Fix x1 mve keccak

bremoran · bremoran · commit 75e788aea653 · 2026-02-12T11:23:24.000Z
diff --git a/mlkem/src/fips202/keccakf1600.c b/mlkem/src/fips202/keccakf1600.c
@@ -34,16 +34,11 @@
 #define MLK_KECCAK_NROUNDS 24
 #define MLK_KECCAK_ROL(a, offset) ((a << offset) ^ (a >> (64 - offset)))
 
-void mlk_keccakf1600_extract_bytes(uint64_t *state, unsigned char *data,
+MLK_STATIC_TESTABLE
+void mlk_keccakf1600_extract_bytes_c(uint64_t *state, unsigned char *data,
                                    unsigned offset, unsigned length)
 {
   unsigned i;
-#if defined(MLK_USE_FIPS202_X1_EXTRACT_BYTES_NATIVE)
-  if(mlk_keccakf1600_extract_bytes_x1_native(state, data, offset, length) == MLK_NATIVE_FUNC_SUCCESS)
-  {
-    return;
-  }
-#endif
 #if defined(MLK_SYS_LITTLE_ENDIAN)
   uint8_t *state_ptr = (uint8_t *)state + offset;
   for (i = 0; i < length; i++)
@@ -62,15 +57,23 @@ void mlk_keccakf1600_extract_bytes(uint64_t *state, unsigned char *data,
 #endif /* !MLK_SYS_LITTLE_ENDIAN */
 }
 
-void mlk_keccakf1600_xor_bytes(uint64_t *state, const unsigned char *data,
-                               unsigned offset, unsigned length)
+void mlk_keccakf1600_extract_bytes(uint64_t *state, unsigned char *data,
+                                   unsigned offset, unsigned length)
 {
-  unsigned i;
-#if defined(MLK_USE_FIPS202_X1_XOR_BYTES_NATIVE)
-  if (mlk_keccakf1600_xor_bytes_x1_native(state, data, offset, length) == MLK_NATIVE_FUNC_SUCCESS) {
+#if defined(MLK_USE_FIPS202_X1_EXTRACT_BYTES_NATIVE)
+  if(mlk_keccakf1600_extract_bytes_x1_native(state, data, offset, length) == MLK_NATIVE_FUNC_SUCCESS)
+  {
     return;
   }
 #endif
+  mlk_keccakf1600_extract_bytes_c(state, data, offset, length);
+}
+
+MLK_STATIC_TESTABLE
+void mlk_keccakf1600_xor_bytes_c(uint64_t *state, const unsigned char *data,
+                               unsigned offset, unsigned length)
+{
+  unsigned i;
 #if defined(MLK_SYS_LITTLE_ENDIAN)
   uint8_t *state_ptr = (uint8_t *)state + offset;
   for (i = 0; i < length; i++)
@@ -89,6 +92,17 @@ void mlk_keccakf1600_xor_bytes(uint64_t *state, const unsigned char *data,
 #endif /* !MLK_SYS_LITTLE_ENDIAN */
 }
 
+void mlk_keccakf1600_xor_bytes(uint64_t *state, const unsigned char *data,
+                               unsigned offset, unsigned length)
+{
+#if defined(MLK_USE_FIPS202_X1_XOR_BYTES_NATIVE)
+  if (mlk_keccakf1600_xor_bytes_x1_native(state, data, offset, length) == MLK_NATIVE_FUNC_SUCCESS) {
+    return;
+  }
+#endif
+  mlk_keccakf1600_xor_bytes_c(state, data, offset, length);
+}
+
 void mlk_keccakf1600x4_extract_bytes(uint64_t *state, unsigned char *data0,
                                      unsigned char *data1, unsigned char *data2,
                                      unsigned char *data3, unsigned offset,
diff --git a/mlkem/src/fips202/native/armv81m/src/state_extract_bytes_x1_mve_asm.S b/mlkem/src/fips202/native/armv81m/src/state_extract_bytes_x1_mve_asm.S
@@ -39,13 +39,13 @@
 .endm
 
 .balign 8
-.macro from_bit_interleaving_x1
+.macro from_bit_interleaving_x1 tmp
     // Input:  q0 = [e0, o0, e1, o1]
     // Output: q0 = [d0l, d0h, d1l, d1h]
     // Clobbers: r0, q1, q2, q3, q4
     
