SLH-DSA: reduce number of SHAKE initializations

Signed-off-by: Stephan Mueller <smueller@chronox.de>

Author: smuellerDD

slh-dsa/src/armv8/sphincs_fors_armv8.c

@@ -38,7 +38,10 @@
 static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx,
 			uint32_t fors_leaf_addr[8])
 {
-	prf_addr(sk, ctx, fors_leaf_addr);
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
+
+	prf_addr(hash_ctx, sk, ctx, fors_leaf_addr);
+	lc_hash_zero(hash_ctx);
 }
 
 static void fors_gen_skx2(unsigned char *sk0, unsigned char *sk1,
@@ -50,7 +53,10 @@ static void fors_gen_skx2(unsigned char *sk0, unsigned char *sk1,
 static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
 			    const spx_ctx *ctx, uint32_t fors_leaf_addr[8])
 {
-	thash(leaf, sk, 1, ctx->pub_seed, fors_leaf_addr);
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
+
+	thash(hash_ctx, leaf, sk, 1, ctx->pub_seed, fors_leaf_addr);
+	lc_hash_zero(hash_ctx);
 }
 
 static void fors_sk_to_leafx2(unsigned char *leaf0, unsigned char *leaf1,
@@ -134,6 +140,7 @@ int fors_sign_armv8(uint8_t sig[LC_SPX_FORS_BYTES], uint8_t pk[LC_SPX_N],
 	uint32_t *fors_leaf_addr;
 	uint32_t idx_offset;
 	unsigned int i;
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
 	fors_leaf_addr = ws->fors_info.leaf_addrx;
@@ -169,9 +176,10 @@ int fors_sign_armv8(uint8_t sig[LC_SPX_FORS_BYTES], uint8_t pk[LC_SPX_N],
 	}
 
 	/* Hash horizontally across all tree roots to derive the public key. */
-	thash(pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
+	thash(hash_ctx, pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
 	      ws->fors_pk_addr);
 
+	lc_hash_zero(hash_ctx);
 	LC_RELEASE_MEM(ws);
 	return 0;
 }
@@ -197,6 +205,7 @@ int fors_pk_from_sig_armv8(uint8_t pk[LC_SPX_N],
 	};
 	uint32_t idx_offset;
 	unsigned int i;
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
 	copy_keypair_addr(ws->fors_tree_addr, fors_addr);
@@ -225,9 +234,10 @@ int fors_pk_from_sig_armv8(uint8_t pk[LC_SPX_N],
 	}
 
 	/* Hash horizontally across all tree roots to derive the public key. */
-	thash(pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
+	thash(hash_ctx, pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
 	      ws->fors_pk_addr);
 
+	lc_hash_zero(hash_ctx);
 	LC_RELEASE_MEM(ws);
 	return 0;
 }

slh-dsa/src/avx2/sphincs_fors_avx2.c

@@ -37,7 +37,10 @@
 static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx,
 			uint32_t fors_leaf_addr[8])
 {
-	prf_addr(sk, ctx, fors_leaf_addr);
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
+
+	prf_addr(hash_ctx, sk, ctx, fors_leaf_addr);
+	lc_hash_zero(hash_ctx);
 }
 
 static void fors_gen_skx4(unsigned char *sk0, unsigned char *sk1,
@@ -50,7 +53,10 @@ static void fors_gen_skx4(unsigned char *sk0, unsigned char *sk1,
 static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
 			    const spx_ctx *ctx, uint32_t fors_leaf_addr[8])
 {
-	thash(leaf, sk, 1, ctx->pub_seed, fors_leaf_addr);
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
+
+	thash(hash_ctx, leaf, sk, 1, ctx->pub_seed, fors_leaf_addr);
+	lc_hash_zero(hash_ctx);
 }
 
 static void fors_sk_to_leafx4(unsigned char *leaf0, unsigned char *leaf1,
@@ -139,6 +145,7 @@ int fors_sign_avx2(uint8_t sig[LC_SPX_FORS_BYTES], uint8_t pk[LC_SPX_N],
 		uint8_t roots[LC_SPX_FORS_TREES * LC_SPX_N];
 		uint8_t stackx4[LC_SPX_FORS_HEIGHT * 4 * LC_SPX_N];
 	};
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
 	uint32_t *fors_leaf_addr;
 	uint32_t idx_offset;
 	unsigned int i;
@@ -178,10 +185,11 @@ int fors_sign_avx2(uint8_t sig[LC_SPX_FORS_BYTES], uint8_t pk[LC_SPX_N],
 	}
 
