[SB][Library][Fix] Addressed Crypto Review comments for ML-KEM (#777)

Author: ElenaTyuleneva

sources/include/ml_kem_internal/memory_consumption.h

@@ -44,11 +44,11 @@ __IPPCP_INLINE IppStatus mlkemMemoryConsumption(const IppsMLKEMState* pMLKEMCtx,
     sts = ippsHashGetSizeOptimal_rmf(&hashCtxSizeShake, ippsHashMethod_SHAKE256(3 * 256 * 8));
     IPP_BADARG_RET((sts != ippStsNoErr), sts);
     /* keyGen memory consumption */
-    locKeygenBytes =
-        eta1 * 64 + 3 * k * (int)sizeof(Ipp16sPoly) + hashCtxSizeShake + 5 * CP_ML_KEM_ALIGNMENT;
+    locKeygenBytes = eta1 * 64 + 3 * k * (int)sizeof(Ipp16sPoly) + (int)sizeof(Ipp16sPoly) +
+                     hashCtxSizeShake + 5 * CP_ML_KEM_ALIGNMENT;
 
     /* Encaps memory consumption */
-    locEncapsBytes = 4 * (k * (int)sizeof(Ipp16sPoly)) + eta1 * 64 + 3 * (int)sizeof(Ipp16sPoly) +
+    locEncapsBytes = 4 * (k * (int)sizeof(Ipp16sPoly)) + eta1 * 64 + 4 * (int)sizeof(Ipp16sPoly) +
                      hashCtxSizeShake + 9 * CP_ML_KEM_ALIGNMENT;
 
     /* Decaps memory consumption */
@@ -57,7 +57,7 @@ __IPPCP_INLINE IppStatus mlkemMemoryConsumption(const IppsMLKEMState* pMLKEMCtx,
     int hashCtxSizeSHA3_512 = 0;
     sts = ippsHashGetSizeOptimal_rmf(&hashCtxSizeSHA3_512, ippsHashMethod_SHA3_512());
     IPP_BADARG_RET((sts != ippStsNoErr), sts);
-    locDecapsBytes = IPP_MAX(hashCtxSizeShake, hashCtxSizeSHA3_512) + 2 * (int)sizeof(Ipp16sPoly) +
+    locDecapsBytes = IPP_MAX(hashCtxSizeShake, hashCtxSizeSHA3_512) + 3 * (int)sizeof(Ipp16sPoly) +
                      2 * (k * (int)sizeof(Ipp16sPoly)) + 32 * (d_u * k + d_v) + locEncapsBytes +
                      3 * CP_ML_KEM_ALIGNMENT;
 

sources/include/ml_kem_internal/ml_kem.h

@@ -54,6 +54,12 @@ struct _cpMLKEMState {
  */
 typedef enum { nttTransform, noNttTransform } nttTransformFlag;
 
+/*
+ * Stuff enumerator used in cp_matrixAGen() to conditionally generate
+ * transposed matrix A
+ */
+typedef enum { matrixAOrigin, matrixATransposed } matrixAGenType;
+
 /* State ID set\check helpers */
 #define CP_ML_KEM_SET_ID(pCtx)   ((pCtx)->idCtx = (Ipp32u)idCtxMLKEM ^ (Ipp32u)IPP_UINT_PTR(pCtx))
 #define CP_ML_KEM_VALID_ID(pCtx) ((((pCtx)->idCtx) ^ (Ipp32u)IPP_UINT_PTR(pCtx)) == idCtxMLKEM)
@@ -85,14 +91,40 @@ typedef struct {
 //        Stuff functions
 //-------------------------------//
 
-#define CP_CHECK_FREE_RET(IN_RET_CONDITION, IN_STATUS, IN_P_STORAGE) \
-    {                                                                \
-        if (IN_RET_CONDITION) {                                      \
-            cp_mlkemStorageReleaseAll(IN_P_STORAGE);                 \
-            return IN_STATUS;                                        \
-        }                                                            \
+#define CP_CHECK_FREE_RET(IN_RET_CONDITION, IN_STATUS, IN_P_STORAGE)        \
+    {                                                                       \
+        if (IN_RET_CONDITION) {                                             \
+            IppStatus releaseSts = cp_mlkemStorageReleaseAll(IN_P_STORAGE); \
+            return (IN_STATUS) | releaseSts;                                \
+        }                                                                   \
     }
 
