Merge pull request #302 from pq-code-package/keccak

Add native Keccak backend for x86_64 and AArch64

Author: hanno-becker

mldsa/common.h

@@ -48,4 +48,7 @@
  * The following is to avoid compilers complaining about this. */
 #define MLD_EMPTY_CU(s) extern int MLD_NAMESPACE(empty_cu_##s);
 
+#if defined(MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202)
+#include MLD_CONFIG_FIPS202_BACKEND_FILE
+#endif
 #endif /* !MLD_COMMON_H */

mldsa/config.h

@@ -45,4 +45,21 @@
 #define MLD_CONFIG_ARITH_BACKEND_FILE "native/meta.h"
 #endif
 
+/******************************************************************************
+ * Name:        MLD_CONFIG_FIPS202_BACKEND_FILE
+ *
+ * Description: The FIPS-202 backend to use.
+ *
+ *              If MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202 is set, this option
+ *              must either be undefined or the filename of a FIPS202 backend.
+ *              If unset, the default backend will be used.
+ *
+ *              This can be set using CFLAGS.
+ *
+ *****************************************************************************/
+#if defined(MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202) && \
+    !defined(MLD_CONFIG_FIPS202_BACKEND_FILE)
+#define MLD_CONFIG_FIPS202_BACKEND_FILE "fips202/native/auto.h"
+#endif
+
 #endif /* !MLD_CONFIG_H */

mldsa/fips202/keccakf1600.c

@@ -31,6 +31,7 @@
 #include <stdint.h>
 
 #include "keccakf1600.h"
+#if !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
 
 #define MLD_KECCAK_NROUNDS 24
 #define MLD_KECCAK_ROL(a, offset) ((a << offset) ^ (a >> (64 - offset)))
@@ -111,12 +112,20 @@ void mld_keccakf1600x4_xor_bytes(uint64_t *state, const unsigned char *data0,
 
 void mld_keccakf1600x4_permute(uint64_t *state)
 {
+#if defined(MLD_USE_FIPS202_X4_NATIVE)
+  mld_keccak_f1600_x4_native(state);
+#elif defined(MLD_USE_FIPS202_X2_NATIVE)
+  mld_keccak_f1600_x2_native(state + 0 * MLD_KECCAK_LANES);
+  mld_keccak_f1600_x2_native(state + 2 * MLD_KECCAK_LANES);
+#else
   mld_keccakf1600_permute(state + MLD_KECCAK_LANES * 0);
   mld_keccakf1600_permute(state + MLD_KECCAK_LANES * 1);
   mld_keccakf1600_permute(state + MLD_KECCAK_LANES * 2);
   mld_keccakf1600_permute(state + MLD_KECCAK_LANES * 3);
+#endif /* !MLD_USE_FIPS202_X4_NATIVE && !MLD_USE_FIPS202_X2_NATIVE */
 }
 
+#if !defined(MLD_USE_FIPS202_X1_NATIVE)
 static const uint64_t mld_KeccakF_RoundConstants[MLD_KECCAK_NROUNDS] = {
     (uint64_t)0x0000000000000001ULL, (uint64_t)0x0000000000008082ULL,
     (uint64_t)0x800000000000808aULL, (uint64_t)0x8000000080008000ULL,
@@ -396,6 +405,18 @@ void mld_keccakf1600_permute(uint64_t *state)
   state[23] = Aso;
   state[24] = Asu;
 }
+#else  /* !MLD_USE_FIPS202_X1_NATIVE */
+void mld_keccakf1600_permute(uint64_t *state)
+{
+  mld_keccak_f1600_x1_native(state);
+}
+#endif /* MLD_USE_FIPS202_X1_NATIVE */
+
+#else /* !MLD_CONFIG_MULTILEVEL_NO_SHARED */
+
+MLD_EMPTY_CU(keccakf1600)
+
+#endif /* MLD_CONFIG_MULTILEVEL_NO_SHARED */
 