-    mov         r0, #0x0F0F
-    vmsr        p0, r0
+    mov         \tmp, #0x0F0F
+    vmsr        p0, \tmp
     //                        // q0.u16: [e0l, e0h, o0l, o0h, e1l, e1h, o1l, o1h] 
     vrev32.u16  q1, q0        // q1.u16: [e0h, e0l, o0h, o0l, e1h, e1l, o1h, o1l] 
     vrev64.u32  q2, q1        // q2.u16: [o0h, o0l, e0h, e0l, o1h, o1l, e1h, e1l]
@@ -58,8 +58,8 @@
     deinterleave_even q0, q2
     deinterleave_even q1, q2
     // Zero garbage bits
-    mov         r0, #0x55
-    vdup.u8     q2, r0
+    mov         \tmp, #0x55
+    vdup.u8     q2, \tmp
     vand.u32    q0, q0, q2
     vand.u32    q1, q1, q2
     // Merge vectors
@@ -120,6 +120,11 @@ MLK_ASM_FN_SYMBOL(keccak_f1600_x1_state_extract_bytes_asm)
     // length -= n
     subs    length, length, nB
 
+    // Load state for the partial lane
+    vldrw.u32 qd, [state], #16
+    // Deinterleave to bytes
+    from_bit_interleaving_x1 tmp
+    // Predicated byte store of up to 16 bytes
     // calculate the predicates
     // mask = (1 << nB) - 1 over 8-bit lanes, then shift by 'off'.
     // vctp.8 sets p0[0..nB-1]=1 (others 0). We read it as an integer mask,
@@ -130,11 +135,6 @@ MLK_ASM_FN_SYMBOL(keccak_f1600_x1_state_extract_bytes_asm)
     // mask << offset
     lsl mask, mask, off
     vmsr p0, mask
-    // Load state for the partial lane
-    vldrw.u32 qd, [state], #16
-    // Deinterleave to bytes
-    from_bit_interleaving_x1
-    // Predicated byte store of up to 16 bytes
     vpst
     vstrbt.u8 qd, [dp], #16
 
@@ -154,7 +154,7 @@ keccak_f1600_x1_state_extract_bytes_asm_main_loop_start:
     // Load 16B (two lanes) from state and bump pointer
     vldrw.u32 qd, [state], #16
     // Deinterleave to bytes
-    from_bit_interleaving_x1
+    from_bit_interleaving_x1 tmp
     // Store 16B of output bytes (post-increment by 16)
     vstrw.u32 qd, [dp], #16
 
@@ -165,16 +165,16 @@ keccak_f1600_x1_state_extract_bytes_asm_main_loop_end:
     // TAIL: if length remaining <8, write it at offset_in_lane=0
     // -------------------------------------------------------------------------
 
-    // length &= 7
-    ands    length, length, #7
+    // length &= 15
+    ands    length, length, #15
     cmp     length, #0
     beq     keccak_f1600_x1_state_extract_bytes_asm_exit
 
-    // Tail via predicated byte stores like prologue, but off=0 (no base adjust)
-    vctp.8  length
     // Load next state lane, deinterleave, store tail
     vldrw.u32 qd, [state], #16
-    from_bit_interleaving_x1
+    from_bit_interleaving_x1 tmp
+    // Tail via predicated byte stores like prologue, but off=0 (no base adjust)
+    vctp.8  length
     vpst
     vstrbt.u8 qd, [dp], #16
 
diff --git a/mlkem/src/fips202/native/armv81m/src/state_xor_bytes_x1_mve_asm.S b/mlkem/src/fips202/native/armv81m/src/state_xor_bytes_x1_mve_asm.S
@@ -28,14 +28,15 @@
 .macro interleave_odds t, u
     vshl.u8     \u, \t, #2       // u = t[5..0],00
     vsri.u8     \t, \u, #1       // t = t[7],u[6..0]  => t = t[7],t[5..0],0
-    vshl.u8     \u, \t, #3       // stage 2 across nibbles
-    vsri.u8     \t, \u, #2
-    vshl.u8     \u, \t, #4       // stage 3 across bytes
-    vsri.u8     \t, \u, #3
-    vshl.u16    \u, \t, #8       // widen within halfwords
-    vsri.u8     \t, \u, #4
-    vshl.u32    \u, \t, #16      // widen within words
-    vsri.u16    \t, \u, #8       // odd bits compacted; per 32b lane: lo16=bytes0..3, hi16=4..7
+    vshl.u8     \u, \t, #3       // u = t[3..0],0000
+    vsri.u8     \t, \u, #2       // t = t[7..6],u[5..0] => t = t[7],t[5],t[3..0],00
+    vshl.u8     \u, \t, #4       // u = t[1..0],000000
+    vsri.u8     \t, \u, #3       // t = t[7],t[5],t[3],u[4..0] => t = t[7],t[5],t[3],t[1..0],000
+                                 // t16 = t[15],t[13],t[11],t[9..8],000,t[7],t[5],t[3],t[1..0],000
+    vshl.u16    \u, \t, #8       // u16 = t[7],t[5],t[3],t[1..0],000
+    vsri.u8     \t, \u, #4       // t16 = t[15,13,11,9,7,5,3,1]
+    vshl.u32    \u, \t, #16      // u32 = t[15,13,11,9,7,5,3,1]
+    vsri.u16    \t, \u, #8       // u16 = t[31,29,27,25,23,21,19,17,15,13,11,9,7,5,3,1]
 .endm
 
