| 3200c9e | Matthias J. Kannwischer | 31 October 2024, 08:26:08 UTC | Remove eliminated schemes from NIST PQC digital signature competition (#365) * Remove eliminated schemes from NIST PQC digital signature competition NIST announced the second round candidates on October 24, 2024: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/khAfIZPktRE/m/bBZWmET-AAAJ Eliminated schemes (with implementations in mupq): - ascon-sign - biscuit - meds - sphinca-a - tuov None of those have dedicated implementations in pqm4. aimer and haetae also got eliminated, but remain candidates of KPQC (https://www.kpqc.or.kr/competition.html). Let's keep them around. * adjust README * update mupq * fix aimer skiplist | 31 October 2024, 08:26:08 UTC |
| 229b36b | Matthias J. Kannwischer | 31 October 2024, 06:45:47 UTC | Add AIMer benchmarks (#366) * Add AIMer implementations(m4speed, m4stack) for all NIST security levels * change aimer128f to symlinks * Symlinks updates for AIMer * update benchmarks * update skiplist --------- Co-authored-by: Sangyub Lee <kykypyza3724@gmail.com> | 31 October 2024, 06:45:47 UTC |
| 47fd997 | Sangyub Lee | 31 October 2024, 06:00:50 UTC | Add AIMer implementations(m4speed, m4stack) for all NIST security levels (#361) * Add AIMer implementations(m4speed, m4stack) for all NIST security levels * change aimer128f to symlinks * Symlinks updates for AIMer --------- Co-authored-by: Matthias J. Kannwischer <matthias@kannwischer.eu> | 31 October 2024, 06:00:50 UTC |
| 68e1ca7 | Matthias J. Kannwischer | 22 October 2024, 09:15:12 UTC | Update to FIPS204 and rename Dilithium to ML-DSA (#363) * update Dilithium to final FIPS204 and rename * Dilithium: update and rename m4f+m4fstack implementations * switch to mupq master after merging * ML-DSA: update benchmarks * update skiplist * fix compiler warnings | 22 October 2024, 09:15:12 UTC |
| 7664995 | Matthias J. Kannwischer | 15 October 2024, 02:53:08 UTC | move PR template in right place | 15 October 2024, 02:53:08 UTC |
| 024f636 | Matthias J. Kannwischer | 15 October 2024, 02:50:52 UTC | Create pull_request_template.md | 15 October 2024, 02:50:52 UTC |
| 79a0ddf | Matthias J. Kannwischer | 14 October 2024, 10:16:32 UTC | Update Kyber to final FIPS203 and rename to ML-KEM (#362) | 14 October 2024, 10:16:32 UTC |
| 8d44b72 | Matthias J. Kannwischer | 13 August 2024, 00:06:44 UTC | init msg buffer in {speed,hashing}.c (#351) | 13 August 2024, 00:06:44 UTC |
| 6554684 | Matthias J. Kannwischer | 12 August 2024, 13:38:20 UTC | Update AIMer implementations (#350) * add skiplist entries for new aimer implementations * remove old aimer benchmarks * add AIMer benchmarks * add missing aimer-128f benchmarks * track correct version of mupq | 12 August 2024, 13:38:20 UTC |
| 7cead3c | Matthias J. Kannwischer | 06 August 2024, 07:27:24 UTC | Add dependabot | 06 August 2024, 07:27:24 UTC |
| f2b698a | Matthias J. Kannwischer | 06 August 2024, 07:21:58 UTC | Improve Dilithium (speed) verification stack usage (#346) * Improve Dilithium (speed) verification stack usage Once upon a time, we wrote a paper on memory-efficient Dilithium [1] which included a speed-optimized version of verification that still included some memory optimizations that don't come at a performance penalty. Unfortunately with the update of the reference code to round 3 that version did not get migrated leading to some complaints about verification memory consumption. I finally found some time to port these. Verficication speed is essentially unchanged, but stack consumption is much better. [1] https://eprint.iacr.org/2020/1278.pdf * update benchmarks | 06 August 2024, 07:21:58 UTC |
