Kyber: Implementation in wolfSSL

Put Kyber implementation into wolfSSL.
2025-07-29 18:27:29 +02:00 · 2024-03-12 09:43:26 +10:00
parent 5dba7d3975
commit 25b2c664f4
5 changed files with 32352 additions and 26 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1121,10 +1121,6 @@ do
    ;;
  no)
    ;;
-  wolfssl)
-    ENABLED_WC_KYBER=yes
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_KYBER"
-    ;;
  small)
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KYBER_SMALL"
    ;;
@ -1146,6 +1142,12 @@ done
 if test "$ENABLED_KYBER" != "no"
 then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_KYBER"
+    # Use liboqs if specified.
+    if test "$ENABLED_LIBOQS" = "no"; then
+        ENABLED_WC_KYBER=yes
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WC_KYBER"
+        AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_KYBER"
+    fi

    if test "$ENABLED_KYBER512" = ""; then
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512"
@ -1162,12 +1164,6 @@ then
        test "$enable_sha3" = "" && enable_sha3=yes
        test "$enable_shake128" = "" && enable_shake128=yes
        test "$enable_shake256" = "" && enable_shake256=yes
-    else
-        # Default is to use liboqs. Make sure its enabled.
-        if test "$ENABLED_LIBOQS" = "no"; then
-            AC_MSG_ERROR([The default implementation for kyber is liboqs.
-            Please use --with-liboqs.])
-        fi
    fi
 fi

--- a/wolfcrypt/src/wc_kyber.c
+++ b/wolfcrypt/src/wc_kyber.c
--- a/wolfcrypt/src/wc_kyber_asm.S
+++ b/wolfcrypt/src/wc_kyber_asm.S
--- a/wolfcrypt/src/wc_kyber_poly.c
+++ b/wolfcrypt/src/wc_kyber_poly.c
--- a/wolfssl/wolfcrypt/wc_kyber.h
+++ b/wolfssl/wolfcrypt/wc_kyber.h
@ -1,3 +1,281 @@
+/* wc_kyber.h
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */

-#error "Contact wolfSSL to get the implementation of this file"
+/*!
+    \file wolfssl/wolfcrypt/wc_kyber.h
+*/
+
+
+#ifndef WOLF_CRYPT_WC_KYBER_H
+#define WOLF_CRYPT_WC_KYBER_H
+
+#include <wolfssl/wolfcrypt/types.h>
+#include <wolfssl/wolfcrypt/random.h>
+#include <wolfssl/wolfcrypt/sha3.h>
+#include <wolfssl/wolfcrypt/kyber.h>
+
+#ifdef WOLFSSL_HAVE_KYBER
+
+#if defined(_MSC_VER)
+    #define KYBER_NOINLINE __declspec(noinline)
+#elif defined(__GNUC__)
+    #define KYBER_NOINLINE __attribute__((noinline))
+#else
+    #define KYBER_NOINLINE
+#endif
+
+/* Define algorithm type when not excluded. */
+
+#ifndef WOLFSSL_NO_KYBER512
+#define WOLFSSL_KYBER512
+#endif
+#ifndef WOLFSSL_NO_KYBER768
+#define WOLFSSL_KYBER768
+#endif
+#ifndef WOLFSSL_NO_KYBER1024
+#define WOLFSSL_KYBER1024
+#endif
+
+enum {
+    /* Flags of Kyber keys. */
+    KYBER_FLAG_PRIV_SET = 0x0001,
+    KYBER_FLAG_PUB_SET  = 0x0002,
+    KYBER_FLAG_BOTH_SET = 0x0003,
+    KYBER_FLAG_H_SET    = 0x0004,
+
+    /* 2 bits of random used to create noise value. */
+    KYBER_CBD_ETA2          = 2,
+    /* 3 bits of random used to create noise value. */
+    KYBER_CBD_ETA3          = 3,
+
+    /* Number of bits to compress to. */
+    KYBER_COMP_4BITS    =  4,
+    KYBER_COMP_5BITS    =  5,
+    KYBER_COMP_10BITS   = 10,
