RISCV64: Add RVV ML-DSA support

Signed-off-by: Stephan Mueller <smueller@chronox.de>

Author: smuellerDD

CHANGES.md

@@ -21,6 +21,10 @@ Changes 1.2.0
 
 * leancrypto passes X.509 IETF-Hackathon tests: https://ietf-hackathon.github.io/pqc-certificates/pqc_hackathon_results_certs_r4_automated_tests.html
 
+* Add compilation support for (U)EFI environment
+
+* RISCV64 RVV: ML-DSA - add assembler implementation using RVV support
+
 Changes 1.1.0
 * ML-KEM remove modulus check of decapsulation key (not required by FIPS 203)
 

LICENSE

@@ -369,6 +369,10 @@ ml-dsa/src/riscv64/dilithium_ntt_rv64im.h
 ml-dsa/src/riscv64/ntt_8l_dualissue_plant_rv64im.S
 ml-dsa/src/riscv64/dilithium_poly_riscv64.h
 ml-dsa/src/riscv64/dilithium_polyvec_riscv64.h
+ml-dsa/src/riscv64/dilithium_consts_rvv.c
+ml-dsa/src/riscv64/dilithium_consts_rvv.h
+ml-dsa/src/riscv64/dilithium_ntt_rvv.h
+ml-dsa/src/riscv64/ntt_rvv.S
 
 The MIT license, the text of which is below, applies to PQRV in general.
 

meson.build

@@ -503,6 +503,18 @@ if (not get_option('disable-asm'))
 			'-mcmodel=medany'
 		]
 
+		cc_riscv64_asm_rvv_args = [
+			'-march=rv64imadcv',
+			'-mabi=lp64d',
+			'-mcmodel=medany'
+		]
+
+		cc_riscv64_asm_rvv_zbb_args = [
+			'-march=rv64imadcv_zba_zbb',
+			'-mabi=lp64d',
+			'-mcmodel=medany'
+		]
+
 	# elif (host_machine.cpu_family() == 'riscv' and
 	#       cc.get_id() == 'gcc')
 	#

ml-dsa/api/dilithium_type.h

@@ -263,7 +263,7 @@ extern "C" {
 #define lc_dilithium_verify_update_armv7 DILITHIUM_F(verify_update_armv7)
 #define lc_dilithium_verify_final_armv7 DILITHIUM_F(verify_final_armv7)
 
-/* RISCV 64 Implementation */
+/* RISCV 64 ASM Implementation */
 #define lc_dilithium_keypair_riscv64 DILITHIUM_F(keypair_riscv64)
 #define lc_dilithium_keypair_from_seed_riscv64                                 \
 	DILITHIUM_F(keypair_from_seed_riscv64)
@@ -288,6 +288,28 @@ extern "C" {
 #define dilithium_poly_basemul_8l_rv64im DILITHIUM_F(poly_basemul_8l_rv64im)
 #define dilithium_poly_reduce_rv64im DILITHIUM_F(poly_reduce_rv64im)
 
+/* RISCV 64 RVV Implementation */
+#define lc_dilithium_keypair_riscv64_rvv DILITHIUM_F(keypair_riscv64_rvv)
+#define lc_dilithium_keypair_from_seed_riscv64_rvv                                 \
+	DILITHIUM_F(keypair_from_seed_riscv64_rvv)
+#define lc_dilithium_sign_riscv64_rvv DILITHIUM_F(sign_riscv64_rvv)
+#define lc_dilithium_sign_ctx_riscv64_rvv DILITHIUM_F(sign_ctx_riscv64_rvv)
+#define lc_dilithium_sign_init_riscv64_rvv DILITHIUM_F(sign_init_riscv64_rvv)
+#define lc_dilithium_sign_update_riscv64_rvv DILITHIUM_F(sign_update_riscv64_rvv)
+#define lc_dilithium_sign_final_riscv64_rvv DILITHIUM_F(sign_final_riscv64_rvv)
+#define lc_dilithium_verify_riscv64_rvv DILITHIUM_F(verify_riscv64_rvv)
+#define lc_dilithium_verify_ctx_riscv64_rvv DILITHIUM_F(verify_ctx_riscv64_rvv)
+#define lc_dilithium_verify_init_riscv64_rvv DILITHIUM_F(verify_init_riscv64_rvv)
+#define lc_dilithium_verify_update_riscv64_rvv DILITHIUM_F(verify_update_riscv64_rvv)
+#define lc_dilithium_verify_final_riscv64_rvv DILITHIUM_F(verify_final_riscv64_rvv)
+#define dilithium_ntt_8l_rvv DILITHIUM_F(ntt_8l_rvv)
+#define dilithium_intt_8l_rvv DILITHIUM_F(intt_8l_rvv)
+#define dilithium_poly_basemul_8l_rvv DILITHIUM_F(poly_basemul_8l_rvv)
+#define dilithium_poly_basemul_acc_8l_rvv DILITHIUM_F(poly_basemul_acc_8l_rvv)
+#define dilithium_ntt2normal_order_8l_rvv DILITHIUM_F(ntt2normal_order_8l_rvv)
+#define dilithium_normal2ntt_order_8l_rvv DILITHIUM_F(normal2ntt_order_8l_rvv)
+#define dilithium_poly_reduce_rvv DILITHIUM_F(poly_reduce_rvv)
+
 #ifdef __cplusplus
 }
 #endif