| cda61fb | Matthias J. Kannwischer | 03 July 2024, 03:02:34 UTC | Kyber: Fixed secret-dependent branch in poly_fromsg (#345) * Fixed secret-dependent branch in poly_fromsg * update mupq * update Kyber benchmarks * add missing prototype * extend skiplist * add Falcon benchmarks | 03 July 2024, 03:02:34 UTC |
| 006a109 | Amin Abdulrahman | 22 April 2024, 04:56:30 UTC | Symlinks for dilithium m4fstack (#342) | 22 April 2024, 04:56:30 UTC |
| 4584cfc | Matthias J. Kannwischer | 16 April 2024, 01:24:06 UTC | Fix inlining of Kyber re-encryption (#339) * fix inlining of Kyber reencryption * update benchmarks | 16 April 2024, 01:24:06 UTC |
| 149bfc7 | Amin Abdulrahman | 16 April 2024, 01:00:42 UTC | Dilithium/ML-DSA Stack Optimizations (#340) * Init dilithium3 stack optimized variant * Start stack optimization [Passing] * Based on ideas from https://eprint.iacr.org/2022/323.pdf, based on code by Matthias J. Kannwischer * Sample A on-the-fly * Compressed c * Schoolbook mul for ct1 * Compress w * Eliminate z, y * Eliminate cp * Eliminate s1, s2 * Eliminate second poly needed for A*y * Note: Reverts poly_uniform_pointwise_montgomery_polywadd_stack to prior state * Inline sampling uniform and uniform_gamma1 * Inline hint generation * Inline polyw subtraction * Refactor decompose to high/lowbits * Inline Keccak state * Shared buffer for polynomials * rm 257 FFT * Union for small and big poly * Eliminate some smaller buffers * Remove asym small mul * Stack friendly uniform_gamma1 w/o add * Stack optimized Dilithium{2,5} * Switch to Plantard-based 769 NTT * First batch of stack opt for Verify * On-the-fly matrix generation * Schoolbook for ct1 * Challenge compression * On-the-fly unpacking for z, h * Compress w * rm tmp poly, subtract on wcomp * Verify Stack Optimizations * Stack friendly hint decoding * Eliminate second full poly * Remove K-loop from hint unpacking * rm buffers/unionize in Verify * Stack opt key pair * Minor clean up * Overlap buffers * Stack optimized challenge generation * Match 769 Plantard to m4f code * update skiplist * update benchmarks --------- Co-authored-by: Matthias J. Kannwischer <matthias@kannwischer.eu> | 16 April 2024, 01:00:42 UTC |
| 9c2bc41 | Huang Junhao | 15 April 2024, 07:30:22 UTC | Revisiting Keccak and Dilithium Implementations on ARMv7-M (#338) * Use Plantard arithmetic for NTT_769 in Dilithium * rm old smallntt.S * update benchmarks --------- Co-authored-by: Matthias J. Kannwischer <matthias@kannwischer.eu> | 15 April 2024, 07:30:22 UTC |
| 2c48508 | Richard Petri | 27 March 2024, 14:10:26 UTC | Merge pull request #337 from mupq/moreci More CI and add excluded schemes on all platforms | 27 March 2024, 14:10:26 UTC |
| 4f5b5ce | Richard Petri | 26 March 2024, 21:19:31 UTC | Merge pull request #335 from mupq/duallicense Merge branch 'master' of github.com:mupq/pqm4 | 26 March 2024, 21:20:08 UTC |
| cc3481a | Matthias J. Kannwischer | 26 March 2024, 21:09:22 UTC | fix build for other platforms | 26 March 2024, 21:09:22 UTC |
| c33fab9 | Matthias J. Kannwischer | 26 March 2024, 13:56:42 UTC | fix nucleo-l476rg build | 26 March 2024, 13:56:42 UTC |
| c83565b | Matthias J. Kannwischer | 26 March 2024, 13:42:01 UTC | more CI | 26 March 2024, 13:45:42 UTC |