+    KYBER_COMP_11BITS   = 11,
+};
+
+
+/* SHAKE128 rate. */
+#define XOF_BLOCK_SIZE      168
+
+/* Modulus of co-efficients of polynomial. */
+#define KYBER_Q             3329
+
+
+/* Kyber-512 parameters */
+#ifdef WOLFSSL_KYBER512
+/* Number of bits of random to create noise from. */
+#define KYBER512_ETA1       KYBER_CBD_ETA3
+#endif /* WOLFSSL_KYBER512 */
+
+/* Kyber-768 parameters */
+#ifdef WOLFSSL_KYBER768
+/* Number of bits of random to create noise from. */
+#define KYBER768_ETA1       KYBER_CBD_ETA2
+#endif /* WOLFSSL_KYBER768 */
+
+/* Kyber-1024 parameters */
+#ifdef WOLFSSL_KYBER1024
+/* Number of bits of random to create noise from. */
+#define KYBER1024_ETA1      KYBER_CBD_ETA2
+#endif /* WOLFSSL_KYBER1024 */
+
+
+
+/* The data type of the pseudo-random function. */
+#define KYBER_PRF_T     wc_Shake
+
+/* Kyber key. */
+struct KyberKey {
+    /* Type of key: KYBER512, KYBER768, KYBER1024 */
+    int type;
+    /* Dynamic memory allocation hint. */
+    void* heap;
+#if defined(WOLF_CRYPTO_CB)
+    /* Device Id. */
+    int* devId;
+#endif
+    /* Flags indicating what is stored in the key. */
+    int flags;
+
+    /* A pseudo-random function object. */
+    KYBER_PRF_T prf;
+
+    /* Private key as a vector. */
+    sword16 priv[KYBER_MAX_K * KYBER_N];
+    /* Public key as a vector. */
+    sword16 pub[KYBER_MAX_K * KYBER_N];
+    /* Public seed. */
+    byte pubSeed[KYBER_SYM_SZ];
+    /* Public hash - hash of encoded public key. */
+    byte h[KYBER_SYM_SZ];
+    /* Randomizer for decapsulation. */
+    byte z[KYBER_SYM_SZ];
+};
+
+#ifdef __cplusplus
+    extern "C" {
+#endif
+
+WOLFSSL_LOCAL
+void kyber_init(void);
+WOLFSSL_LOCAL
+void kyber_keygen(sword16* priv, sword16* pub, sword16* e, const sword16* a,
+    int kp);
+WOLFSSL_LOCAL
+void kyber_encapsulate(const sword16* pub, sword16* bp, sword16* v,
+    const sword16* at, sword16* sp, const sword16* ep, const sword16* epp,
+    const sword16* m, int kp);
+WOLFSSL_LOCAL
+void kyber_decapsulate(const sword16* priv, sword16* mp, sword16* bp,
+    const sword16* v, int kp);
+
+WOLFSSL_LOCAL
+int kyber_gen_matrix(KYBER_PRF_T* prf, sword16* a, int kp, byte* seed,
+    int transposed);
+WOLFSSL_LOCAL
+int kyber_get_noise(KYBER_PRF_T* prf, int kp, sword16* vec1, sword16* vec2,
+    sword16* poly, byte* seed);
+
+#ifdef USE_INTEL_SPEEDUP
+WOLFSSL_LOCAL
+int kyber_kdf(byte* seed, int seedLen, byte* out, int outLen);
+#endif
+WOLFSSL_LOCAL
+void kyber_prf_init(KYBER_PRF_T* prf);
+WOLFSSL_LOCAL
+int kyber_prf_new(KYBER_PRF_T* prf, void* heap, int devId);
+WOLFSSL_LOCAL
+void kyber_prf_free(KYBER_PRF_T* prf);
+
+WOLFSSL_LOCAL
+int kyber_cmp(const byte* a, const byte* b, int sz);
+
+WOLFSSL_LOCAL
+void kyber_vec_compress_10(byte* r, sword16* v, unsigned int kp);
+WOLFSSL_LOCAL
+void kyber_vec_compress_11(byte* r, sword16* v);
+WOLFSSL_LOCAL
+void kyber_vec_decompress_10(sword16* v, const unsigned char* b,
+    unsigned int kp);
+WOLFSSL_LOCAL
+void kyber_vec_decompress_11(sword16* v, const unsigned char* b);
+
+WOLFSSL_LOCAL
+void kyber_compress_4(byte* b, sword16* p);