 	/* Hash horizontally across all tree roots to derive the public key. */
-	thash(pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
+	thash(hash_ctx, pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
 	      ws->fors_pk_addr);
 
 	LC_RELEASE_MEM(ws);
+	lc_hash_zero(hash_ctx);
 	return 0;
 }
 
@@ -204,6 +212,7 @@ int fors_pk_from_sig_avx2(uint8_t pk[LC_SPX_N],
 		uint8_t roots[LC_SPX_FORS_TREES * LC_SPX_N];
 		uint8_t leaf[LC_SPX_N];
 	};
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
 	uint32_t idx_offset;
 	unsigned int i;
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
@@ -234,9 +243,10 @@ int fors_pk_from_sig_avx2(uint8_t pk[LC_SPX_N],
 	}
 
 	/* Hash horizontally across all tree roots to derive the public key. */
-	thash(pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
+	thash(hash_ctx, pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
 	      ws->fors_pk_addr);
 
 	LC_RELEASE_MEM(ws);
+	lc_hash_zero(hash_ctx);
 	return 0;
 }

slh-dsa/src/sphincs_fors.c

@@ -35,13 +35,19 @@
 static void fors_gen_sk(uint8_t *sk, const spx_ctx *ctx,
 			uint32_t fors_leaf_addr[8])
 {
-	prf_addr(sk, ctx, fors_leaf_addr);
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
+
+	prf_addr(hash_ctx, sk, ctx, fors_leaf_addr);
+	lc_hash_zero(hash_ctx);
 }
 
 static void fors_sk_to_leaf(uint8_t *leaf, const uint8_t *sk,
 			    const spx_ctx *ctx, uint32_t fors_leaf_addr[8])
 {
-	thash(leaf, sk, 1, ctx->pub_seed, fors_leaf_addr);
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
+
+	thash(hash_ctx, leaf, sk, 1, ctx->pub_seed, fors_leaf_addr);
+	lc_hash_zero(hash_ctx);
 }
 
 struct fors_gen_leaf_info {
@@ -103,6 +109,7 @@ int fors_sign_c(uint8_t sig[LC_SPX_FORS_BYTES], uint8_t pk[LC_SPX_N],
 	uint32_t *fors_leaf_addr;
 	uint32_t idx_offset;
 	unsigned int i;
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
 	fors_leaf_addr = ws->fors_info.leaf_addrx;
@@ -143,9 +150,10 @@ int fors_sign_c(uint8_t sig[LC_SPX_FORS_BYTES], uint8_t pk[LC_SPX_N],
 	}
 
 	/* Hash horizontally across all tree roots to derive the public key. */
-	thash(pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
+	thash(hash_ctx, pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
 	      ws->fors_pk_addr);
 
+	lc_hash_zero(hash_ctx);
 	LC_RELEASE_MEM(ws);
 	return 0;
 }
@@ -171,6 +179,7 @@ int fors_pk_from_sig_c(uint8_t pk[LC_SPX_N],
 	};
 	uint32_t idx_offset;
 	unsigned int i;
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
 	copy_keypair_addr(ws->fors_tree_addr, fors_addr);
@@ -199,9 +208,10 @@ int fors_pk_from_sig_c(uint8_t pk[LC_SPX_N],
 	}
 
 	/* Hash horizontally across all tree roots to derive the public key. */
-	thash(pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
+	thash(hash_ctx, pk, ws->roots, LC_SPX_FORS_TREES, ctx->pub_seed,
 	      ws->fors_pk_addr);
 
+	lc_hash_zero(hash_ctx);
 	LC_RELEASE_MEM(ws);
 	return 0;
 }

slh-dsa/src/sphincs_hash.h

@@ -37,28 +37,23 @@ extern "C" {
 /*
  * Computes PRF(pk_seed, sk_seed, addr)
  */
-static inline void prf_addr(uint8_t out[LC_SPX_N], const spx_ctx *ctx,
-			    const uint32_t addr[8])
+static inline void prf_addr(struct lc_hash_ctx *hash_ctx, uint8_t out[LC_SPX_N],
+			    const spx_ctx *ctx, const uint32_t addr[8])
 {
-	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
-
 	lc_hash_init(hash_ctx);
 	lc_hash_update(hash_ctx, ctx->pub_seed, LC_SPX_N);
 	lc_hash_update(hash_ctx, (uint8_t *)addr, LC_SPX_ADDR_BYTES);
 	lc_hash_update(hash_ctx, ctx->sk_seed, LC_SPX_N);
 	lc_hash_set_digestsize(hash_ctx, LC_SPX_N);
 	lc_hash_final(hash_ctx, out);
-
-	lc_hash_zero(hash_ctx);
 }
 