| 0c12777 | Matthias J. Kannwischer | 26 March 2024, 13:32:23 UTC | more CI | 26 March 2024, 13:32:23 UTC |
| 82c6d7a | Matthias J. Kannwischer | 25 March 2024, 19:59:12 UTC | add uov to exluded schemes on nucleo_l446rg.mk | 25 March 2024, 19:59:12 UTC |
| 5d0fe86 | Matthias J. Kannwischer | 20 March 2024, 03:13:23 UTC | Adds Apache-2.0 license in addition to CC0 To enable re-use in https://github.com/pq-code-package/mlkem-c-embedded. This is applied only to the sources of pqm4 itself that are to a vast degree written by the pqm4 maintainers. The scheme implementations plus symmetric primitives have other licenses. | 20 March 2024, 03:24:17 UTC |
| 4b2fc60 | Richard Petri | 19 March 2024, 12:35:18 UTC | Merge pull request #333 from mupq/benchmarkupdate Update benchmarks and skiplist | 19 March 2024, 12:35:18 UTC |
| 527e9d6 | Richard Petri | 17 March 2024, 20:36:16 UTC | Update benchmarks | 17 March 2024, 20:38:49 UTC |
| 470917e | Richard Petri | 17 March 2024, 20:38:08 UTC | Update mupq | 17 March 2024, 20:38:49 UTC |
| b15618e | Richard Petri | 27 February 2024, 20:55:55 UTC | Update README.md to reflect the changes | 27 February 2024, 20:55:55 UTC |
| e698764 | Richard Petri | 27 February 2024, 20:38:09 UTC | Update skiplist.py | 27 February 2024, 20:38:09 UTC |
| e852f55 | Richard Petri | 27 February 2024, 20:37:53 UTC | Update mupq | 27 February 2024, 20:37:53 UTC |
| 403c694 | Richard Petri | 27 February 2024, 19:26:51 UTC | Merge pull request #332 from mupq/nistdraftkyberdilithium NIST Draft version of Kyber and Dilithium; remove divisions by KYBER_Q | 27 February 2024, 19:26:51 UTC |
| c4fd63c | Matthias J. Kannwischer | 23 February 2024, 07:51:58 UTC | fix build on stm32f4discovery | 23 February 2024, 07:51:58 UTC |
| 619a125 | Matthias J. Kannwischer | 23 February 2024, 07:51:41 UTC | include compat.h to allow SPHINCS+ to build | 23 February 2024, 07:51:41 UTC |
| 0fa8f56 | Matthias J. Kannwischer | 23 February 2024, 05:14:13 UTC | Dilithium compatibility with NIST draft | 23 February 2024, 07:50:49 UTC |
| edcf6f6 | Matthias J. Kannwischer | 23 February 2024, 03:11:58 UTC | eliminate / KYBER_Q that may result in variable time division This applies the patches from upstream to poly_compress and polyvec_compress See https://github.com/pq-crystals/kyber/commit/272125f6acc8e8b6850fd68ceb901a660ff48196 https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/ovODsdY7AwAJ | 23 February 2024, 03:29:50 UTC |
| f418bf6 | Matthias J. Kannwischer | 23 February 2024, 02:56:55 UTC | update M4 Kyber to be compatible with NIST Draft | 23 February 2024, 02:56:55 UTC |
| 5087fd8 | Matthias J. Kannwischer | 23 February 2024, 02:56:33 UTC | remove Kyber-90s; won't be standardized | 23 February 2024, 02:56:33 UTC |
| c839498 | Matthias J. Kannwischer | 23 February 2024, 02:55:57 UTC | update PQClean | 23 February 2024, 02:55:57 UTC |
| 62244ef | rpls | 24 January 2024, 11:30:45 UTC | Merge pull request #331 from mupq/haetae-fix Use fixed HAETAE reference | 24 January 2024, 11:30:45 UTC |
| a39a172 | Richard Petri | 24 January 2024, 11:29:33 UTC | Use fixed HAETAE reference | 24 January 2024, 11:29:33 UTC |
| 82f4e23 | Richard Petri | 20 January 2024, 22:39:05 UTC | Merge branch 'update-PERK-m4' improve compression for PERK short levels I and II #328 | 20 January 2024, 22:39:05 UTC |
| 4702ce9 | Marco Palumbi | 20 January 2024, 09:21:05 UTC | improve compression for short levels I and II | 20 January 2024, 09:21:05 UTC |
