BIKE submission for PQM4

benchmarks.csv

@@ -1,6 +1,8 @@
 Speed Evaluation,,,,,,,,,,
 Key Encapsulation Schemes,,,,,,,,,,
 Scheme,Implementation,Key Generation [cycles] (mean),Key Generation [cycles] (min),Key Generation [cycles] (max),Encapsulation [cycles] (mean),Encapsulation [cycles] (min),Encapsulation [cycles] (max),Decapsulation [cycles] (mean),Decapsulation [cycles] (min),Decapsulation [cycles] (max)
+bikel1 (100 executions),m4f,25059586,25044097,25080997,3398384,3371979,3417178,54793168,54774340,54823993
+bikel1 (100 executions),ref,65551874,65532779,65569765,4962214,4941128,4978626,116543558,116510779,116572274
 firesaber (100 executions),clean,3723480,3723480,3723480,4622127,4622127,4622127,5233205,5233205,5233205
 firesaber (100 executions),m4f,1007477,1007477,1007477,1256353,1256353,1256353,1231994,1231994,1231994
 frodokem640aes (100 executions),m4,48348105,48348105,48348105,47130922,47130922,47130922,46594383,46594383,46594383
@@ -103,6 +105,8 @@ sphincs-shake256-256s-simple (1 executions),clean,3996764935,3996764935,39967649
 Memory Evaluation,,,,,,,,,,
 Key Encapsulation Schemes,,,,,,,,,,
 Scheme,Implementation,Key Generation [bytes],Encapsulation [bytes],Decapsulation [bytes],,,,,,
+bikel1,m4f,44108,32156,91400,,,,,,
+bikel1,ref,35960,25908,78784,,,,,,
 firesaber,clean,19524,19628,21108,,,,,,
 firesaber,m4f,37116,40484,41964,,,,,,
 frodokem640aes,m4,31992,62488,83104,,,,,,
@@ -205,6 +209,8 @@ sphincs-shake256-256s-simple,clean,5904,5808,5172,,,,,,
 Hashing Evaluation,,,,,,,,,,
 Key Encapsulation Schemes,,,,,,,,,,
 Scheme,Implementation,Key Generation [%],Encapsulation [%],Decapsulation [%],,,,,,
+bikel1,m4f,0.7,15.1,1.3,,,,,,
+bikel1,ref,0.3,10.3,0.6,,,,,,
 firesaber,clean,19.2,19.1,14.1,,,,,,
 firesaber,m4f,70.9,70.1,60.1,,,,,,
 frodokem640aes,m4,74.3,77.8,77.1,,,,,,
@@ -307,6 +313,8 @@ sphincs-shake256-256s-simple,clean,96.3,96.1,96.2,,,,,,
 Size Evaluation,,,,,,,,,,
 Key Encapsulation Schemes,,,,,,,,,,
 Scheme,Implementation,.text [bytes],.data [bytes],.bss [bytes],Total [bytes],,,,,
+bikel1,m4f,181430,24,49,181503,,,,,
+bikel1,ref,35199,24,1,35224,,,,,
 firesaber,clean,10220,0,0,10220,,,,,
 firesaber,m4f,10972,0,0,10972,,,,,
 frodokem640aes,m4,8568,0,0,8568,,,,,

