Force alignment of structures (#151)

Unaligned structures can incur significant performance penalties during memory operations. Signed-off-by: Hanno Becker <[email protected]>
pq-code-package · Sep 24, 2024 · fe8175f · fe8175f
1 parent a1fb12f
commit fe8175f
Show file tree

Hide file tree

Showing 9 changed files with 39 additions and 31 deletions.
diff --git a/mlkem/common.h b/mlkem/common.h
@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: Apache-2.0
+#ifndef COMMON_H
+#define COMMON_H
+
+#define ALIGN(x) __attribute__((aligned(x)))
+
+#endif
diff --git a/mlkem/indcpa.c b/mlkem/indcpa.c
@@ -286,7 +286,7 @@ void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
                            const uint8_t coins[KYBER_SYMBYTES])
 {
     unsigned int i;
-    uint8_t buf[2 * KYBER_SYMBYTES];
+    uint8_t buf[2 * KYBER_SYMBYTES] ALIGN(16);
     const uint8_t *publicseed = buf;
     const uint8_t *noiseseed = buf + KYBER_SYMBYTES;
     polyvec a[KYBER_K], e, pkpv, skpv;
@@ -350,7 +350,7 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
                 const uint8_t coins[KYBER_SYMBYTES])
 {
     unsigned int i;
-    uint8_t seed[KYBER_SYMBYTES];
+    uint8_t seed[KYBER_SYMBYTES] ALIGN(16);
     polyvec sp, pkpv, ep, at[KYBER_K], b;
     polyvec_mulcache sp_cache;
     poly v, k, epp;

diff --git a/mlkem/kem.c b/mlkem/kem.c
@@ -51,7 +51,7 @@ int crypto_kem_keypair_derand(uint8_t *pk,
 int crypto_kem_keypair(uint8_t *pk,
                        uint8_t *sk)
 {
-    uint8_t coins[2 * KYBER_SYMBYTES];
+    uint8_t coins[2 * KYBER_SYMBYTES] ALIGN(16);
     randombytes(coins, 2 * KYBER_SYMBYTES);
     crypto_kem_keypair_derand(pk, sk, coins);
     return 0;
@@ -79,9 +79,9 @@ int crypto_kem_enc_derand(uint8_t *ct,
                           const uint8_t *pk,
                           const uint8_t *coins)
 {
-    uint8_t buf[2 * KYBER_SYMBYTES];
+    uint8_t buf[2 * KYBER_SYMBYTES] ALIGN(16);
     /* Will contain key, coins */
-    uint8_t kr[2 * KYBER_SYMBYTES];
+    uint8_t kr[2 * KYBER_SYMBYTES] ALIGN(16);
 
     memcpy(buf, coins, KYBER_SYMBYTES);
 
@@ -115,7 +115,7 @@ int crypto_kem_enc(uint8_t *ct,
                    uint8_t *ss,
                    const uint8_t *pk)
 {
-    uint8_t coins[KYBER_SYMBYTES];
+    uint8_t coins[KYBER_SYMBYTES] ALIGN(16);
     randombytes(coins, KYBER_SYMBYTES);
     crypto_kem_enc_derand(ct, ss, pk, coins);
     return 0;
@@ -143,10 +143,10 @@ int crypto_kem_dec(uint8_t *ss,
                    const uint8_t *sk)
 {
     int fail;
-    uint8_t buf[2 * KYBER_SYMBYTES];
+    uint8_t buf[2 * KYBER_SYMBYTES] ALIGN(16);
     /* Will contain key, coins */
-    uint8_t kr[2 * KYBER_SYMBYTES];
-    uint8_t cmp[KYBER_CIPHERTEXTBYTES + KYBER_SYMBYTES];
+    uint8_t kr[2 * KYBER_SYMBYTES] ALIGN(16);
+    uint8_t cmp[KYBER_CIPHERTEXTBYTES + KYBER_SYMBYTES] ALIGN(16);
     const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;
 
     indcpa_dec(buf, ct, sk);

diff --git a/mlkem/params.h b/mlkem/params.h
@@ -2,6 +2,7 @@
 #ifndef PARAMS_H
 #define PARAMS_H
 
+#include "common.h"
 #include "cpucap.h"
 