-static inline void prf_addr_ascon(uint8_t out[LC_SPX_N], const spx_ctx *ctx,
+static inline void prf_addr_ascon(struct lc_hash_ctx *hash_ctx,
+				  uint8_t out[LC_SPX_N], const spx_ctx *ctx,
 				  const uint32_t addr[8],
 				  unsigned int addr_static,
 				  uint8_t *ascon_state, int first)
 {
-	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
-
 	lc_hash_init(hash_ctx);
 	if (first) {
 		lc_hash_update(hash_ctx, ctx->pub_seed, LC_SPX_N);
@@ -74,8 +69,6 @@ static inline void prf_addr_ascon(uint8_t out[LC_SPX_N], const spx_ctx *ctx,
 	lc_hash_update(hash_ctx, ctx->sk_seed, LC_SPX_N);
 	lc_hash_set_digestsize(hash_ctx, LC_SPX_N);
 	lc_hash_final(hash_ctx, out);
-
-	lc_hash_zero(hash_ctx);
 }
 
 int gen_message_random(uint8_t R[LC_SPX_N], const uint8_t sk_prf[LC_SPX_N],

slh-dsa/src/sphincs_sign.c

@@ -448,6 +448,7 @@ LC_INTERFACE_FUNCTION(int, lc_sphincs_verify_ctx,
 		uint8_t wots_pk[LC_SPX_WOTS_BYTES];
 		uint8_t mhash[LC_SPX_FORS_MSG_BYTES];
 	};
+	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
 	unsigned int i;
 	const struct lc_sphincs_func_ctx *f_ctx = lc_sphincs_get_ctx();
 	spx_ctx ctx_int;
@@ -501,7 +502,7 @@ LC_INTERFACE_FUNCTION(int, lc_sphincs_verify_ctx,
 		wots_sig += LC_SPX_WOTS_BYTES;
 
 		/* Compute the leaf node using the WOTS public key. */
-		thash(ws->leaf, ws->wots_pk, LC_SPX_WOTS_LEN, pk->pk,
+		thash(hash_ctx, ws->leaf, ws->wots_pk, LC_SPX_WOTS_LEN, pk->pk,
 		      ws->wots_pk_addr);
 
 		/* Compute the root node of this subtree. */
@@ -520,6 +521,7 @@ LC_INTERFACE_FUNCTION(int, lc_sphincs_verify_ctx,
 
 out:
 	LC_RELEASE_MEM(ws);
+	lc_hash_zero(hash_ctx);
 	return ret;
 }
 

slh-dsa/src/sphincs_thash.h

@@ -33,12 +33,13 @@
 extern "C" {
 #endif
 
-void thash(uint8_t out[LC_SPX_N], const uint8_t *in, unsigned int inblocks,
+void thash(struct lc_hash_ctx *hash_ctx, uint8_t out[LC_SPX_N],
+	   const uint8_t *in, unsigned int inblocks,
 	   const uint8_t pub_seed[LC_SPX_N], uint32_t addr[8]);
-void thash_ascon(uint8_t out[LC_SPX_N], const uint8_t *in,
-		 unsigned int inblocks, const uint8_t pub_seed[LC_SPX_N],
-		 uint32_t addr[8], unsigned int addr_static,
-		 uint8_t *ascon_state, int first);
+void thash_ascon(struct lc_hash_ctx *hash_ctx, uint8_t out[LC_SPX_N],
+		 const uint8_t *in, unsigned int inblocks,
+		 const uint8_t pub_seed[LC_SPX_N], uint32_t addr[8],
+		 unsigned int addr_static, uint8_t *ascon_state, int first);
 