benchmarks.md

@@ -2,6 +2,8 @@
 ## Key Encapsulation Schemes
 | scheme | implementation | key generation [cycles] | encapsulation [cycles] | decapsulation [cycles] |
 | ------ | -------------- | ----------------------- | ---------------------- | ---------------------- |
+| bikel1 (100 executions) | m4f | AVG: 25,059,586 <br /> MIN: 25,044,097 <br /> MAX: 25,080,997 | AVG: 3,398,384 <br /> MIN: 3,371,979 <br /> MAX: 3,417,178 | AVG: 54,793,168 <br /> MIN: 54,774,340 <br /> MAX: 54,823,993 |
+| bikel1 (100 executions) | ref | AVG: 65,551,874 <br /> MIN: 65,532,779 <br /> MAX: 65,569,765 | AVG: 4,962,214 <br /> MIN: 4,941,128 <br /> MAX: 4,978,626 | AVG: 116,543,558 <br /> MIN: 116,510,779 <br /> MAX: 116,572,274 |
 | firesaber (100 executions) | clean | AVG: 3,723,480 <br /> MIN: 3,723,480 <br /> MAX: 3,723,480 | AVG: 4,622,127 <br /> MIN: 4,622,127 <br /> MAX: 4,622,127 | AVG: 5,233,205 <br /> MIN: 5,233,205 <br /> MAX: 5,233,205 |
 | firesaber (100 executions) | m4f | AVG: 1,007,477 <br /> MIN: 1,007,477 <br /> MAX: 1,007,477 | AVG: 1,256,353 <br /> MIN: 1,256,353 <br /> MAX: 1,256,353 | AVG: 1,231,994 <br /> MIN: 1,231,994 <br /> MAX: 1,231,994 |
 | frodokem640aes (100 executions) | m4 | AVG: 48,348,105 <br /> MIN: 48,348,105 <br /> MAX: 48,348,105 | AVG: 47,130,922 <br /> MIN: 47,130,922 <br /> MAX: 47,130,922 | AVG: 46,594,383 <br /> MIN: 46,594,383 <br /> MAX: 46,594,383 |
@@ -106,6 +108,8 @@
 ## Key Encapsulation Schemes
 | Scheme | Implementation | Key Generation [bytes] | Encapsulation [bytes] | Decapsulation [bytes] |
 | ------ | -------------- | ---------------------- | --------------------- | --------------------- |
+| bikel1 | m4f | 44,108 | 32,156 | 91,400 |
+| bikel1 | ref | 35,960 | 25,908 | 78,784 |
 | firesaber | clean | 19,524 | 19,628 | 21,108 |
 | firesaber | m4f | 37,116 | 40,484 | 41,964 |
 | frodokem640aes | m4 | 31,992 | 62,488 | 83,104 |
@@ -210,6 +214,8 @@
 ## Key Encapsulation Schemes
 | Scheme | Implementation | Key Generation [%] | Encapsulation [%] | Decapsulation [%] |
 | ------ | -------------- | ------------------ | ----------------- | ----------------- |
+| bikel1 | m4f | 0.7% | 15.1% | 1.3% |
+| bikel1 | ref | 0.3% | 10.3% | 0.6% |
 | firesaber | clean | 19.2% | 19.1% | 14.1% |
 | firesaber | m4f | 70.9% | 70.1% | 60.1% |
 | frodokem640aes | m4 | 74.3% | 77.8% | 77.1% |
@@ -314,6 +320,8 @@
 ## Key Encapsulation Schemes
 | Scheme | Implementation | .text [bytes] | .data [bytes] | .bss [bytes] | Total [bytes] |
 | ------ | -------------- | ------------- | ------------- | ------------ | ------------- |
+| bikel1 | m4f | 181,430 | 24 | 49 | 181,503 |
+| bikel1 | ref | 35,199 | 24 | 1 | 35,224 |
 | firesaber | clean | 10,220 | 0 | 0 | 10,220 |
 | firesaber | m4f | 10,972 | 0 | 0 | 10,972 |
 | frodokem640aes | m4 | 8,568 | 0 | 0 | 8,568 |