 #ifndef KYBER_K

diff --git a/mlkem/poly.c b/mlkem/poly.c
@@ -413,8 +413,8 @@ void poly_getnoise_eta1_4x(poly *r0,
                            uint8_t nonce2,
                            uint8_t nonce3)
 {
-    uint8_t buf[KECCAK_WAY][KYBER_ETA1 * KYBER_N / 4];
-    uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
+    uint8_t buf[KECCAK_WAY][KYBER_ETA1 * KYBER_N / 4] ALIGN(16);
+    uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1] ALIGN(16);
     memcpy(extkey[0], seed, KYBER_SYMBYTES);
     memcpy(extkey[1], seed, KYBER_SYMBYTES);
     memcpy(extkey[2], seed, KYBER_SYMBYTES);
@@ -445,7 +445,7 @@ void poly_getnoise_eta1_4x(poly *r0,
 **************************************************/
 void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce)
 {
-    uint8_t buf[KYBER_ETA2 * KYBER_N / 4];
+    uint8_t buf[KYBER_ETA2 * KYBER_N / 4] ALIGN(16);
     prf(buf, sizeof(buf), seed, nonce);
     poly_cbd_eta2(r, buf);
 }
@@ -472,8 +472,8 @@ void poly_getnoise_eta2_4x(poly *r0,
                            uint8_t nonce2,
                            uint8_t nonce3)
 {
-    uint8_t buf[KECCAK_WAY][KYBER_ETA2 * KYBER_N / 4];
-    uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
+    uint8_t buf[KECCAK_WAY][KYBER_ETA2 * KYBER_N / 4] ALIGN(16);
+    uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1] ALIGN(16);
     memcpy(extkey[0], seed, KYBER_SYMBYTES);
     memcpy(extkey[1], seed, KYBER_SYMBYTES);
     memcpy(extkey[2], seed, KYBER_SYMBYTES);
@@ -512,9 +512,9 @@ void poly_getnoise_eta1122_4x(poly *r0,
                               uint8_t nonce2,
                               uint8_t nonce3)
 {
-    uint8_t buf1[KECCAK_WAY/2][KYBER_ETA1 * KYBER_N / 4];
-    uint8_t buf2[KECCAK_WAY/2][KYBER_ETA2 * KYBER_N / 4];
-    uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1];
+    uint8_t buf1[KECCAK_WAY/2][KYBER_ETA1 * KYBER_N / 4] ALIGN(16);
+    uint8_t buf2[KECCAK_WAY/2][KYBER_ETA2 * KYBER_N / 4] ALIGN(16);
+    uint8_t extkey[KECCAK_WAY][KYBER_SYMBYTES + 1] ALIGN(16);
     memcpy(extkey[0], seed, KYBER_SYMBYTES);
     memcpy(extkey[1], seed, KYBER_SYMBYTES);
     memcpy(extkey[2], seed, KYBER_SYMBYTES);

diff --git a/mlkem/poly.h b/mlkem/poly.h
@@ -14,7 +14,7 @@
 typedef struct
 {
     int16_t coeffs[KYBER_N];
-} poly;
+} ALIGN(16) poly;
 
 /*
  * INTERNAL presentation of precomputed data speeding up

diff --git a/mlkem/polyvec.h b/mlkem/polyvec.h
@@ -9,7 +9,7 @@
 typedef struct
 {
     poly vec[KYBER_K];
-} polyvec;
+} ALIGN(16) polyvec;
 
 // REF-CHANGE: This struct does not exist in the reference implementation
 typedef struct

diff --git a/test/gen_KAT.c b/test/gen_KAT.c
@@ -27,12 +27,12 @@ static void shake256_absorb(shake256incctx *state, const uint8_t *input, size_t
 
 int main(void)
 {
-    uint8_t coins[3 * KYBER_SYMBYTES];
-    uint8_t pk[CRYPTO_PUBLICKEYBYTES];
-    uint8_t sk[CRYPTO_SECRETKEYBYTES];
-    uint8_t ct[CRYPTO_CIPHERTEXTBYTES];
-    uint8_t ss1[CRYPTO_BYTES];
-    uint8_t ss2[CRYPTO_BYTES];
+    uint8_t coins[3 * KYBER_SYMBYTES] ALIGN(16);
+    uint8_t pk[CRYPTO_PUBLICKEYBYTES] ALIGN(16);
+    uint8_t sk[CRYPTO_SECRETKEYBYTES] ALIGN(16);
+    uint8_t ct[CRYPTO_CIPHERTEXTBYTES] ALIGN(16);
+    uint8_t ss1[CRYPTO_BYTES] ALIGN(16);
+    uint8_t ss2[CRYPTO_BYTES] ALIGN(16);
 
     const uint8_t seed[64] = {32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
                               48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,

diff --git a/test/gen_NISTKAT.c b/test/gen_NISTKAT.c
@@ -40,13 +40,13 @@ static void randombytes_nth(uint8_t *seed, size_t nth, size_t len)
 
 int main(void)
 {
-    uint8_t seed[48];
+    uint8_t seed[48] ALIGN(16);
     FILE *fh = stdout;
-    uint8_t public_key[CRYPTO_PUBLICKEYBYTES];
-    uint8_t secret_key[CRYPTO_SECRETKEYBYTES];
-    uint8_t ciphertext[CRYPTO_CIPHERTEXTBYTES];
-    uint8_t shared_secret_e[CRYPTO_BYTES];
-    uint8_t shared_secret_d[CRYPTO_BYTES];
+    uint8_t public_key[CRYPTO_PUBLICKEYBYTES] ALIGN(16);
+    uint8_t secret_key[CRYPTO_SECRETKEYBYTES] ALIGN(16);
+    uint8_t ciphertext[CRYPTO_CIPHERTEXTBYTES] ALIGN(16);
+    uint8_t shared_secret_e[CRYPTO_BYTES] ALIGN(16);
+    uint8_t shared_secret_d[CRYPTO_BYTES] ALIGN(16);
     int rc;
 
     int count = 0;