| ca8b4f3 | rpls | 19 January 2024, 14:03:07 UTC | Merge pull request #327 from mupq/tuov Add Tuov | 19 January 2024, 14:03:07 UTC |
| 1ccd61f | Richard Petri | 19 January 2024, 13:42:57 UTC | Exclude tuov from builds | 19 January 2024, 13:57:15 UTC |
| f514356 | Richard Petri | 19 January 2024, 13:36:36 UTC | Add Tuov | 19 January 2024, 13:36:36 UTC |
| bfd8248 | rpls | 18 January 2024, 12:22:15 UTC | Merge pull request #325 from mupq/mirith-fix Update for MiRitH | 18 January 2024, 12:22:15 UTC |
| a0dec92 | Richard Petri | 18 January 2024, 12:20:05 UTC | Use updated version of mirith, add embedded optimized version | 18 January 2024, 12:20:05 UTC |
| 54d8313 | Richard Petri | 16 January 2024, 22:34:10 UTC | Run only on push to master, and when PR review requested | 16 January 2024, 22:37:11 UTC |
| d2a8800 | Richard Petri | 16 January 2024, 21:36:40 UTC | Properly wrap missing libc functions and shut up linker warning | 16 January 2024, 22:37:11 UTC |
| dfc968a | rpls | 24 November 2023, 12:21:04 UTC | Update workflow dependencies | 16 January 2024, 22:37:11 UTC |
| 0a47489 | rpls | 03 November 2022, 22:00:33 UTC | Checkout submodules recursively | 16 January 2024, 22:37:11 UTC |
| ee2a6ea | rpls | 03 November 2022, 21:55:10 UTC | Add a github workflow | 16 January 2024, 22:37:11 UTC |
| b381da5 | Richard Petri | 16 January 2024, 21:06:29 UTC | Exclude all non-building schemes for cw308t-stm32f415 | 16 January 2024, 21:20:31 UTC |
| 5398081 | Richard Petri | 16 January 2024, 20:58:48 UTC | Merge branch 'master' of https://github.com/37eex9/pqm4 into cw308t-stm32f415 | 16 January 2024, 20:58:48 UTC |
| ff6b7ab | Richard Petri | 16 January 2024, 20:57:20 UTC | Merge remote-tracking branch 'origin/mirith' | 16 January 2024, 20:57:20 UTC |
| cf017cd | Richard Petri | 16 January 2024, 20:56:42 UTC | Merge remote-tracking branch 'origin/biscuit' | 16 January 2024, 20:56:42 UTC |
| 1c27aa0 | Richard Petri | 16 January 2024, 20:54:18 UTC | Add MEDS | 16 January 2024, 20:54:18 UTC |
| d93ba34 | Richard Petri | 16 January 2024, 19:41:35 UTC | Merge remote-tracking branch 'origin/aimer' into master | 16 January 2024, 19:41:35 UTC |
| de6b4d9 | Richard Petri | 16 January 2024, 18:06:55 UTC | Merge remote-tracking branch 'origin/sphinca' into sphincsa Add SPHINCS-alpha #312 | 16 January 2024, 18:06:55 UTC |
| 57bb7dc | Matthias J. Kannwischer | 15 January 2024, 13:19:53 UTC | update mupq | 15 January 2024, 13:19:53 UTC |
| a34a481 | Matthias J. Kannwischer | 12 January 2024, 14:46:55 UTC | add AIMer | 12 January 2024, 16:23:54 UTC |
| 8e64b0e | Richard Petri | 11 January 2024, 19:48:54 UTC | Merge remote-tracking branch 'origin/snova' | 11 January 2024, 19:48:54 UTC |
| fbebf44 | Richard Petri | 11 January 2024, 18:30:42 UTC | Remove old perk entries from skiplist Fixes #321 | 11 January 2024, 18:30:42 UTC |
| c3dbd50 | Matthias J. Kannwischer | 11 January 2024, 10:14:04 UTC | add skiplist entries for mqom | 11 January 2024, 18:22:33 UTC |
| 759389b | Richard Petri | 07 January 2024, 23:21:31 UTC | Add HAETAE to skiplist and update mupq | 07 January 2024, 23:21:31 UTC |
| 4ad3ef6 | Richard Petri | 07 January 2024, 23:08:59 UTC | Merge branch 'haetae' of https://github.com/mmoeller23/pqm4 into mmoeller23-haetae | 07 January 2024, 23:08:59 UTC |
| 1fa2eac | Richard Petri | 07 January 2024, 23:04:19 UTC | Add perk to skiplist and update mupq | 07 January 2024, 23:04:19 UTC |