crypto_kem/bikel1/m4f/aes_ctr_prf.c

@@ -0,0 +1,97 @@
+/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0"
+ *
+ * Written by Nir Drucker, Shay Gueron and Dusan Kostic,
+ * AWS Cryptographic Algorithms Group.
+ */
+
+#include "aes_ctr_prf.h"
+#include "utilities.h"
+
+ret_t init_aes_ctr_prf_state(OUT aes_ctr_prf_state_t *s,
+                             IN const uint32_t        max_invokations,
+                             IN const seed_t *seed)
+{
+  if(0 == max_invokations) {
+    BIKE_ERROR(E_AES_CTR_PRF_INIT_FAIL);
+  }
+
+  // Set the key schedule (from seed).
+  // Make sure the size matches the AES256 key size.
+  DEFER_CLEANUP(aes256_key_t key, aes256_key_cleanup);
+
+  bike_static_assert(sizeof(*seed) == sizeof(key.raw), seed_size_equals_ky_size);
+  bike_memcpy(key.raw, seed->raw, sizeof(key.raw));
+
+  GUARD(aes256_key_expansion(&s->ks, &key));
+
+  // Initialize buffer and counter
+  s->ctr.u.qw[0]    = 0;
+  s->ctr.u.qw[1]    = 0;
+  s->buffer.u.qw[0] = 0;
+  s->buffer.u.qw[1] = 0;
+
+  s->pos             = AES256_BLOCK_BYTES;
+  s->rem_invokations = max_invokations;
+
+  DMSG("    Init aes_prf_ctr state:\n");
+  DMSG("      s.pos = %d\n", s->pos);
+  DMSG("      s.rem_invokations = %u\n", s->rem_invokations);
+
+  return SUCCESS;
+}
+
+_INLINE_ ret_t perform_aes(OUT uint8_t *ct, IN OUT aes_ctr_prf_state_t *s)
+{
+  // Ensure that the CTR is large enough
+  bike_static_assert(
+    ((sizeof(s->ctr.u.qw[0]) == 8) && (BIT(33) >= MAX_AES_INVOKATION)),
+    ctr_size_is_too_small);
+
+  if(0 == s->rem_invokations) {
+    BIKE_ERROR(E_AES_OVER_USED);
+  }
+
+  GUARD(aes256_enc(ct, s->ctr.u.bytes, &s->ks));
+
+  s->ctr.u.qw[0]++;
+  s->rem_invokations--;
+
+  return SUCCESS;
+}
+
+ret_t aes_ctr_prf(OUT uint8_t *a,
+                  IN OUT aes_ctr_prf_state_t *s,
+                  IN const uint32_t           len)
+{
+  // When Len is smaller than use what's left in the buffer,
+  // there is no need for additional AES invocations.
+  if((len + s->pos) <= AES256_BLOCK_BYTES) {
+    bike_memcpy(a, &s->buffer.u.bytes[s->pos], len);
+    s->pos += len;
+
+    return SUCCESS;
+  }
+
+  // If s.pos != AES256_BLOCK_BYTES then copy what's left in the buffer.
+  // Else copy zero bytes
+  uint32_t idx = AES256_BLOCK_BYTES - s->pos;
+  bike_memcpy(a, &s->buffer.u.bytes[s->pos], idx);
+
+  // Init s.pos
+  s->pos = 0;
+
+  // Copy full AES blocks
+  while((len - idx) >= AES256_BLOCK_BYTES) {
+    GUARD(perform_aes(&a[idx], s));
+    idx += AES256_BLOCK_BYTES;
+  }
+
+  GUARD(perform_aes(s->buffer.u.bytes, s));
+
+  // Copy the tail
+  s->pos = len - idx;
+  bike_memcpy(&a[idx], s->buffer.u.bytes, s->pos);
+
+  return SUCCESS;
+}

crypto_kem/bikel1/m4f/aes_ctr_prf.h

@@ -0,0 +1,43 @@
+/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0"
+ *
+ * Written by Nir Drucker, Shay Gueron and Dusan Kostic,
+ * AWS Cryptographic Algorithms Group.
+ */
+
+#pragma once
+
+#include "bike_aes.h"
+
+//////////////////////////////
+//        Types
+/////////////////////////////
+
+typedef struct aes_ctr_prf_state_s {
+  uint128_t   ctr;
+  uint128_t   buffer;
+  aes256_ks_t ks;
+  uint32_t    rem_invokations;
+  uint8_t     pos;
+} aes_ctr_prf_state_t;
+
+//////////////////////////////
+//        Methods
+/////////////////////////////
+
+ret_t init_aes_ctr_prf_state(OUT aes_ctr_prf_state_t *s,
+                             IN uint32_t              max_invokations,
+                             IN const seed_t *seed);
+
+ret_t aes_ctr_prf(OUT uint8_t *a, IN OUT aes_ctr_prf_state_t *s, IN uint32_t len);
+
+_INLINE_ void finalize_aes_ctr_prf(IN OUT aes_ctr_prf_state_t *s)
+{
+  aes256_free_ks(&s->ks);
+  secure_clean((uint8_t *)s, sizeof(*s));
+}
+
+_INLINE_ void aes_ctr_prf_state_cleanup(IN OUT aes_ctr_prf_state_t *s)
+{
+  finalize_aes_ctr_prf(s);
+}

crypto_kem/bikel1/m4f/api.h

@@ -0,0 +1,15 @@
+/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0"
+ *
+ * Written by Nir Drucker and Shay Gueron
+ * AWS Cryptographic Algorithms Group.
+ */
+
+#pragma once
+
+#include "types.h"
+
+#define CRYPTO_SECRETKEYBYTES  sizeof(sk_t)
+#define CRYPTO_PUBLICKEYBYTES  sizeof(pk_t)
+#define CRYPTO_CIPHERTEXTBYTES sizeof(ct_t)
+#define CRYPTO_BYTES           sizeof(ss_t)