 (2*SEEDBYTES \
+                                  + 64 \
+                                  + 5*128 \
+                                  + 6*128 \
+                                  + 6*416)
+# define CRYPTO_BYTES_3 (48 + 5*640 + 55 + 6)
+
+# define CRYPTO_PUBLICKEYBYTES_5 (SEEDBYTES + 8*320)
+# define CRYPTO_SECRETKEYBYTES_5 (2*SEEDBYTES \
+                                  + 64 \
+                                  + 7*96 \
+                                  + 8*96 \
+                                  + 8*416)
+# define CRYPTO_BYTES_5 (64 + 7*640 + 75 + 8)
+#endif
+
+#endif
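Review bot: Every prototype in the new header takes `uint8_t` and `size_t` arguments, but the header includes neither `<stdint.h>` nor `<stddef.h>`, so the "standalone use" promised in the comment above the include guard only works when the including translation unit happens to pull those headers in first. Add `#include <stddef.h>` and `#include <stdint.h>` directly after `#define DILITHIUM_H` so the header is self-contained. Separately, the multi-variant branch (`DILITHIUM_MODE` undefined) declares only `crypto_sign_keypair_N`, `crypto_sign_N` and `crypto_sign_open_N`, while the single-mode branch also exposes `crypto_sign_signature`, `crypto_sign_verify` and the `*_internal` entry points; since dilithium.c maps all of those names through `VARIANT5(...)`, the suffixed detached-signature and internal variants presumably exist too, and a caller using them would have no prototype. Either declare `crypto_sign_signature_N`/`crypto_sign_verify_N` (and the internal ones outside `DILITHIUM_INTERNAL_API_ONLY`) in that branch as well, or document that the multi-variant build intentionally exposes only the combined sign/open API.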