 // interleave_evens: in-place SWAR bit permutation that compacts even-numbered
@@ -55,7 +56,7 @@
 .endm
 
 .balign 8
-.macro to_bit_interleaving_x1
+.macro to_bit_interleaving_x1 tmp
     // NOTE: This macro clobbers r0, q0, q1, q2, q3
     // Inputs on entry:
     //   q0 = [d0l, d0h, d1l, d1h] (Two complete 64-bit lanes in 32-bit chunks)
@@ -68,10 +69,10 @@
     vrev64.u32 q2, q1       // || d0l | d0h | d1l | d1h || e0l | e0h | e1l | e1h || e0h | e0l | e1h | e1l ||  X  |  X  |  X  |  X  ||
     vsli.u32   q1, q2, #16  // || d0l | d0h | d1l | d1h || e0  |  X  | e1  |  X  || e0h | e0l | e1h | e1l ||  X  |  X  |  X  |  X  ||
     interleave_odds  q0, q3 // || o0l | o0h | o1l | o1h || e0  |  X  | e1  |  X  || e0h | e0l | e1h | e1l ||  X  |  X  |  X  |  X  ||
-    vrev64.u32 q0, q3       // || o0l | o0h | o1l | o1h || e0  |  X  | e1  |  X  || e0h | e0l | e1h | e1l || o0h | o0l | o1h | o1l ||
+    vrev64.u32 q3, q0       // || o0l | o0h | o1l | o1h || e0  |  X  | e1  |  X  || e0h | e0l | e1h | e1l || o0h | o0l | o1h | o1l ||
     vsri.u32   q0, q3, #16  // ||  X  | o0  |  X  | o1  || e0  |  X  | e1  |  X  || e0h | e0l | e1h | e1l || o0h | o0l | o1h | o1l ||
-    mov r0, #0x0F0F
-    vmsr p0, r0
+    mov \tmp, #0x0F0F
+    vmsr p0, \tmp
     vpsel q0, q1, q0        // || e0  | o0  | e1  | o1  || e0  |  X  | e1  |  X  || e0h | e0l | e1h | e1l || o0h | o0l | o1h | o1l ||
 .endm
 
@@ -145,7 +146,7 @@ MLK_ASM_FN_SYMBOL(keccak_f1600_x1_state_xor_bytes_asm)
 
     // Bit interleave
     // NOTE: q2,q3,q4 are dead here and not preserved.
-    to_bit_interleaving_x1
+    to_bit_interleaving_x1 tmp
 
     vldrw.u32 qs, [state]
     veor      qs, qs, qd
@@ -168,7 +169,7 @@ keccak_f1600_x1_state_xor_bytes_asm_main_loop_start:
     vldrw.u32 qd, [dp], #16
     // Bit interleave
     // NOTE: q2,q3,q4 are dead here and not preserved.
-    to_bit_interleaving_x1
+    to_bit_interleaving_x1 tmp
 
     // XOR into state (stores post-increment state by 16)
     vldrw.u32 qs, [state]
@@ -182,26 +183,20 @@ keccak_f1600_x1_state_xor_bytes_asm_main_loop_end:
     // TAIL: if length remaining <8, absorb it at offset_in_lane=0
     // -------------------------------------------------------------------------
 
-    // length &= 7
+    // length &= 15
     // Placeholder: if r6 == 0, done.
-    ands    length, length, #7
+    ands    length, length, #15
     cmp     length, #0
     beq     keccak_f1600_x1_state_xor_bytes_asm_exit
 