+/* Memory allocation helpers for poly and polyvec */
+/* clang-format off */
+#define CP_ML_KEM_ALLOCATE_ALIGNED_POLYVEC(NAME, SIZE, STORAGE)                                  \
+    Ipp16sPoly*(NAME) = (Ipp16sPoly*)cp_mlkemStorageAllocate((STORAGE),                          \
+                                             (SIZE) * sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT); \
+    CP_CHECK_FREE_RET((NAME) == NULL, ippStsMemAllocErr, (STORAGE));                             \
+    (NAME) = IPP_ALIGNED_PTR((NAME), CP_ML_KEM_ALIGNMENT);
+/* clang-format on */
+
+#define CP_ML_KEM_ALLOCATE_ALIGNED_POLY(NAME, STORAGE) \
+    CP_ML_KEM_ALLOCATE_ALIGNED_POLYVEC((NAME), 1, (STORAGE))
+
+/* Memory release helpers for poly and polyvec */
+#define CP_ML_KEM_RELEASE_ALIGNED_POLYVEC(SIZE, STORAGE, STATUS) \
+    (STATUS) |=                                                  \
+        cp_mlkemStorageRelease((STORAGE), (SIZE) * sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT);
+
+#define CP_ML_KEM_RELEASE_ALIGNED_POLY(STORAGE, STATUS) \
+    CP_ML_KEM_RELEASE_ALIGNED_POLYVEC(1, (STORAGE), (STATUS))
+
+#ifdef __GNUC__
+#define ASM_VOLATILE(a) __asm__ __volatile__(a);
+#else
+#define ASM_VOLATILE(a)
+#endif
+
 /*
  * Memory allocation primitive working with _cpMLKEMStorage structure.
  * Input: storage     - pointer to _cpMLKEMStorage structure
@@ -127,7 +159,10 @@ __IPPCP_INLINE IppStatus cp_mlkemStorageRelease(_cpMLKEMStorage* storage, Ipp64s
     PurgeBlock(storage->pStorageData + storage->bytesUsed - bytesRelease, (int)bytesRelease);
 
     storage->bytesUsed -= bytesRelease;
-    return ippStsNoErr;
+    ASM_VOLATILE("" ::: "memory")
+
+    // Check that the memory was released and zeroized as intended
+    return (*(storage->pStorageData + storage->bytesUsed) == 0) ? ippStsNoErr : ippStsMemAllocErr;
 }
 
 /*
@@ -136,18 +171,24 @@ __IPPCP_INLINE IppStatus cp_mlkemStorageRelease(_cpMLKEMStorage* storage, Ipp64s
  *
  * Note: the operation release the whole buffer, safe to be used for an empty storage.
  */
-__IPPCP_INLINE void cp_mlkemStorageReleaseAll(_cpMLKEMStorage* storage)
+__IPPCP_INLINE IppStatus cp_mlkemStorageReleaseAll(_cpMLKEMStorage* storage)
 {
     // Zeroize the buffer (minimum amount between bytesUsed and bytesCapacity)
     PurgeBlock(storage->pStorageData,
                IPP_MIN((int)storage->bytesUsed, (int)storage->bytesCapacity));
     storage->bytesUsed = 0;
+    ASM_VOLATILE("" ::: "memory")
+
+    return (*(storage->pStorageData + storage->bytesUsed) == 0) ? ippStsNoErr : ippStsMemAllocErr;
 }
 
 //-------------------------------//
 // Kernel functions declaration
 //-------------------------------//
 
+#define cp_mlkemBarrettReduce OWNAPI(cp_mlkemBarrettReduce)
+IPP_OWN_DECL(Ipp16s, cp_mlkemBarrettReduce, (Ipp32s x))
+
 #define cp_polyAdd OWNAPI(cp_polyAdd)
 IPP_OWN_DECL(void, cp_polyAdd, (const Ipp16sPoly* f, const Ipp16sPoly* g, Ipp16sPoly* h))
 #define cp_polySub OWNAPI(cp_polySub)
@@ -169,7 +210,9 @@ IPP_OWN_DECL(IppStatus, cp_Decompress, (Ipp16u * out, const Ipp16s in, const Ipp
 #define cp_byteEncode OWNAPI(cp_byteEncode)
 IPP_OWN_DECL(IppStatus, cp_byteEncode, (Ipp8u * B, const Ipp16u d, const Ipp16sPoly* pPolyF))
 #define cp_byteDecode OWNAPI(cp_byteDecode)
-IPP_OWN_DECL(IppStatus, cp_byteDecode, (Ipp16sPoly * pPolyF, const Ipp16u d, const Ipp8u* B))
+IPP_OWN_DECL(IppStatus,
+             cp_byteDecode,
+             (Ipp16sPoly * pPolyF, const Ipp16u d, const Ipp8u* B, const int bByteSize))
 
 #define cp_samplePolyCBD OWNAPI(cp_samplePolyCBD)
 IPP_OWN_DECL(IppStatus, cp_samplePolyCBD, (Ipp16sPoly * pPoly, const Ipp8u* pSeed, const Ipp8u eta))
@@ -180,7 +223,7 @@ IPP_OWN_DECL(IppStatus, cp_SampleNTT,
 