+WOLFSSL_LOCAL
+void kyber_compress_5(byte* b, sword16* p);
+WOLFSSL_LOCAL
+void kyber_decompress_4(sword16* p, const unsigned char* b);
+WOLFSSL_LOCAL
+void kyber_decompress_5(sword16* p, const unsigned char* b);
+
+WOLFSSL_LOCAL
+void kyber_from_msg(sword16* p, const byte* msg);
+WOLFSSL_LOCAL
+void kyber_to_msg(byte* msg, sword16* p);
+WOLFSSL_LOCAL
+void kyber_from_bytes(sword16* p, const byte* b, int k);
+WOLFSSL_LOCAL
+void kyber_to_bytes(byte* b, sword16* p, int k);
+
+#ifdef USE_INTEL_SPEEDUP
+WOLFSSL_LOCAL
+void kyber_keygen_avx2(sword16* priv, sword16* pub, sword16* e,
+    const sword16* a, int kp);
+WOLFSSL_LOCAL
+void kyber_encapsulate_avx2(const sword16* pub, sword16* bp, sword16* v,
+    const sword16* at, sword16* sp, const sword16* ep, const sword16* epp,
+    const sword16* m, int kp);
+WOLFSSL_LOCAL
+void kyber_decapsulate_avx2(const sword16* priv, sword16* mp, sword16* bp,
+    const sword16* v, int kp);
+
+WOLFSSL_LOCAL
+unsigned int kyber_rej_uniform_n_avx2(sword16* p, unsigned int len,
+    const byte* r, unsigned int rLen);
+WOLFSSL_LOCAL
+unsigned int kyber_rej_uniform_avx2(sword16* p, unsigned int len, const byte* r,
+    unsigned int rLen);
+WOLFSSL_LOCAL
+void kyber_redistribute_21_rand_avx2(const word64* s, byte* r0, byte* r1,
+    byte* r2, byte* r3);
+void kyber_redistribute_17_rand_avx2(const word64* s, byte* r0, byte* r1,
+    byte* r2, byte* r3);
+void kyber_redistribute_16_rand_avx2(const word64* s, byte* r0, byte* r1,
+    byte* r2, byte* r3);
+void kyber_redistribute_8_rand_avx2(const word64* s, byte* r0, byte* r1,
+    byte* r2, byte* r3);
+
+WOLFSSL_LOCAL
+void kyber_sha3_blocksx4_avx2(word64* s);
+WOLFSSL_LOCAL
+void kyber_sha3_128_blocksx4_seed_avx2(word64* s, byte* seed);
+WOLFSSL_LOCAL
+void kyber_sha3_256_blocksx4_seed_avx2(word64* s, byte* seed);
+
+WOLFSSL_LOCAL
+void kyber_cbd_eta2_avx2(sword16* p, const byte* r);
+WOLFSSL_LOCAL
+void kyber_cbd_eta3_avx2(sword16* p, const byte* r);
+
+WOLFSSL_LOCAL
+void kyber_from_msg_avx2(sword16* p, const byte* msg);
+WOLFSSL_LOCAL
+void kyber_to_msg_avx2(byte* msg, sword16* p);
+
+WOLFSSL_LOCAL
+void kyber_from_bytes_avx2(sword16* p, const byte* b);
+WOLFSSL_LOCAL
+void kyber_to_bytes_avx2(byte* b, sword16* p);
+
+WOLFSSL_LOCAL
+void kyber_compress_10_avx2(byte* r, const sword16* p, int n);
+WOLFSSL_LOCAL
+void kyber_decompress_10_avx2(sword16* p, const byte* r, int n);
+WOLFSSL_LOCAL
+void kyber_compress_11_avx2(byte* r, const sword16* p, int n);
+WOLFSSL_LOCAL
+void kyber_decompress_11_avx2(sword16* p, const byte* r, int n);
+
+WOLFSSL_LOCAL
+void kyber_compress_4_avx2(byte* r, const sword16* p);
+WOLFSSL_LOCAL
+void kyber_decompress_4_avx2(sword16* p, const byte* r);
+WOLFSSL_LOCAL
+void kyber_compress_5_avx2(byte* r, const sword16* p);
+WOLFSSL_LOCAL
+void kyber_decompress_5_avx2(sword16* p, const byte* r);
+
+
+WOLFSSL_LOCAL
+int kyber_cmp_avx2(const byte* a, const byte* b, int sz);
+#endif
+
+#ifdef __cplusplus
+    } /* extern "C" */
+#endif
+
+#endif /* WOLFSSL_HAVE_KYBER */
+
+#endif /* WOLF_CRYPT_WC_KYBER_H */