Kyber ARMv8: change keygen to be FIPS 203 compliant

smuellerDD · smuellerDD · commit 91f3435fb40c · 2024-08-15T16:56:08.000+02:00
Signed-off-by: Stephan Mueller &lt;smueller@chronox.de&gt;
diff --git a/kem/src/armv8/kyber_indcpa_armv8.c b/kem/src/armv8/kyber_indcpa_armv8.c
@@ -230,11 +230,13 @@ int indcpa_keypair_armv8(uint8_t pk[LC_KYBER_INDCPA_PUBLICKEYBYTES],
 		uint8_t poly_getnoise_eta1_buf[POLY_GETNOISE_ETA1_BUFSIZE];
 		polyvec a[LC_KYBER_K], e, pkpv, skpv;
 	};
+	static const uint8_t kval = LC_KYBER_K;
 	unsigned int i;
 	uint8_t *buf;
 	const uint8_t *publicseed, *noiseseed;
 	uint8_t nonce = 0, nonce2 = LC_KYBER_K;
 	int ret;
+	LC_HASH_CTX_ON_STACK(sha3_512_ctx, lc_sha3_512);
 	LC_DECLARE_MEM(ws, struct workspace, 32);
 
 	buf = ws->buf;
@@ -245,7 +247,12 @@ int indcpa_keypair_armv8(uint8_t pk[LC_KYBER_INDCPA_PUBLICKEYBYTES],
 	poison(noiseseed, LC_KYBER_SYMBYTES);
 
 	CKINT(lc_rng_generate(rng_ctx, NULL, 0, buf, LC_KYBER_SYMBYTES));
-	lc_hash(lc_sha3_512, buf, LC_KYBER_SYMBYTES, buf);
+	lc_hash_init(sha3_512_ctx);
+	lc_hash_update(sha3_512_ctx, buf, LC_KYBER_SYMBYTES);
+	lc_hash_update(sha3_512_ctx, &kval, sizeof(kval));
+	lc_hash_final(sha3_512_ctx, buf);
+	lc_hash_zero(sha3_512_ctx);
+
 	gen_a(ws->a, publicseed);
 
 	for (i = 0; i < LC_KYBER_K; i++) {