 #define cp_matrixAGen OWNAPI(cp_matrixAGen)
 IPP_OWN_DECL(IppStatus, cp_matrixAGen,
-            (Ipp16sPoly * matrixA, Ipp8u rho_j_i[34], IppsMLKEMState* mlkemCtx))
+            (Ipp16sPoly * matrixA, Ipp8u rho_j_i[34], matrixAGenType matrixType, IppsMLKEMState* mlkemCtx))
 /* clang-format on */
 
 #define cp_NTT OWNAPI(cp_NTT)

sources/ippcp/ml_kem/internal/internal_decaps.c

@@ -69,8 +69,7 @@ IPP_OWN_DEFN(IppStatus, cp_MLKEMdecaps_internal, (Ipp8u K[CP_SHARED_SECRET_BYTES
 
     /* 5: m` <- K-PKE.Decrypt(dkPKE, c) */
     Ipp8u message[32];
-    sts = cp_KPKE_Decrypt(message, pPKE_DecKey, ciphertext, mlkemCtx);
-    CP_CHECK_FREE_RET(sts != ippStsNoErr, sts, pStorage);
+    IppStatus decryptSts = cp_KPKE_Decrypt(message, pPKE_DecKey, ciphertext, mlkemCtx);
 
     /* 6: (K`, r`) <- G(m`||h) */
 
@@ -116,16 +115,12 @@ IPP_OWN_DEFN(IppStatus, cp_MLKEMdecaps_internal, (Ipp8u K[CP_SHARED_SECRET_BYTES
 
     /* 9-10: if c != c` then K` <- K`` */
     BNU_CHUNK_T is_equal = cpIsEquBlock_ct(ciphertext, ciphertext1, ciphertext_size);
-    if (is_equal) {
-        CopyBlock(K1, K, CP_SHARED_SECRET_BYTES);
-    } else {
-        CopyBlock(K2, K, CP_SHARED_SECRET_BYTES);
-    }
+    MASKED_COPY_BNU(K, is_equal, K1, K2, CP_SHARED_SECRET_BYTES);
 
     /* Release locally used storage */
     sts = cp_mlkemStorageRelease(pStorage, hash_size + CP_ML_KEM_ALIGNMENT); // hash_state
     sts |= cp_mlkemStorageRelease(pStorage,
                                   ciphertext_size + CP_ML_KEM_ALIGNMENT);    // ciphertext1
 
-    return sts;
+    return sts | decryptSts;
 }

sources/ippcp/ml_kem/internal/k_pke/k_pke_decrypt.c

@@ -44,19 +44,21 @@ IPP_OWN_DEFN(IppStatus, cp_KPKE_Decrypt, (Ipp8u * message,
     const Ipp8u d_v           = mlkemCtx->params.d_v;
     _cpMLKEMStorage* pStorage = &mlkemCtx->storage;
 
+    /* Allocate memory for temporary objects */
+    CP_ML_KEM_ALLOCATE_ALIGNED_POLYVEC(u, k, pStorage)
+    CP_ML_KEM_ALLOCATE_ALIGNED_POLY(v, pStorage)
+    CP_ML_KEM_ALLOCATE_ALIGNED_POLYVEC(s, k, pStorage)
+    CP_ML_KEM_ALLOCATE_ALIGNED_POLY(w, pStorage)
+
     /* 1: c1 <- c[0 : 32*d_{u}*k] */
     Ipp8u* c1 = (Ipp8u*)ciphertext;
     /* 2: c2 <- c[32*d_{u}*k : 32(d_{u}*k + d_{v})] */
     Ipp8u* c2 = c1 + (32 * d_u * k);
 
     /* 3: u` <- Decompress_{d_{u}}(cp_byteDecode_{d_{u}}(c1)) */
-    Ipp16sPoly* u =
-        (Ipp16sPoly*)cp_mlkemStorageAllocate(pStorage,
-                                             k * sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT);
-    CP_CHECK_FREE_RET(u == NULL, ippStsMemAllocErr, pStorage);
-    u = IPP_ALIGNED_PTR(u, CP_ML_KEM_ALIGNMENT);
     for (Ipp8u i = 0; i < k; i++) {
-        cp_byteDecode(&u[i], d_u, c1 + i * 32 * d_u);
+        sts = cp_byteDecode(&u[i], d_u, c1 + i * 32 * d_u, 32 * d_u * (k - i));
+        IPP_BADARG_RET((sts != ippStsNoErr), sts);
 
         for (Ipp32u j = 0; j < 256; j++) {
             sts = cp_Decompress((Ipp16u*)&u[i].values[j], u[i].values[j], d_u);
@@ -65,42 +67,29 @@ IPP_OWN_DEFN(IppStatus, cp_KPKE_Decrypt, (Ipp8u * message,
     }
 
