Start a Kyber implementation with basic Keccak code.

Change-Id: I8e9a0b83453e44bdecab017144596bd3d61898ac
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57385
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>

crypto/CMakeLists.txt

@@ -171,6 +171,7 @@ add_library(
   hkdf/hkdf.c
   hpke/hpke.c
   hrss/hrss.c
+  kyber/keccak.c
   lhash/lhash.c
   mem.c
   obj/obj.c
@@ -398,6 +399,7 @@ add_executable(
   hmac_extra/hmac_test.cc
   hrss/hrss_test.cc
   impl_dispatch_test.cc
+  kyber/kyber_test.cc
   lhash/lhash_test.cc
   obj/obj_test.cc
   pem/pem_test.cc

crypto/kyber/internal.h

@@ -0,0 +1,61 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_KYBER_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_KYBER_INTERNAL_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+struct BORINGSSL_keccak_st {
+  uint64_t state[25];
+  size_t rate_bytes;
+  size_t offset;
+};
+
+enum boringssl_keccak_config_t {
+  boringssl_sha3_256,
+  boringssl_sha3_512,
+  boringssl_shake128,
+  boringssl_shake256,
+};
+
+// BORINGSSL_keccak hashes |in_len| bytes from |in| and writes |out_len| bytes
+// of output to |out|. If the |config| specifies a fixed-output function, like
+// SHA3-256, then |out_len| must be the correct length for that function.
+OPENSSL_EXPORT void BORINGSSL_keccak(uint8_t *out, size_t out_len,
+                                     const uint8_t *in, size_t in_len,
+                                     enum boringssl_keccak_config_t config);
+
+// BORINGSSL_keccak_init absorbs |in_len| bytes from |in| and sets up |ctx| for
+// squeezing. The |config| must specify a SHAKE variant, otherwise callers
+// should use |BORINGSSL_keccak|.
+OPENSSL_EXPORT void BORINGSSL_keccak_init(
+    struct BORINGSSL_keccak_st *ctx, const uint8_t *in, size_t in_len,
+    enum boringssl_keccak_config_t config);
+
+// BORINGSSL_keccak_squeeze writes |out_len| bytes to |out| from |ctx|.
+OPENSSL_EXPORT void BORINGSSL_keccak_squeeze(
+    struct BORINGSSL_keccak_st *ctx, uint8_t *out, size_t out_len);
+
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_KYBER_INTERNAL_H