| f376768 | Richard Petri | 07 January 2024, 22:28:47 UTC | Merge branch 'add-PERK-m4' of https://github.com/marco-palumbi/pqm4 into marco-palumbi-add-PERK-m4 | 07 January 2024, 22:28:47 UTC |
| a7fe0c1 | Marco Palumbi | 05 January 2024, 18:19:56 UTC | use symbolic links whenever possible | 05 January 2024, 18:19:56 UTC |
| d98a162 | Matthias J. Kannwischer | 18 December 2023, 02:07:27 UTC | Update Kyber poly_tomsg to fix timing leak (w/ -Os) This (partially) addresses https://github.com/mupq/pqm4/issues/319. The function poly_tomsg from the reference implementation of Kyber (which was copied into the M4-optimized implementations) would result in a variable-time udiv instruction operating on secret data when compiled with gcc using -Os. I tried a couple of versions from gcc 11 to gcc 13, but did not see any difference. This commit updates the m4-specific code to use the patch from https://github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220. Note that the code in PQClean has not yet been updated and hence the clean implementation within pqm4 is still vulnerable. | 19 December 2023, 13:44:24 UTC |
| 4956a30 | Marco Palumbi | 07 December 2023, 13:17:04 UTC | fix ldscripts for the stm32f4discovery board | 07 December 2023, 13:17:04 UTC |
| d581941 | Marco Palumbi | 07 December 2023, 13:10:59 UTC | use fullram linker script with some version | 07 December 2023, 13:10:59 UTC |
| 8dc5cf5 | Marco Palumbi | 07 December 2023, 12:59:00 UTC | add PERK for all NIST levels Implementation compliant with version v1.1 of 2023/10/16 https://pqc-perk.org/ | 07 December 2023, 13:06:08 UTC |
| 8719b8e | Marc | 01 December 2023, 10:39:22 UTC | Move reference implementations to MUPQ/MUPQ The pure C reference implementations were removed from this pull request. A corresponding pull request in MUPQ/MUPQ has been initiated: https://github.com/mupq/mupq/pull/131 | 01 December 2023, 10:39:30 UTC |
| f7aedf0 | Marc | 01 December 2023, 08:30:58 UTC | Add low-mem ref implementation to all schemes Add slightly modified reference implementations to haetae2, haetae3 and haetae5, labeled as `ref`, with lower stack memory footprint than the original reference implementation. This enables running testvectors.py for all schemes. CAVEAT: This commit modifies the following PQM4 core files * ldscripts/stm32f4discovery.ld * ldscripts/stm32f4discovery_fullram.ld * mk/stm32f4discovery.mk The two load scripts are modified as recommended in [issue 310](https://github.com/mupq/pqm4/issues/310#issuecomment-1810255939). The make file is modified to use full ram for the implementations m4f and ref of scheme haetae5, as they would run out of memory otherwise, similar to dilithium5. The stack memory footprint was reduced by: * Storing A1 using uint16 instead of int32, halving its footprint * Grouping some vectors inside `crypto_sign_signature()`, whose periods of liveliness do not overlap, into unions. The modification is light enough to easily verify consistency with the reference implementation. | 01 December 2023, 08:38:02 UTC |