     /* 4: v` <- Decompress_{d_{v}}(cp_byteDecode_{d_{v}}(c2)) */
-    Ipp16sPoly* v =
-        (Ipp16sPoly*)cp_mlkemStorageAllocate(pStorage, sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT);
-    CP_CHECK_FREE_RET(v == NULL, ippStsMemAllocErr, pStorage);
-    v = IPP_ALIGNED_PTR(v, CP_ML_KEM_ALIGNMENT);
-    cp_byteDecode(v, d_v, c2);
+    sts = cp_byteDecode(v, d_v, c2, 32 * d_v);
+    IPP_BADARG_RET((sts != ippStsNoErr), sts);
     for (Ipp32u j = 0; j < 256; j++) {
-
         sts = cp_Decompress((Ipp16u*)&v->values[j], v->values[j], d_v);
         IPP_BADARG_RET((sts != ippStsNoErr), sts);
     }
 
     /* 5: s` <- cp_byteDecode_{12}(dk_{pke}) */
-    Ipp16sPoly* s =
-        (Ipp16sPoly*)cp_mlkemStorageAllocate(pStorage,
-                                             k * sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT);
-    CP_CHECK_FREE_RET(s == NULL, ippStsMemAllocErr, pStorage);
-    s = IPP_ALIGNED_PTR(s, CP_ML_KEM_ALIGNMENT);
-
     for (Ipp8u i = 0; i < k; i++) {
-        cp_byteDecode(&s[i], 12, pPKE_DecKey + 384 * i);
+        sts = cp_byteDecode(&s[i], 12, pPKE_DecKey + 384 * i, 384 * (k - i));
+        IPP_BADARG_RET((sts != ippStsNoErr), sts);
     }
 
     /* 6: w <- v` - cp_NTT^{-1}(s`^{T} * cp_NTT(u`)) */
-    Ipp16sPoly* w =
-        (Ipp16sPoly*)cp_mlkemStorageAllocate(pStorage, sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT);
-    CP_CHECK_FREE_RET(w == NULL, ippStsMemAllocErr, pStorage);
-    w = IPP_ALIGNED_PTR(w, CP_ML_KEM_ALIGNMENT);
-
     cp_NTT(&u[0]);
     cp_multiplyNTT(&s[0], &u[0], w);
+    CP_ML_KEM_ALLOCATE_ALIGNED_POLY(tmpPoly, pStorage)
     for (Ipp8u i = 1; i < k; i++) {
         cp_NTT(&u[i]);
-        Ipp16sPoly tmpPoly;
-        cp_multiplyNTT(&s[i], &u[i], &tmpPoly);
-        cp_polyAdd(&tmpPoly, w, w);
+        cp_multiplyNTT(&s[i], &u[i], tmpPoly);
+        cp_polyAdd(tmpPoly, w, w);
     }
+    CP_ML_KEM_RELEASE_ALIGNED_POLY(pStorage, sts) // Ipp16sPoly tmpPoly
     cp_inverseNTT(w);
     cp_polySub(v, w, w);
 
@@ -113,16 +102,10 @@ IPP_OWN_DEFN(IppStatus, cp_KPKE_Decrypt, (Ipp8u * message,
     IPP_BADARG_RET((sts != ippStsNoErr), sts);
 
     /* Release locally used storage */
-    /* clang-format off */
-    sts  = cp_mlkemStorageRelease(pStorage, // Ipp16sPoly u[k]
-                                  k * sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT); 
-    sts |= cp_mlkemStorageRelease(pStorage, // Ipp16sPoly v
-                                  sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT);
-    sts |= cp_mlkemStorageRelease(pStorage, // Ipp16sPoly s[k]
-                                  k * sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT);
-    sts |= cp_mlkemStorageRelease(pStorage, // Ipp16sPoly w
-                                  sizeof(Ipp16sPoly) + CP_ML_KEM_ALIGNMENT);
-    /* clang-format on */
+    CP_ML_KEM_RELEASE_ALIGNED_POLYVEC(k, pStorage, sts) // Ipp16sPoly u[k]
+    CP_ML_KEM_RELEASE_ALIGNED_POLY(pStorage, sts)       // Ipp16sPoly v
+    CP_ML_KEM_RELEASE_ALIGNED_POLYVEC(k, pStorage, sts) // Ipp16sPoly s[k]
+    CP_ML_KEM_RELEASE_ALIGNED_POLY(pStorage, sts)       // Ipp16sPoly w
 
     return sts;
 }