crypto/kyber/keccak.c

@@ -0,0 +1,205 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include "../internal.h"
+#include "./internal.h"
+
+
+// keccak_f implements the Keccak-1600 permutation as described at
+// https://keccak.team/keccak_specs_summary.html. Each lane is represented as a
+// 64-bit value and the 5×5 lanes are stored as an array in row-major order.
+static void keccak_f(uint64_t state[25]) {
+  static const int kNumRounds = 24;
+  for (int round = 0; round < kNumRounds; round++) {
+    // θ step
+    uint64_t c[5];
+    for (int x = 0; x < 5; x++) {
+      c[x] = state[x] ^ state[x + 5] ^ state[x + 10] ^ state[x + 15] ^
+             state[x + 20];
+    }
+
+    for (int x = 0; x < 5; x++) {
+      const uint64_t d = c[(x + 4) % 5] ^ CRYPTO_rotl_u64(c[(x + 1) % 5], 1);
+      for (int y = 0; y < 5; y++) {
+        state[y * 5 + x] ^= d;
+      }
+    }
+
+    // ρ and π steps.
+    //
+    // These steps involve a mapping of the state matrix. Each input point,
+    // (x,y), is rotated and written to the point (y, 2x + 3y). In the Keccak
+    // pseudo-code a separate array is used because an in-place operation would
+    // overwrite some values that are subsequently needed. However, the mapping
+    // forms a trail through 24 of the 25 values so we can do it in place with
+    // only a single temporary variable.
+    //
+    // Start with (1, 0). The value here will be mapped and end up at (0, 2).
+    // That value will end up at (2, 1), then (1, 2), and so on. After 24
+    // steps, 24 of the 25 values have been hit (as this mapping is injective)
+    // and the sequence will repeat. All that remains is to handle the element
+    // at (0, 0), but the rotation for that element is zero, and it goes to (0,
+    // 0), so we can ignore it.
+    int pi_x = 1, pi_y = 0;
+    uint64_t prev_value = state[1];
+    int pi_rot = 1;
+    for (int i = 1; i < 25; i++) {
+      const int out_x = pi_y;
+      const int out_y = (2 * pi_x + 3 * pi_y) % 5;
+      const int index = out_y * 5 + out_x;
+      const uint64_t t = state[index];
+      state[index] = CRYPTO_rotl_u64(prev_value, pi_rot);
+      pi_rot = (pi_rot + i + 1) % 64;
+      prev_value = t;
+      pi_x = out_x;
+      pi_y = out_y;
+    }
+
+    // χ step
+    for (int y = 0; y < 5; y++) {
+      const int row_index = 5 * y;
+      const uint64_t orig_x0 = state[row_index];
+      const uint64_t orig_x1 = state[row_index + 1];
+      state[row_index] ^= ~orig_x1 & state[row_index + 2];
+      state[row_index + 1] ^= ~state[row_index + 2] & state[row_index + 3];
+      state[row_index + 2] ^= ~state[row_index + 3] & state[row_index + 4];
+      state[row_index + 3] ^= ~state[row_index + 4] & orig_x0;
+      state[row_index + 4] ^= ~orig_x0 & orig_x1;
+    }
+
+    // ι step
+    //
+    // From https://keccak.team/files/Keccak-reference-3.0.pdf, section
+    // 1.2, the round constants are based on the output of a LFSR. Thus, as
+    // suggested in the appendix of of
+    // https://keccak.team/keccak_specs_summary.html, the values are
+    // simply encoded here.
+    static const uint64_t kRoundConstants[24] = {
+        0x0000000000000001, 0x0000000000008082, 0x800000000000808a,
+        0x8000000080008000, 0x000000000000808b, 0x0000000080000001,
+        0x8000000080008081, 0x8000000000008009, 0x000000000000008a,
+        0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
+        0x000000008000808b, 0x800000000000008b, 0x8000000000008089,
+        0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
+        0x000000000000800a, 0x800000008000000a, 0x8000000080008081,
+        0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
+    };
+
+    state[0] ^= kRoundConstants[round];
+  }
+}
+
+static void keccak_init(struct BORINGSSL_keccak_st *ctx,
+                        size_t *out_required_out_len, const uint8_t *in,
+                        size_t in_len, enum boringssl_keccak_config_t config) {
+  size_t capacity_bytes;
+  uint8_t terminator;
+  switch (config) {
+    case boringssl_sha3_256:
+      capacity_bytes = 512 / 8;
+      *out_required_out_len = 32;
+      terminator = 0x06;
+      break;
+    case boringssl_sha3_512:
+      capacity_bytes = 1024 / 8;
+      *out_required_out_len = 64;
+      terminator = 0x06;
+      break;
+    case boringssl_shake128:
+      capacity_bytes = 256 / 8;
+      *out_required_out_len = 0;
+      terminator = 0x1f;
+      break;
+    case boringssl_shake256:
+      capacity_bytes = 512 / 8;
+      *out_required_out_len = 0;
+      terminator = 0x1f;
+      break;
+    default:
+      abort();
+  }
+
+  OPENSSL_memset(ctx, 0, sizeof(*ctx));
+  ctx->rate_bytes = 200 - capacity_bytes;
+  assert(ctx->rate_bytes % 8 == 0);
+  const size_t rate_words = ctx->rate_bytes / 8;
+
+  while (in_len >= ctx->rate_bytes) {
+    for (size_t i = 0; i < rate_words; i++) {
+      ctx->state[i] ^= CRYPTO_load_u64_le(in + 8 * i);
+    }
+    keccak_f(ctx->state);
+    in += ctx->rate_bytes;
+    in_len -= ctx->rate_bytes;
+  }
+
+  // XOR the final block. Accessing |ctx->state| as a |uint8_t*| is allowed by
+  // strict aliasing because we require |uint8_t| to be a character type.
+  uint8_t *state_bytes = (uint8_t *)ctx->state;
+  assert(in_len < ctx->rate_bytes);
+  for (size_t i = 0; i < in_len; i++) {
+    state_bytes[i] ^= in[i];
+  }
+  state_bytes[in_len] ^= terminator;
+  state_bytes[ctx->rate_bytes - 1] ^= 0x80;
+  keccak_f(ctx->state);
+}
+
+void BORINGSSL_keccak(uint8_t *out, size_t out_len, const uint8_t *in,
+                      size_t in_len, enum boringssl_keccak_config_t config) {
+  struct BORINGSSL_keccak_st ctx;
+  size_t required_out_len;
+  keccak_init(&ctx, &required_out_len, in, in_len, config);
+  if (required_out_len != 0 && out_len != required_out_len) {
+    abort();
+  }
+  BORINGSSL_keccak_squeeze(&ctx, out, out_len);
+}
+
+void BORINGSSL_keccak_init(struct BORINGSSL_keccak_st *ctx, const uint8_t *in,
+                           size_t in_len,
+                           enum boringssl_keccak_config_t config) {
+  size_t required_out_len;
+  keccak_init(ctx, &required_out_len, in, in_len, config);
+  if (required_out_len != 0) {
+    abort();
+  }
+}
+
+void BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx, uint8_t *out,
+                              size_t out_len) {
+  // Accessing |ctx->state| as a |uint8_t*| is allowed by strict aliasing
+  // because we require |uint8_t| to be a character type.
+  const uint8_t *state_bytes = (const uint8_t *)ctx->state;
+  while (out_len) {
+    size_t remaining = ctx->rate_bytes - ctx->offset;
+    size_t todo = out_len;
+    if (todo > remaining) {
+      todo = remaining;
+    }
+    OPENSSL_memcpy(out, &state_bytes[ctx->offset], todo);
+    out += todo;
+    out_len -= todo;
+    ctx->offset += todo;
+    if (ctx->offset == ctx->rate_bytes) {
+      keccak_f(ctx->state);
+      ctx->offset = 0;
+    }
+  }
+}