| e122421 | Marc | 01 December 2023, 08:17:04 UTC | add low-mem ref implementation to all schemes Add slightly modified reference implementations to haetae2, Add slightly modified reference implementations to haetae2, haetae3 and haetae5 with lower stack memory footprint than the original reference implementation. This enables the test vector comparison for all schemes. CAVEAT: This commit modifies the following PQM4 core files * ldscripts/stm32f4discovery.ld * ldscripts/stm32f4discovery_fullram.ld * mk/stm32f4discovery.mk The two load scripts are modified as recommended in [issue 310](https://github.com/mupq/pqm4/issues/310#issuecomment-1810255939). The make file is modified to use full ram for the implementations m4f and ref of scheme haetae5, as they would run out of memory otherwise, similar to dilithium5. The stack memory footprint was reduced by: * Storing A1 using uint16 instead of int32, halving its footprint * Grouping some vectors inside `crypto_sign_signature()`, whose periods of liveliness do not overlap, into unions. The modification is light enough to easily verify consistency with the reference implementation. | 01 December 2023, 08:18:31 UTC |
| 258a11f | Marc | 27 November 2023, 10:36:32 UTC | add ref implementation for haetae2 stack usage (keypair/sign/verify): * haetae2: 26152 / 83128 / 29856 | 01 December 2023, 08:14:29 UTC |
| 76f069c | Till Eifert | 27 October 2023, 05:48:26 UTC | stm32f415: enable hw rng and extend clock setup update interface.py platform_memory to handle stm32f415 | 26 November 2023, 12:06:42 UTC |
| bd9b47d | Matthias J. Kannwischer | 25 November 2023, 07:24:26 UTC | recompute static tables | 25 November 2023, 07:24:26 UTC |
| c8b3456 | Matthias J. Kannwischer | 24 November 2023, 09:11:57 UTC | do expensive pre-computation only once | 24 November 2023, 09:11:57 UTC |
| dc26f54 | Richard Petri | 24 November 2023, 08:56:49 UTC | Update mupq | 24 November 2023, 08:56:49 UTC |
| 991a5b6 | Richard Petri | 24 November 2023, 08:53:06 UTC | Update skiplist for bike | 24 November 2023, 08:54:00 UTC |
| c37de3c | Richard Petri | 24 November 2023, 08:36:28 UTC | Merge branch 'bike-round4' of https://github.com/37eex9/pqm4 into 37eex9-bike-round4 | 24 November 2023, 08:36:28 UTC |
| 8821d31 | Richard Petri | 24 November 2023, 08:05:20 UTC | Add MiRitH | 24 November 2023, 08:05:20 UTC |
| 71f0daa | Richard Petri | 24 November 2023, 07:58:50 UTC | Add biscuit | 24 November 2023, 08:02:41 UTC |
| d436546 | Richard Petri | 24 November 2023, 07:54:08 UTC | Merge remote-tracking branch 'origin/cross' | 24 November 2023, 07:54:08 UTC |
| 694a4a8 | Matthias J. Kannwischer | 24 November 2023, 07:52:07 UTC | eliminate static memory | 24 November 2023, 07:52:07 UTC |
| 968fbef | Richard Petri | 24 November 2023, 07:51:35 UTC | Merge remote-tracking branch 'origin/asconsign' | 24 November 2023, 07:51:35 UTC |
| f955de1 | Richard Petri | 24 November 2023, 07:49:22 UTC | Merge remote-tracking branch 'origin/perk' | 24 November 2023, 07:49:22 UTC |
| 111ea35 | Richard Petri | 24 November 2023, 07:48:02 UTC | Merge remote-tracking branch 'origin/hawk' | 24 November 2023, 07:48:02 UTC |
| a35e15b | Richard Petri | 24 November 2023, 07:45:36 UTC | Merge remote-tracking branch 'origin/mayo' | 24 November 2023, 07:45:36 UTC |
| c2438e0 | Matthias J. Kannwischer | 24 November 2023, 07:41:59 UTC | turn into symlinks | 24 November 2023, 07:41:59 UTC |