     // Tail via predicated byte loads like prologue, but off=0 (no base adjust)
     vctp.8  length
-    vctp.8 nB
-    vmrs mask, p0
-    // mask << offset
-    lsl mask, mask, off
-    vmsr p0, mask
-    // now load the partial lanes
     vpst
     vldrbt.u8 qd, [dp], #16
 
     // Bit interleave
     // NOTE: q2,q3,q4 are dead here and not preserved.
-    to_bit_interleaving_x1
+    to_bit_interleaving_x1 tmp
 
     vldrw.u32 qs, [state]
     veor      qs, qs, qd
diff --git a/test/src/test_unit.c b/test/src/test_unit.c
@@ -43,7 +43,10 @@ void mlk_polyvec_basemul_acc_montgomery_cached_c(
     const mlk_polyvec_mulcache *b_cache);
 void mlk_poly_mulcache_compute_c(mlk_poly_mulcache *x, const mlk_poly *a);
 void mlk_keccakf1600_permute_c(uint64_t *state);
-
+void mlk_keccakf1600_xor_bytes_c(uint64_t *state, const unsigned char *data,
+                               unsigned offset, unsigned length);
+void mlk_keccakf1600_extract_bytes_c(uint64_t *state, unsigned char *data,
+                                   unsigned offset, unsigned length);
 #define CHECK(x)                                              \
   do                                                          \
   {                                                           \
@@ -638,21 +641,43 @@ static int test_native_polyvec_basemul(void)
 #endif /* MLK_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED */
 
 #ifdef MLK_USE_FIPS202_X1_NATIVE
-static int test_keccakf1600_permute(void)
+#define MAX_RATE 136
+static int test_keccakf1600_xor_permute_extract(void)
 {
-  uint64_t state[MLK_KECCAK_LANES];
-  uint64_t state_ref[MLK_KECCAK_LANES];
+  uint64_t input[MLK_KECCAK_LANES];
+  uint64_t state_native[MLK_KECCAK_LANES];
+  uint64_t state_c[MLK_KECCAK_LANES];
+  uint64_t output_native[MLK_KECCAK_LANES];
+  uint64_t output_c[MLK_KECCAK_LANES];
+  uint8_t xor_offset, xor_length, ext_offset, ext_length;
   int i;
 
   for (i = 0; i < NUM_RANDOM_TESTS; i++)
   {
-    randombytes((uint8_t *)state, sizeof(state));
-    memcpy(state_ref, state, sizeof(state));
-
-    mlk_keccakf1600_permute(state);
-    mlk_keccakf1600_permute_c(state_ref);
-
-    CHECK(compare_u64_arrays(state, state_ref, MLK_KECCAK_LANES,
+    randombytes(&xor_offset,1);
+    randombytes(&xor_length,1);
+    xor_offset = xor_offset % MAX_RATE;
+    xor_length = (uint8_t)(1 + (xor_length % (MAX_RATE - xor_offset)));
+    randombytes(&ext_offset, 1);
+    randombytes(&ext_length, 1);
+    ext_offset = ext_offset % MAX_RATE;
+    ext_length = (uint8_t)(1 + (ext_length % (MAX_RATE - ext_offset)));
+
+    randombytes((uint8_t *)input, xor_length);
+    memset(state_native, 0, sizeof(state_native));
+    memset(output_native, 0, sizeof(output_native));
+
+    mlk_keccakf1600_xor_bytes(state_native, (uint8_t *)input, xor_offset, xor_length);
+    mlk_keccakf1600_permute(state_native);
+    mlk_keccakf1600_extract_bytes(state_native, (uint8_t *)output_native, ext_offset, ext_length);
+
+    memset(state_c, 0, sizeof(state_c));
+    memset(output_c, 0, sizeof(output_c));
+    mlk_keccakf1600_xor_bytes_c(state_c, (uint8_t *)input, xor_offset, xor_length);
+    mlk_keccakf1600_permute_c(state_c);
+    mlk_keccakf1600_extract_bytes_c(state_c, (uint8_t *)output_c, ext_offset, ext_length);
+
+    CHECK(compare_u64_arrays(output_native, output_c, MLK_KECCAK_LANES,
                              "keccakf1600_permute"));
   }
 
@@ -722,7 +747,7 @@ static int test_backend_units(void)
 #endif
 
 #ifdef MLK_USE_FIPS202_X1_NATIVE
-  CHECK(test_keccakf1600_permute() == 0);
+  CHECK(test_keccakf1600_xor_permute_extract() == 0);
 #endif
 
 #ifdef MLK_USE_FIPS202_X4_NATIVE
