Kyber: add debug printout support
This debug log is folded away in production builds

Signed-off-by: Stephan Mueller <[email protected]>
smuellerDD committed Sep 30, 2023
1 parent 9687d0f commit 499b629
Showing 10 changed files with 238 additions and 18 deletions.
11 changes: 6 additions & 5 deletions kem/src/armv8/kyber_kem_armv8.c
Expand Up @@ -17,6 +17,7 @@
* DAMAGE.
*/

#include "kyber_debug.h"
#include "kyber_indcpa_armv8.h"
#include "kyber_kem.h"
#include "kyber_kem_armv8.h"
Expand All @@ -31,7 +32,7 @@
LC_INTERFACE_FUNCTION(int, lc_kyber_keypair_armv8, struct lc_kyber_pk *pk,
struct lc_kyber_sk *sk, struct lc_rng_ctx *rng_ctx)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_keygen_selftest(&tester, "Kyber KEM keypair ARMv8",
lc_kyber_keypair_armv8);
Expand All @@ -42,7 +43,7 @@ LC_INTERFACE_FUNCTION(int, lc_kyber_enc_armv8, struct lc_kyber_ct *ct,
struct lc_kyber_ss *ss, const struct lc_kyber_pk *pk,
struct lc_rng_ctx *rng_ctx)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_enc_selftest(&tester, "Kyber KEM enc ARMv8",
lc_kyber_enc_armv8);
Expand All @@ -53,7 +54,7 @@ LC_INTERFACE_FUNCTION(int, lc_kyber_enc_kdf_armv8, struct lc_kyber_ct *ct,
uint8_t *ss, size_t ss_len, const struct lc_kyber_pk *pk,
struct lc_rng_ctx *rng_ctx)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_enc_kdf_selftest(&tester, "Kyber KEM enc KDF ARMv8",
lc_kyber_enc_kdf_armv8);
Expand All @@ -64,7 +65,7 @@ LC_INTERFACE_FUNCTION(int, lc_kyber_dec_armv8, struct lc_kyber_ss *ss,
const struct lc_kyber_ct *ct,
const struct lc_kyber_sk *sk)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_dec_selftest(&tester, "Kyber KEM dec ARMv8",
lc_kyber_dec_armv8);
Expand All @@ -75,7 +76,7 @@ LC_INTERFACE_FUNCTION(int, lc_kyber_dec_kdf_armv8, uint8_t *ss, size_t ss_len,
const struct lc_kyber_ct *ct,
const struct lc_kyber_sk *sk)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_dec_kdf_selftest(&tester, "Kyber KEM dec KDF ARMv8",
lc_kyber_dec_kdf_armv8);
11 changes: 6 additions & 5 deletions kem/src/avx2/kyber_kem_avx2.c
Expand Up @@ -17,6 +17,7 @@
* DAMAGE.
*/

#include "kyber_debug.h"
#include "kyber_indcpa_avx2.h"
#include "kyber_kem.h"
#include "kyber_kem_avx2.h"
Expand All @@ -31,7 +32,7 @@
LC_INTERFACE_FUNCTION(int, lc_kyber_keypair_avx, struct lc_kyber_pk *pk,
struct lc_kyber_sk *sk, struct lc_rng_ctx *rng_ctx)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_keygen_selftest(&tester, "Kyber KEM keypair AVX",
lc_kyber_keypair_avx);
Expand All @@ -42,7 +43,7 @@ LC_INTERFACE_FUNCTION(int, lc_kyber_enc_avx, struct lc_kyber_ct *ct,
struct lc_kyber_ss *ss, const struct lc_kyber_pk *pk,
struct lc_rng_ctx *rng_ctx)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_enc_selftest(&tester, "Kyber KEM enc AVX", lc_kyber_enc_avx);
return _lc_kyber_enc(ct, ss, pk, rng_ctx, indcpa_enc_avx);
Expand All @@ -52,7 +53,7 @@ LC_INTERFACE_FUNCTION(int, lc_kyber_enc_kdf_avx, struct lc_kyber_ct *ct,
uint8_t *ss, size_t ss_len, const struct lc_kyber_pk *pk,
struct lc_rng_ctx *rng_ctx)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_enc_kdf_selftest(&tester, "Kyber KEM enc KDF AVX",
lc_kyber_enc_kdf_avx);
Expand All @@ -63,7 +64,7 @@ LC_INTERFACE_FUNCTION(int, lc_kyber_dec_avx, struct lc_kyber_ss *ss,
const struct lc_kyber_ct *ct,
const struct lc_kyber_sk *sk)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_dec_selftest(&tester, "Kyber KEM dec AVX", lc_kyber_dec_avx);
return _lc_kyber_dec(ss, ct, sk, indcpa_dec_avx, indcpa_enc_avx);
Expand All @@ -73,7 +74,7 @@ LC_INTERFACE_FUNCTION(int, lc_kyber_dec_kdf_avx, uint8_t *ss, size_t ss_len,
const struct lc_kyber_ct *ct,
const struct lc_kyber_sk *sk)
{
static int tester = 0;
static int tester = LC_KYBER_TEST_INIT;

kyber_kem_dec_kdf_selftest(&tester, "Kyber KEM dec KDF AVX",
lc_kyber_dec_kdf_avx);
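--- a/kem/src/kyber_debug.c
+++ b/kem/src/kyber_debug.c
@@ -0,0 +1,52 @@
+/*
+* Copyright (C) 2023, Stephan Mueller <[email protected]>
+*
+* License: see LICENSE file in root directory
+*
+* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+* WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+* USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+* DAMAGE.
+*/
+
+#include "binhexbin.h"
+#include "kyber_debug.h"
+
+void kyber_print_buffer(const uint8_t *buffer, const size_t bufferlen,
+const char *explanation)
+{
+bin2print(buffer, bufferlen, stdout, explanation);
+}
+
+void kyber_print_polyvec(polyvec *polyvec_val, const char *explanation)
+{
+unsigned int i, j;
+
+printf("%s", explanation);
+for (i = 0; i < LC_KYBER_K; i++) {
+printf("\nK(%u) x N: ", i);
+for (j = 0; j < LC_KYBER_N; j++) {
+printf("%d ", polyvec_val->vec[i].coeffs[j]);
+}
+}
+printf("\n");
+}
+
+void kyber_print_poly(poly *vec, const char *explanation)
+{
+unsigned int i;
+
+printf("%s\n", explanation);
+for (i = 0; i < LC_KYBER_N; i++) {
+printf("%d ", vec->coeffs[i]);
+}
+printf("\n");
+}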
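Review bot: The three printers are defined here unconditionally, while kyber_debug.h supplies `static inline` definitions of the same names whenever LC_KYBER_DEBUG is not set, so compiling this file without the macro would fail on conflicting definitions. The build rules are not visible on this page; if they do not already restrict this file to debug builds, wrapping the definitions in `#ifdef LC_KYBER_DEBUG` and `#endif` keeps the file harmless in every configuration. Because the output goes to stdout and the callers in kyber_indcpa.c pass key-dependent values, a short file comment such as `/* Debug-only: prints secret intermediates to stdout, never link into release builds */` would make that constraint explicit.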
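--- a/kem/src/kyber_debug.h
+++ b/kem/src/kyber_debug.h
@@ -0,0 +1,74 @@
+/*
+* Copyright (C) 2023, Stephan Mueller <[email protected]>
+*
+* License: see LICENSE file in root directory
+*
+* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+* WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+* USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+* DAMAGE.
+*/
+
+#ifndef KYBER_DEBUG_H
+#define KYBER_DEBUG_H
+
+#include "kyber_poly.h"
+#include "kyber_polyvec.h"
+#include "lc_kyber.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef LC_KYBER_DEBUG
+
+/* Disable selftests */
+#define LC_KYBER_TEST_INIT 1
+
+void kyber_print_buffer(const uint8_t *buffer, const size_t bufferlen,
+const char *explanation);
+void kyber_print_polyvec(polyvec *polyvec_val, const char *explanation);
+void kyber_print_poly(poly *vec, const char *explanation);
+
+#else /* LC_KYBER_DEBUG */
+
+/* Enable selftests */
+#define LC_KYBER_TEST_INIT 0
+
+static inline void kyber_print_buffer(const uint8_t *buffer,
+const size_t bufferlen,
+const char *explanation)
+{
+(void)buffer;
+(void)bufferlen;
+(void)explanation;
+}
+
+static inline void kyber_print_polyvec(polyvec *polyvec_val,
+const char *explanation)
+{
+(void)polyvec_val;
+(void)explanation;
+}
+
+static inline void kyber_print_poly(poly *vec, const char *explanation)
+{
+(void)vec;
+(void)explanation;
+}
+
+#endif /* LC_KYBER_DEBUG */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* KYBER_DEBUG_H */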
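Review bot: Nothing in the `#ifdef LC_KYBER_DEBUG` branch marks the resulting build as unfit for release, although the macro both enables printers that kyber_indcpa.c calls with the noise seed, the unpacked secret key and the decrypted message, and sets `LC_KYBER_TEST_INIT` to 1, which the header's own comment describes as disabling the self-tests. A diagnostic in that branch, for example `#warning "LC_KYBER_DEBUG: secret intermediates are printed and self-tests are disabled"`, would make an accidental debug build visible in the compiler output (`#warning` is an extension before C23 but accepted by GCC and Clang). As a matter of style, the prototypes and stubs could take `const polyvec *` and `const poly *`, since the implementations in kyber_debug.c only read through those pointers.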
48 changes: 48 additions & 0 deletions kem/src/kyber_indcpa.c
Expand Up @@ -25,6 +25,7 @@
*/

#include "build_bug_on.h"
#include "kyber_debug.h"
#include "kyber_indcpa.h"
#include "kyber_poly.h"
#include "kyber_polyvec.h"
Expand Down Expand Up @@ -242,18 +243,28 @@ int indcpa_keypair(uint8_t pk[LC_KYBER_INDCPA_PUBLICKEYBYTES],
noiseseed = ws->buf + LC_KYBER_SYMBYTES;

CKINT(lc_rng_generate(rng_ctx, NULL, 0, buf, LC_KYBER_SYMBYTES));

lc_hash(lc_sha3_512, buf, LC_KYBER_SYMBYTES, buf);
kyber_print_buffer(buf, LC_KYBER_SYMBYTES, "Keygen: RHO");
kyber_print_buffer(buf + LC_KYBER_SYMBYTES, LC_KYBER_SYMBYTES,
"Keygen: Sigma");

gen_a(ws->a, publicseed);
kyber_print_polyvec(ws->a, "Keygen: Generated matrix A");

for (i = 0; i < LC_KYBER_K; i++) {
poly_getnoise_eta1(&ws->skpv.vec[i], noiseseed, nonce++,
ws->poly_getnoise_eta1_buf);
poly_getnoise_eta1(&ws->e.vec[i], noiseseed, nonce2++,
ws->poly_getnoise_eta1_buf);
}
kyber_print_polyvec(ws->a, "Keygen: Generated matrix s");
kyber_print_polyvec(ws->a, "Keygen: Generated matrix e");

polyvec_ntt(&ws->skpv);
polyvec_ntt(&ws->e);
kyber_print_polyvec(ws->a, "Keygen: Matrix s after NTT");
kyber_print_polyvec(ws->a, "Keygen: Matrix e after NTT");

// matrix-vector multiplication
for (i = 0; i < LC_KYBER_K; i++) {
Expand All @@ -264,6 +275,7 @@ int indcpa_keypair(uint8_t pk[LC_KYBER_INDCPA_PUBLICKEYBYTES],

polyvec_add(&ws->pkpv, &ws->pkpv, &ws->e);
polyvec_reduce(&ws->pkpv);
kyber_print_polyvec(&ws->pkpv, "Keygen: Matrix t");

pack_sk(sk, &ws->skpv);
pack_pk(pk, &ws->pkpv, publicseed);
Expand Down Expand Up @@ -298,14 +310,18 @@ int indcpa_enc(uint8_t c[LC_KYBER_INDCPA_BYTES],
*/
BUILD_BUG_ON(POLY_GETNOISE_ETA1_BUFSIZE < LC_KYBER_SYMBYTES);
unpack_pk(&ws->pkpv, ws->poly_getnoise_eta1_buf /* ws->seed */, pk);
kyber_print_polyvec(&ws->pkpv,
"K-PKE Encrypt: Matrix t after ByteDecode");

/* Validate input */
CKINT(kyber_kem_iv_pk_modulus(pk, &ws->pkpv,
ws->poly_getnoise_eta1_buf /* ws->seed */,
pack_pk));

poly_frommsg(&ws->k, m);
kyber_print_poly(&ws->k, "K-PKE Encrypt: Vector mu");
gen_at(ws->at, ws->poly_getnoise_eta1_buf /* ws->seed */);
kyber_print_polyvec(ws->at, "K-PKE Encrypt: Generated matrix A");

/*
* Use the poly_getnoise_eta1_buf for this operation as
Expand All @@ -319,27 +335,46 @@ int indcpa_enc(uint8_t c[LC_KYBER_INDCPA_BYTES],
poly_getnoise_eta2(ws->ep.vec + i, coins, nonce2++,
ws->poly_getnoise_eta1_buf);
}
kyber_print_polyvec(&ws->sp, "K-PKE Encrypt: Matrix r");
kyber_print_polyvec(&ws->ep, "K-PKE Encrypt: Matrix e");

poly_getnoise_eta2(&ws->epp, coins, nonce2, ws->poly_getnoise_eta1_buf);
kyber_print_polyvec(&ws->ep, "K-PKE Encrypt: Vector e2");

polyvec_ntt(&ws->sp);
kyber_print_polyvec(&ws->sp, "K-PKE Encrypt: Matrix r after NTT");

// matrix-vector multiplication
for (i = 0; i < LC_KYBER_K; i++)
polyvec_basemul_acc_montgomery(&ws->b.vec[i], &ws->at[i],
&ws->sp);
kyber_print_polyvec(&ws->b, "K-PKE Encrypt: u = A * r");

polyvec_basemul_acc_montgomery(&ws->v, &ws->pkpv, &ws->sp);
kyber_print_poly(&ws->v, "K-PKE Encrypt: v = t * r");

polyvec_invntt_tomont(&ws->b);
kyber_print_polyvec(&ws->b, "K-PKE Encrypt: u = NTT=1(A * r)");
poly_invntt_tomont(&ws->v);
kyber_print_poly(&ws->v, "K-PKE Encrypt: v = NTT-1(t * r)");

polyvec_add(&ws->b, &ws->b, &ws->ep);
kyber_print_polyvec(&ws->b, "K-PKE Encrypt: u = NTT=1(A * r) + e1");
poly_add(&ws->v, &ws->v, &ws->epp);
kyber_print_poly(&ws->v, "K-PKE Encrypt: v = NTT-1(t * r) + e2");
poly_add(&ws->v, &ws->v, &ws->k);
kyber_print_poly(&ws->v, "K-PKE Encrypt: v = NTT-1(t * r) + e2 + mu");
polyvec_reduce(&ws->b);
kyber_print_polyvec(&ws->b, "K-PKE Encrypt: u after reduction");
poly_reduce(&ws->v);
kyber_print_poly(&ws->v, "K-PKE Encrypt: v after reduction");

pack_ciphertext(c, &ws->b, &ws->v);
kyber_print_buffer(c, LC_KYBER_POLYVECCOMPRESSEDBYTES,
"K-PKE Encrypt: c1 = ByteEncode(Compress(u))");
kyber_print_buffer(c + LC_KYBER_POLYVECCOMPRESSEDBYTES,
LC_KYBER_POLYCOMPRESSEDBYTES,
"K-PKE Encrypt: c2 = ByteEncode(Compress(v))");

out:
LC_RELEASE_MEM(ws);
Expand All @@ -358,19 +393,32 @@ int indcpa_dec(uint8_t m[LC_KYBER_INDCPA_MSGBYTES],
LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));

unpack_ciphertext(&ws->b, &ws->v, c);
kyber_print_polyvec(&ws->b,
"K-PKE Decrypt: u = Decompress(Bytedecode(c1))");
kyber_print_poly(&ws->v,
"K-PKE Decrypt: v = Decompress(Bytedecode(c2))");
unpack_sk(&ws->skpv, sk);
kyber_print_polyvec(&ws->skpv,
"K-PKE Decrypt: s = Decompress(Bytedecode(dk))");

/* Validate input */
CKINT(kyber_kem_iv_sk_modulus(sk, &ws->skpv, pack_sk));

polyvec_ntt(&ws->b);
kyber_print_polyvec(&ws->b,
"K-PKE Decrypt: NTT(u)");
polyvec_basemul_acc_montgomery(&ws->mp, &ws->skpv, &ws->b);
kyber_print_poly(&ws->mp, "K-PKE Decrypt: s * NTT(u)");
poly_invntt_tomont(&ws->mp);
kyber_print_poly(&ws->mp, "K-PKE Decrypt: NTT-1(s * NTT(u))");

poly_sub(&ws->mp, &ws->v, &ws->mp);
kyber_print_poly(&ws->mp, "K-PKE Decrypt: w = v - NTT-1(s * NTT(u))");
poly_reduce(&ws->mp);

poly_tomsg(m, &ws->mp);
kyber_print_buffer(m, LC_KYBER_INDCPA_MSGBYTES,
"K-PKE Encrypt: m = ByteEncode(Compress(w))");

out:
LC_RELEASE_MEM(ws);
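Review bot: In indcpa_keypair the four new printouts labelled s and e (before and after the NTT) all pass `ws->a`, so the debug log shows data from matrix A under those labels instead of `ws->skpv` and `ws->e`. In indcpa_enc the "Vector e2" line prints `ws->ep` again rather than the poly `ws->epp`, two labels read `NTT=1` where `NTT-1` is meant, and the final printout in indcpa_dec is labelled "K-PKE Encrypt". A trace with mislabelled values misleads anyone comparing it against reference intermediate values, so the calls should be corrected as below. Separately, `kyber_print_polyvec(ws->a, ...)` and `kyber_print_polyvec(ws->at, ...)` appear to print only the first of the K row vectors, because the printer takes a single polyvec; confirm whether the whole matrix was intended. All three function bodies start and end outside the visible hunks.

```c
	/* indcpa_keypair: after the poly_getnoise_eta1 loop */
	kyber_print_polyvec(&ws->skpv, "Keygen: Generated matrix s");
	kyber_print_polyvec(&ws->e, "Keygen: Generated matrix e");
	/* ... unchanged: polyvec_ntt of skpv and e ... */
	kyber_print_polyvec(&ws->skpv, "Keygen: Matrix s after NTT");
	kyber_print_polyvec(&ws->e, "Keygen: Matrix e after NTT");

	/* indcpa_enc: after poly_getnoise_eta2(&ws->epp, ...) */
	kyber_print_poly(&ws->epp, "K-PKE Encrypt: Vector e2");
	/* ... unchanged: NTT of r and matrix-vector multiplication ... */
	kyber_print_polyvec(&ws->b, "K-PKE Encrypt: u = NTT-1(A * r)");
	/* ... unchanged: poly_invntt_tomont(&ws->v), its printout, polyvec_add ... */
	kyber_print_polyvec(&ws->b, "K-PKE Encrypt: u = NTT-1(A * r) + e1");

	/* indcpa_dec: after poly_tomsg(m, &ws->mp) */
	kyber_print_buffer(m, LC_KYBER_INDCPA_MSGBYTES,
			   "K-PKE Decrypt: m = ByteEncode(Compress(w))");
```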