| 3bac106 | Marc | 23 November 2023, 09:44:48 UTC | Adds HAETAE This commit implements the post-quantum signature scheme HAETAE from https://eprint.iacr.org/2023/624 https://kpqc.cryptolab.co.kr/haetae The stack strategy can be selected in config.h by setting STACK_STRATEGY to the appropriate value (run "make clean" after the change). * 0 or undefined: Optimized for speed (default). * 1: Disable buffers for the polynomials of the verification key in crypto_sign_keypair() and crypto_sign(). This reduces speed, as the key needs to be recomputed after each rejection. * 2: In addition to 1, sample the hyperball in multiple passes, such that some intermediate values are computed on demand, rather than being buffered. This roughly doubles the runtime of crypto_sign(). | 23 November 2023, 09:44:59 UTC |
| 8e19ad7 | Matthias J. Kannwischer | 23 November 2023, 09:07:07 UTC | add SPHINCS-alpha | 23 November 2023, 09:07:07 UTC |
| b48968e | Marc | 22 November 2023, 16:28:46 UTC | Update HAETAE This commit implements the post-quantum signature scheme HAETAE from https://eprint.iacr.org/2023/624 https://kpqc.cryptolab.co.kr/haetae The stack strategy can be chosen config.h by setting STACK_STRATEGY to the appropriate value (run "make clean" when changing it). * 0 or undefined: Optimized for speed (default). * 1: Disable buffers for the polynomials of the verification key in crypto_sign_keypair() and crypto_sign(). This reduces speed, as the key needs to be recomputed after each rejection. * 2: In addition to 1, sample the hyperball in multiple passes, such that some intermediate values are computed on demand, rather than being buffered. This roughly doubles the runtime of crypto_sign(). The scheme HAETAE2 contains a reference implementation, which has been renamed from "clean" in previous commits to "ref". The reference implementation would run out of memory for schemes HAETAE3 and HAETAE5 and is therefore not included for these schemes. | 22 November 2023, 16:28:54 UTC |
| fe44f74 | Marc | 22 November 2023, 16:13:43 UTC | Merge branch 'haetae_dev' into haetae | 22 November 2023, 16:13:43 UTC |
| 0bdc33e | Marc | 22 November 2023, 16:10:51 UTC | add clean implementation for HAETAE2 The clean implementation is only minimally changed from the reference implementation to conform with the PQM4 API. The clean implementation would run out of memory for HAETAE3 and HAETAE5 and is therefore not added for those modes. | 22 November 2023, 16:10:51 UTC |
| a031ee4 | Marc | 22 November 2023, 14:56:35 UTC | add STACK_STRATEGY switch to config.h This implementation offers different stack strategies: * 0: Optimized for speed. * 1: Does not buffer the polynomials of the verification key in crypto_sign_keypair() and crypto_sign_signature(), thus reducing stack usage at the cost of some speed. * 2: In addition to 1, the hyperballs are sampled in multiple passes in crypto_sign_signature(), which reduces the stack usage for temporary variables. This roughly doubles the execution time of crypto_sign_signature(). | 22 November 2023, 14:56:44 UTC |
| 7eee34e | Marc | 21 November 2023, 22:58:03 UTC | compute challenge polynomial directly and sample hyperball coin deterministically * Move challenge seed generation from crypto_sign() to poly_challenge(). * Sample the random byte b deterministically inside of polyfixveclk_sample_hyperball(). It is used to: * determine the sign in hyperball sampling (bit mask 0x01) * reject with 50% odds in the overlap region (bit mask 0x02) * M4F version corresponds to reference version of 2023-11-20. | 22 November 2023, 07:33:13 UTC |
| 564ac86 | Marc | 20 November 2023, 23:01:11 UTC | initial commit of HAETAE M4F version corresponds to reference version of 2023-10-21. | 20 November 2023, 23:01:11 UTC |