 /* To facilitate single-compilation-unit (SCU) builds, undefine all macros.
  * Don't modify by hand -- this is auto-generated by scripts/autogen. */

mldsa/fips202/native/aarch64/auto.h

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#ifndef MLD_FIPS202_NATIVE_AARCH64_AUTO_H
+#define MLD_FIPS202_NATIVE_AARCH64_AUTO_H
+/* Default FIPS202 assembly profile for AArch64 systems */
+
+/*
+ * Default logic to decide which implementation to use.
+ *
+ */
+
+/*
+ * Keccak-f1600
+ *
+ * - On Arm-based Apple CPUs, we pick a pure Neon implementation.
+ * - Otherwise, unless MLD_SYS_AARCH64_SLOW_BARREL_SHIFTER is set,
+ *   we use lazy-rotation scalar assembly from @[HYBRID].
+ * - Otherwise, if MLD_SYS_AARCH64_SLOW_BARREL_SHIFTER is set, we
+ *   fall back to the standard C implementation.
+ */
+#if defined(__ARM_FEATURE_SHA3) && defined(__APPLE__)
+#include "x1_v84a.h"
+#elif !defined(MLD_SYS_AARCH64_SLOW_BARREL_SHIFTER)
+#include "x1_scalar.h"
+#endif
+
+/*
+ * Keccak-f1600x2/x4
+ *
+ * The optimal implementation is highly CPU-specific; see @[HYBRID].
+ *
+ * For now, if v8.4-A is not implemented, we fall back to Keccak-f1600.
+ * If v8.4-A is implemented and we are on an Apple CPU, we use a plain
+ * Neon-based implementation.
+ * If v8.4-A is implemented and we are not on an Apple CPU, we use a
+ * scalar/Neon/Neon hybrid.
+ * The reason for this distinction is that Apple CPUs appear to implement
+ * the SHA3 instructions on all SIMD units, while Arm CPUs prior to Cortex-X4
+ * don't, and ordinary Neon instructions are still needed.
+ */
+#if defined(__ARM_FEATURE_SHA3)
+/*
+ * For Apple-M cores, we use a plain implementation leveraging SHA3
+ * instructions only.
+ */
+#if defined(__APPLE__)
+#include "x2_v84a.h"
+#else
+#include "x4_v8a_v84a_scalar.h"
+#endif
+
+#else /* __ARM_FEATURE_SHA3 */
+
+#include "x4_v8a_scalar.h"
+
+#endif /* !__ARM_FEATURE_SHA3 */
+
+#endif /* !MLD_FIPS202_NATIVE_AARCH64_AUTO_H */

mldsa/fips202/native/aarch64/src/fips202_native_aarch64.h

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#ifndef MLD_FIPS202_NATIVE_AARCH64_SRC_FIPS202_NATIVE_AARCH64_H
+#define MLD_FIPS202_NATIVE_AARCH64_SRC_FIPS202_NATIVE_AARCH64_H
+
+#include <stdint.h>
+#include "../../../../cbmc.h"
+#include "../../../../common.h"
+
+
+#define mld_keccakf1600_round_constants \
+  MLD_NAMESPACE(keccakf1600_round_constants)
+extern const uint64_t mld_keccakf1600_round_constants[];
+
+#define mld_keccak_f1600_x1_scalar_asm MLD_NAMESPACE(keccak_f1600_x1_scalar_asm)
+void mld_keccak_f1600_x1_scalar_asm(uint64_t *state, uint64_t const *rc)
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1))
+);
+
+#define mld_keccak_f1600_x1_v84a_asm MLD_NAMESPACE(keccak_f1600_x1_v84a_asm)
+void mld_keccak_f1600_x1_v84a_asm(uint64_t *state, uint64_t const *rc)
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1))
+);
+
+#define mld_keccak_f1600_x2_v84a_asm MLD_NAMESPACE(keccak_f1600_x2_v84a_asm)
+void mld_keccak_f1600_x2_v84a_asm(uint64_t *state, uint64_t const *rc)
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 2))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 2))
+);
+
+#define mld_keccak_f1600_x4_scalar_v8a_hybrid_asm \
+  MLD_NAMESPACE(keccak_f1600_x4_scalar_v8a_hybrid_asm)
+void mld_keccak_f1600_x4_scalar_v8a_hybrid_asm(uint64_t *state,
+                                               uint64_t const *rc)
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 4))
+);
+
+#define mld_keccak_f1600_x4_scalar_v8a_v84a_hybrid_asm \
+  MLD_NAMESPACE(keccak_f1600_x4_scalar_v8a_v84a_hybrid_asm)
+void mld_keccak_f1600_x4_scalar_v8a_v84a_hybrid_asm(uint64_t *state,
+                                                    uint64_t const *rc)
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 4))
+);
+
+#endif /* !MLD_FIPS202_NATIVE_AARCH64_SRC_FIPS202_NATIVE_AARCH64_H */