crypto/kyber/kyber_test.cc

@@ -0,0 +1,66 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <gtest/gtest.h>
+
+#include "../test/file_test.h"
+#include "../test/test_util.h"
+#include "./internal.h"
+
+
+static void KeccakFileTest(FileTest *t) {
+  std::vector<uint8_t> input, sha3_256_expected, sha3_512_expected,
+      shake128_expected, shake256_expected;
+  ASSERT_TRUE(t->GetBytes(&input, "Input"));
+  ASSERT_TRUE(t->GetBytes(&sha3_256_expected, "SHA3-256"));
+  ASSERT_TRUE(t->GetBytes(&sha3_512_expected, "SHA3-512"));
+  ASSERT_TRUE(t->GetBytes(&shake128_expected, "SHAKE-128"));
+  ASSERT_TRUE(t->GetBytes(&shake256_expected, "SHAKE-256"));
+
+  uint8_t sha3_256_digest[32];
+  BORINGSSL_keccak(sha3_256_digest, sizeof(sha3_256_digest), input.data(),
+                   input.size(), boringssl_sha3_256);
+  uint8_t sha3_512_digest[64];
+  BORINGSSL_keccak(sha3_512_digest, sizeof(sha3_512_digest), input.data(),
+                   input.size(), boringssl_sha3_512);
+  uint8_t shake128_output[512];
+  BORINGSSL_keccak(shake128_output, sizeof(shake128_output), input.data(),
+                   input.size(), boringssl_shake128);
+  uint8_t shake256_output[512];
+  BORINGSSL_keccak(shake256_output, sizeof(shake256_output), input.data(),
+                   input.size(), boringssl_shake256);
+
+  EXPECT_EQ(Bytes(sha3_256_expected), Bytes(sha3_256_digest));
+  EXPECT_EQ(Bytes(sha3_512_expected), Bytes(sha3_512_digest));
+  EXPECT_EQ(Bytes(shake128_expected), Bytes(shake128_output));
+  EXPECT_EQ(Bytes(shake256_expected), Bytes(shake256_output));
+
+  struct BORINGSSL_keccak_st ctx;
+
+  BORINGSSL_keccak_init(&ctx, input.data(), input.size(), boringssl_shake128);
+  for (size_t i = 0; i < sizeof(shake128_output); i++) {
+    BORINGSSL_keccak_squeeze(&ctx, &shake128_output[i], 1);
+  }
+  EXPECT_EQ(Bytes(shake128_expected), Bytes(shake128_output));
+
+  BORINGSSL_keccak_init(&ctx, input.data(), input.size(), boringssl_shake256);
+  for (size_t i = 0; i < sizeof(shake256_output); i++) {
+    BORINGSSL_keccak_squeeze(&ctx, &shake256_output[i], 1);
+  }
+  EXPECT_EQ(Bytes(shake256_expected), Bytes(shake256_output));
+}
+
+TEST(KyberTest, Keccak) {
+  FileTestGTest("crypto/kyber/keccak_tests.txt", KeccakFileTest);
+}

sources.cmake

@@ -66,6 +66,7 @@ set(
   crypto/fipsmodule/rand/ctrdrbg_vectors.txt
   crypto/hmac_extra/hmac_tests.txt
   crypto/hpke/hpke_test_vectors.txt
+  crypto/kyber/keccak_tests.txt
   crypto/pkcs8/test/empty_password.p12
   crypto/pkcs8/test/no_encryption.p12
   crypto/pkcs8/test/nss.p12