
Commit 856b540

committed
Only compute sp mulcache once
Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
1 parent b689893 commit 856b540

5 files changed

Lines changed: 37 additions & 20 deletions


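--- a/mlkem/src/indcpa.c
+++ b/mlkem/src/indcpa.c
@@ -419,6 +419,7 @@ static MLK_ALWAYS_INLINE
 #endif
 int mlk_indcpa_enc_u(uint8_t ct_u[MLKEM_POLYVECCOMPRESSEDBYTES_DU],
 mlk_polyvec *sp, mlk_poly *epp,
+mlk_polyvec_mulcache *sp_cache,
 const uint8_t seed[MLKEM_SYMBYTES],
 const uint8_t coins[MLKEM_SYMBYTES],
 MLK_CONFIG_CONTEXT_PARAMETER_TYPE context)
@@ -427,9 +428,8 @@ int mlk_indcpa_enc_u(uint8_t ct_u[MLKEM_POLYVECCOMPRESSEDBYTES_DU],
 MLK_ALLOC(at, mlk_polymat, 1, context);
 MLK_ALLOC(ep, mlk_polyvec, 1, context);
 MLK_ALLOC(b, mlk_polyvec, 1, context);
-MLK_ALLOC(sp_cache, mlk_polyvec_mulcache, 1, context);
 
-if (at == NULL || ep == NULL || b == NULL || sp_cache == NULL)
+if (at == NULL || ep == NULL || b == NULL)
 {
 ret = MLK_ERR_OUT_OF_MEMORY;
 goto cleanup;
@@ -482,7 +482,6 @@ int mlk_indcpa_enc_u(uint8_t ct_u[MLKEM_POLYVECCOMPRESSEDBYTES_DU],
 cleanup:
 /* Specification: Partially implements
 * @[FIPS203, Section 3.3, Destruction of intermediate values] */
-MLK_FREE(sp_cache, mlk_polyvec_mulcache, 1, context);
 MLK_FREE(b, mlk_polyvec, 1, context);
 MLK_FREE(ep, mlk_polyvec, 1, context);
 MLK_FREE(at, mlk_polymat, 1, context);
@@ -496,6 +495,7 @@ static MLK_ALWAYS_INLINE
 #endif
 int mlk_indcpa_enc_v(uint8_t ct_v[MLKEM_POLYCOMPRESSEDBYTES_DV],
 const mlk_polyvec *sp, const mlk_poly *epp,
+const mlk_polyvec_mulcache *sp_cache,
 const uint8_t m[MLKEM_INDCPA_MSGBYTES],
 const uint8_t ek_vector[MLKEM_POLYVECBYTES],
 MLK_CONFIG_CONTEXT_PARAMETER_TYPE context)
@@ -504,9 +504,8 @@ int mlk_indcpa_enc_v(uint8_t ct_v[MLKEM_POLYCOMPRESSEDBYTES_DV],
 MLK_ALLOC(pkpv, mlk_polyvec, 1, context);
 MLK_ALLOC(v, mlk_poly, 1, context);
 MLK_ALLOC(k, mlk_poly, 1, context);
-MLK_ALLOC(sp_cache, mlk_polyvec_mulcache, 1, context);
 
-if (pkpv == NULL || v == NULL || k == NULL || sp_cache == NULL)
+if (pkpv == NULL || v == NULL || k == NULL)
 {
 ret = MLK_ERR_OUT_OF_MEMORY;
 goto cleanup;
@@ -515,7 +514,6 @@ int mlk_indcpa_enc_v(uint8_t ct_v[MLKEM_POLYCOMPRESSEDBYTES_DV],
 mlk_polyvec_frombytes(pkpv, ek_vector);
 mlk_poly_frommsg(k, m);
 
-mlk_polyvec_mulcache_compute(sp_cache, sp);
 mlk_polyvec_basemul_acc_montgomery_cached(v, pkpv, sp, sp_cache);
 
 mlk_poly_invntt_tomont(v);
@@ -529,7 +527,6 @@ int mlk_indcpa_enc_v(uint8_t ct_v[MLKEM_POLYCOMPRESSEDBYTES_DV],
 cleanup:
 /* Specification: Partially implements
 * @[FIPS203, Section 3.3, Destruction of intermediate values] */
-MLK_FREE(sp_cache, mlk_polyvec_mulcache, 1, context);
 MLK_FREE(k, mlk_poly, 1, context);
 MLK_FREE(v, mlk_poly, 1, context);
 MLK_FREE(pkpv, mlk_polyvec, 1, context);
@@ -550,27 +547,30 @@ int mlk_indcpa_enc(uint8_t c[MLKEM_INDCPA_BYTES],
 int ret = 0;
 MLK_ALLOC(sp, mlk_polyvec, 1, context);
 MLK_ALLOC(epp, mlk_poly, 1, context);
+MLK_ALLOC(sp_cache, mlk_polyvec_mulcache, 1, context);
 
-if (sp == NULL || epp == NULL)
+if (sp == NULL || epp == NULL || sp_cache == NULL)
 {
 ret = MLK_ERR_OUT_OF_MEMORY;
 goto cleanup;
 }
 
-/* Phase 1: compute ct_u and intermediate state (sp, epp) */
-ret = mlk_indcpa_enc_u(c, sp, epp, pk + MLKEM_POLYVECBYTES, coins, context);
+/* Phase 1: compute ct_u and intermediate state (sp, epp, sp_cache) */
+ret = mlk_indcpa_enc_u(c, sp, epp, sp_cache, pk + MLKEM_POLYVECBYTES, coins,
+context);
 if (ret != 0)
 {
 goto cleanup;
 }
 
 /* Phase 2: compute ct_v using intermediate state */
-ret = mlk_indcpa_enc_v(c + MLKEM_POLYVECCOMPRESSEDBYTES_DU, sp, epp, m, pk,
-context);
+ret = mlk_indcpa_enc_v(c + MLKEM_POLYVECCOMPRESSEDBYTES_DU, sp, epp, sp_cache,
+m, pk, context);
 
 cleanup:
 /* Specification: Partially implements
 * @[FIPS203, Section 3.3, Destruction of intermediate values] */
+MLK_FREE(sp_cache, mlk_polyvec_mulcache, 1, context);
 MLK_FREE(epp, mlk_poly, 1, context);
 MLK_FREE(sp, mlk_polyvec, 1, context);
 return ret;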
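Review bot: Dropping `mlk_polyvec_mulcache_compute(sp_cache, sp);` from mlk_indcpa_enc_v (old line 518) turns the agreement between `sp_cache` and `sp` into a silent precondition of the remaining call `mlk_polyvec_basemul_acc_montgomery_cached(v, pkpv, sp, sp_cache);`, and neither the new signature nor the clauses added to indcpa.h state it — the `memory_no_alias`/`assigns` entries there cover the buffer, not what it must contain. A one-line comment on the new parameter would make the dependency explicit at the definition and at the declaration, e.g. `const mlk_polyvec_mulcache *sp_cache, /* mulcache of sp, as produced by mlk_indcpa_enc_u */`, and the doc block above each declaration in indcpa.h (outside this diff) should list `sp_cache` and whether it is an input or an output. The `static MLK_ALWAYS_INLINE` context on the first and fourth hunk headers suggests these helpers are also inlined into mlk_indcpa_enc in some configurations, so a reader of that caller is the one who most needs the note. The bodies of mlk_indcpa_enc_u and mlk_indcpa_enc_v continue outside the hunks.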

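--- a/mlkem/src/indcpa.h
+++ b/mlkem/src/indcpa.h
@@ -124,9 +124,9 @@ __contract__(
 return_value == MLK_ERR_OUT_OF_MEMORY)
 );
 
-#define mlk_indcpa_enc_u MLK_NAMESPACE_K(indcpa_enc_u) MLK_CONTEXT_PARAMETERS_5
+#define mlk_indcpa_enc_u MLK_NAMESPACE_K(indcpa_enc_u) MLK_CONTEXT_PARAMETERS_6
 
-#define mlk_indcpa_enc_v MLK_NAMESPACE_K(indcpa_enc_v) MLK_CONTEXT_PARAMETERS_5
+#define mlk_indcpa_enc_v MLK_NAMESPACE_K(indcpa_enc_v) MLK_CONTEXT_PARAMETERS_6
 
 #if defined(MLK_CONFIG_ENABLE_MLKEM_BRAID)
 /*************************************************
@@ -157,18 +157,21 @@ MLK_INTERNAL_API
 MLK_MUST_CHECK_RETURN_VALUE
 int mlk_indcpa_enc_u(uint8_t ct_u[MLKEM_POLYVECCOMPRESSEDBYTES_DU],
 mlk_polyvec *sp, mlk_poly *epp,
+mlk_polyvec_mulcache *sp_cache,
 const uint8_t seed[MLKEM_SYMBYTES],
 const uint8_t coins[MLKEM_SYMBYTES],
 MLK_CONFIG_CONTEXT_PARAMETER_TYPE context)
 __contract__(
 requires(memory_no_alias(ct_u, MLKEM_POLYVECCOMPRESSEDBYTES_DU))
 requires(memory_no_alias(sp, sizeof(mlk_polyvec)))
 requires(memory_no_alias(epp, sizeof(mlk_poly)))
+requires(memory_no_alias(sp_cache, sizeof(mlk_polyvec_mulcache)))
 requires(memory_no_alias(seed, MLKEM_SYMBYTES))
 requires(memory_no_alias(coins, MLKEM_SYMBYTES))
 assigns(memory_slice(ct_u, MLKEM_POLYVECCOMPRESSEDBYTES_DU))
 assigns(memory_slice(sp, sizeof(mlk_polyvec)))
 assigns(memory_slice(epp, sizeof(mlk_poly)))
+assigns(memory_slice(sp_cache, sizeof(mlk_polyvec_mulcache)))
 ensures(return_value == 0 || return_value == MLK_ERR_OUT_OF_MEMORY)
 ensures(return_value == 0 ==>
 array_abs_bound(epp->coeffs, 0, MLKEM_N, MLKEM_ETA2 + 1))
@@ -201,13 +204,15 @@ MLK_INTERNAL_API
 MLK_MUST_CHECK_RETURN_VALUE
 int mlk_indcpa_enc_v(uint8_t ct_v[MLKEM_POLYCOMPRESSEDBYTES_DV],
 const mlk_polyvec *sp, const mlk_poly *epp,
+const mlk_polyvec_mulcache *sp_cache,
 const uint8_t m[MLKEM_INDCPA_MSGBYTES],
 const uint8_t ek_vector[MLKEM_POLYVECBYTES],
 MLK_CONFIG_CONTEXT_PARAMETER_TYPE context)
 __contract__(
 requires(memory_no_alias(ct_v, MLKEM_POLYCOMPRESSEDBYTES_DV))
 requires(memory_no_alias(sp, sizeof(mlk_polyvec)))
 requires(memory_no_alias(epp, sizeof(mlk_poly)))
+requires(memory_no_alias(sp_cache, sizeof(mlk_polyvec_mulcache)))
 requires(array_abs_bound(epp->coeffs, 0, MLKEM_N, 16))
 requires(memory_no_alias(m, MLKEM_INDCPA_MSGBYTES))
 requires(memory_no_alias(ek_vector, MLKEM_POLYVECBYTES))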

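--- a/mlkem/src/kem.c
+++ b/mlkem/src/kem.c
@@ -474,8 +474,10 @@ int mlk_kem_enc_derand_u(uint8_t ct_u[MLKEM_POLYVECCOMPRESSEDBYTES_DU],
 MLK_ALLOC(kr, uint8_t, 2 * MLKEM_SYMBYTES, context);
 MLK_ALLOC(sp, mlk_polyvec, 1, context);
 MLK_ALLOC(epp, mlk_poly, 1, context);
+MLK_ALLOC(sp_cache, mlk_polyvec_mulcache, 1, context);
 
-if (buf == NULL || kr == NULL || sp == NULL || epp == NULL)
+if (buf == NULL || kr == NULL || sp == NULL || epp == NULL ||
+sp_cache == NULL)
 {
 ret = MLK_ERR_OUT_OF_MEMORY;
 goto cleanup;
@@ -487,7 +489,8 @@ int mlk_kem_enc_derand_u(uint8_t ct_u[MLKEM_POLYVECCOMPRESSEDBYTES_DU],
 mlk_hash_g(kr, buf, 2 * MLKEM_SYMBYTES);
 
 /* Compute ct_u using derived randomness r */
-ret = mlk_indcpa_enc_u(ct_u, sp, epp, seed, kr + MLKEM_SYMBYTES, context);
+ret = mlk_indcpa_enc_u(ct_u, sp, epp, sp_cache, seed, kr + MLKEM_SYMBYTES,
+context);
 if (ret != 0)
 {
 goto cleanup;
@@ -506,6 +509,7 @@ int mlk_kem_enc_derand_u(uint8_t ct_u[MLKEM_POLYVECCOMPRESSEDBYTES_DU],
 cleanup:
 /* Specification: Partially implements
 * @[FIPS203, Section 3.3, Destruction of intermediate values] */
+MLK_FREE(sp_cache, mlk_polyvec_mulcache, 1, context);
 MLK_FREE(epp, mlk_poly, 1, context);
 MLK_FREE(sp, mlk_polyvec, 1, context);
 MLK_FREE(kr, uint8_t, 2 * MLKEM_SYMBYTES, context);
@@ -524,10 +528,12 @@ int mlk_kem_enc_v(uint8_t ct_v[MLKEM_POLYCOMPRESSEDBYTES_DV],
 int ret = 0;
 MLK_ALLOC(sp, mlk_polyvec, 1, context);
 MLK_ALLOC(epp, mlk_poly, 1, context);
+MLK_ALLOC(sp_cache, mlk_polyvec_mulcache, 1, context);
 MLK_ALLOC(p, mlk_polyvec, 1, context);
 MLK_ALLOC(p_reencoded, uint8_t, MLKEM_POLYVECBYTES, context);
 
-if (sp == NULL || epp == NULL || p == NULL || p_reencoded == NULL)
+if (sp == NULL || epp == NULL || sp_cache == NULL || p == NULL ||
+p_reencoded == NULL)
 {
 ret = MLK_ERR_OUT_OF_MEMORY;
 goto cleanup;
@@ -549,13 +555,17 @@ int mlk_kem_enc_v(uint8_t ct_v[MLKEM_POLYCOMPRESSEDBYTES_DV],
 mlk_deserialize_polyvec_16le(sp, sp_serial);
 mlk_deserialize_epp(epp, epp_serial);
 
-ret = mlk_indcpa_enc_v(ct_v, sp, epp, coins, ek_vector, context);
+/* Compute mulcache for deserialized sp */
+mlk_polyvec_mulcache_compute(sp_cache, sp);
+
+ret = mlk_indcpa_enc_v(ct_v, sp, epp, sp_cache, coins, ek_vector, context);
 
 cleanup:
 /* Specification: Partially implements
 * @[FIPS203, Section 3.3, Destruction of intermediate values] */
 MLK_FREE(p_reencoded, uint8_t, MLKEM_POLYVECBYTES, context);
 MLK_FREE(p, mlk_polyvec, 1, context);
+MLK_FREE(sp_cache, mlk_polyvec_mulcache, 1, context);
 MLK_FREE(epp, mlk_poly, 1, context);
 MLK_FREE(sp, mlk_polyvec, 1, context);
 return ret;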
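Review bot: In mlk_kem_enc_derand_u the new `sp_cache` allocation (new lines 477-483) appears to exist only to satisfy the extended signature of mlk_indcpa_enc_u: nothing in the visible hunks reads it afterwards, and mlk_kem_enc_v recomputes the cache from the deserialized `sp` at new line 559, so on this split path the mulcache is still computed twice despite the commit title. If the part of mlk_kem_enc_derand_u outside the hunks does not serialize or otherwise consume `sp_cache`, a comment next to the allocation would spare the next reader the search, e.g. `/* Written by mlk_indcpa_enc_u but not used here; mlk_kem_enc_v recomputes it from the deserialized sp */`. The added `MLK_FREE(sp_cache, ...)` lines sit under the FIPS 203 "Destruction of intermediate values" comment in both cleanup blocks, which is the right place given that the cache is derived from the secret `sp`. Both functions' bodies continue outside the hunks.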

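--- a/proofs/cbmc/indcpa_enc_u/indcpa_enc_u_harness.c
+++ b/proofs/cbmc/indcpa_enc_u/indcpa_enc_u_harness.c
@@ -8,8 +8,9 @@ void harness(void)
 uint8_t *ct_u;
 mlk_polyvec *sp;
 mlk_poly *epp;
+mlk_polyvec_mulcache *sp_cache;
 uint8_t *seed;
 uint8_t *coins;
-mlk_indcpa_enc_u(ct_u, sp, epp, seed, coins,
+mlk_indcpa_enc_u(ct_u, sp, epp, sp_cache, seed, coins,
 NULL /* context will be dropped by preprocessor */);
 }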

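--- a/proofs/cbmc/indcpa_enc_v/indcpa_enc_v_harness.c
+++ b/proofs/cbmc/indcpa_enc_v/indcpa_enc_v_harness.c
@@ -8,8 +8,9 @@ void harness(void)
 uint8_t *ct_v;
 mlk_polyvec *sp;
 mlk_poly *epp;
+mlk_polyvec_mulcache *sp_cache;
 uint8_t *m;
 uint8_t *ek_vector;
-mlk_indcpa_enc_v(ct_v, sp, epp, m, ek_vector,
+mlk_indcpa_enc_v(ct_v, sp, epp, sp_cache, m, ek_vector,
 NULL /* context will be dropped by preprocessor */);
 }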