 #ifdef __cplusplus
 }

slh-dsa/src/sphincs_thash_shake_simple.c

@@ -31,52 +31,53 @@
 /**
  * Takes an array of inblocks concatenated arrays of LC_SPX_N bytes.
  */
-void thash(uint8_t out[LC_SPX_N], const uint8_t *in, unsigned int inblocks,
+void thash(struct lc_hash_ctx *hash_ctx, uint8_t out[LC_SPX_N],
+	   const uint8_t *in, unsigned int inblocks,
 	   const uint8_t pub_seed[LC_SPX_N], uint32_t addr[8])
 {
-	LC_HASH_CTX_ON_STACK(buf_ctx, LC_SPHINCS_HASH_TYPE);
+//	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
 
-	lc_hash_init(buf_ctx);
-	lc_hash_update(buf_ctx, pub_seed, LC_SPX_N);
-	lc_hash_update(buf_ctx, (uint8_t *)addr, LC_SPX_ADDR_BYTES);
-	lc_hash_update(buf_ctx, in, LC_SPX_N * inblocks);
+	lc_hash_init(hash_ctx);
+	lc_hash_update(hash_ctx, pub_seed, LC_SPX_N);
+	lc_hash_update(hash_ctx, (uint8_t *)addr, LC_SPX_ADDR_BYTES);
+	lc_hash_update(hash_ctx, in, LC_SPX_N * inblocks);
 
 	/* Squeeze out the final data point */
-	lc_hash_set_digestsize(buf_ctx, LC_SPX_N);
-	lc_hash_final(buf_ctx, out);
+	lc_hash_set_digestsize(hash_ctx, LC_SPX_N);
+	lc_hash_final(hash_ctx, out);
 
-	lc_hash_zero(buf_ctx);
+//	lc_hash_zero(hash_ctx);
 }
 
 /*
  * Identical operation to thash, but with a shortcut for Ascon: since Ascon's
  * rate is only 8 bytes, cache the Ascon state for the static part of the
  * operation to avoid reruning Ascon permutations on already known data.
  */
-void thash_ascon(uint8_t out[LC_SPX_N], const uint8_t *in,
-		 unsigned int inblocks, const uint8_t pub_seed[LC_SPX_N],
-		 uint32_t addr[8], unsigned int addr_static,
-		 uint8_t *ascon_state, int first)
+void thash_ascon(struct lc_hash_ctx *hash_ctx, uint8_t out[LC_SPX_N],
+		 const uint8_t *in, unsigned int inblocks,
+		 const uint8_t pub_seed[LC_SPX_N], uint32_t addr[8],
+		 unsigned int addr_static, uint8_t *ascon_state, int first)
 {
-	LC_HASH_CTX_ON_STACK(buf_ctx, LC_SPHINCS_HASH_TYPE);
+//	LC_HASH_CTX_ON_STACK(hash_ctx, LC_SPHINCS_HASH_TYPE);
 
-	lc_hash_init(buf_ctx);
+	lc_hash_init(hash_ctx);
 	if (first) {
-		lc_hash_update(buf_ctx, pub_seed, LC_SPX_N);
-		lc_hash_update(buf_ctx, (uint8_t *)addr, addr_static);
-		memcpy(ascon_state, buf_ctx->hash_state,
+		lc_hash_update(hash_ctx, pub_seed, LC_SPX_N);
+		lc_hash_update(hash_ctx, (uint8_t *)addr, addr_static);
+		memcpy(ascon_state, hash_ctx->hash_state,
 		       LC_ASCON_HASH_STATE_SIZE);
 	} else {
-		memcpy(buf_ctx->hash_state, ascon_state,
+		memcpy(hash_ctx->hash_state, ascon_state,
 		       LC_ASCON_HASH_STATE_SIZE);
 	}
-	lc_hash_update(buf_ctx, (uint8_t *)addr + addr_static,
+	lc_hash_update(hash_ctx, (uint8_t *)addr + addr_static,
 		       LC_SPX_ADDR_BYTES - addr_static);
-	lc_hash_update(buf_ctx, in, LC_SPX_N * inblocks);
+	lc_hash_update(hash_ctx, in, LC_SPX_N * inblocks);
 
 	/* Squeeze out the final data point */
-	lc_hash_set_digestsize(buf_ctx, LC_SPX_N);
-	lc_hash_final(buf_ctx, out);
+	lc_hash_set_digestsize(hash_ctx, LC_SPX_N);
+	lc_hash_final(hash_ctx, out);
 
-	lc_hash_zero(buf_ctx);
+//	lc_hash_zero(hash_ctx);
 }