ml-dsa/src/riscv64/dilithium_consts_rvv.c

@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2024, Stephan Mueller <smueller@chronox.de>
+ *
+ * License: see LICENSE file in root directory
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+/*
+ * This file is derived from https://github.com/Ji-Peng/PQRV which uses the
+ * following license.
+ *
+ * The MIT license, the text of which is below, applies to PQRV in general.
+ *
+ * Copyright (c) 2024 Jipeng Zhang (jp-zhang@outlook.com)
+ * SPDX-License-Identifier: MIT
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef DILITHIUM_CONSTS_RVV_H
+#define DILITHIUM_CONSTS_RVV_H
+
+#include "dilithium_type.h"
+#include "ext_headers.h"
+
+extern const int32_t dilithium_qdata_rvv[1296];
+
+#endif /* DILITHIUM_CONSTS_RVV_H */

ml-dsa/src/riscv64/dilithium_consts_rvv.h

@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2024, Stephan Mueller <smueller@chronox.de>
+ *
+ * License: see LICENSE file in root directory
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+/*
+ * This file is derived from https://github.com/Ji-Peng/PQRV which uses the
+ * following license.
+ *
+ * The MIT license, the text of which is below, applies to PQRV in general.
+ *
+ * Copyright (c) 2024 Jipeng Zhang (jp-zhang@outlook.com)
+ * SPDX-License-Identifier: MIT
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef DILITHIUM_NTT_RVV_H
+#define DILITHIUM_NTT_RVV_H
+
+#include "dilithium_consts_rvv.h"
+
+extern void dilithium_ntt_8l_rvv(int32_t *r, const int32_t *qdata);
+extern void dilithium_intt_8l_rvv(int32_t *r, const int32_t *qdata);
+extern void dilithium_poly_basemul_8l_rvv(int32_t *r, const int32_t *a,
+                                const int32_t *b);
+extern void dilithium_poly_basemul_acc_8l_rvv(int32_t *r, const int32_t *a,
+                                    const int32_t *b);
+extern void dilithium_ntt2normal_order_8l_rvv(int32_t *r, const int32_t *qdata);
+extern void dilithium_normal2ntt_order_8l_rvv(int32_t *r, const int32_t *qdata);
+extern void dilithium_poly_reduce_rvv(int32_t *r);
+
+#endif /* DILITHIUM_NTT_RVV_H */

ml-dsa/src/riscv64/dilithium_ntt_rvv.h

@@ -49,6 +49,7 @@
 
 #include "dilithium_type.h"
 #include "dilithium_ntt_rv64im.h"
+#include "dilithium_ntt_rvv.h"
 #include "dilithium_zetas_riscv64.h"
 
 #ifdef __cplusplus
@@ -65,7 +66,11 @@ typedef struct {
 
 static inline void poly_reduce(poly *a)
 {
+#ifdef LC_DILITHIUM_RISCV64_RVV
+	dilithium_poly_reduce_rvv(a->coeffs);
+#else
 	dilithium_poly_reduce_rv64im(a->coeffs);
+#endif
 }
 
 static inline void poly_basemul_init(poly_double *r, const poly *a,
@@ -87,20 +92,37 @@ static inline void poly_basemul_acc_end(poly *r, const poly *a, const poly *b,
 						 b->coeffs, r_double->coeffs);
 }
 
+static inline void poly_basemul_acc_rvv(poly *c, const poly *a, const poly *b)
+{
+	dilithium_poly_basemul_acc_8l_rvv(c->coeffs, a->coeffs, b->coeffs);
+}
+
 static inline void poly_pointwise_montgomery(poly *c, const poly *a,
 					     const poly *b)
 {
+#ifdef LC_DILITHIUM_RISCV64_RVV
+	dilithium_poly_basemul_8l_rvv(c->coeffs, a->coeffs, b->coeffs);
+#else
 	dilithium_poly_basemul_8l_rv64im(c->coeffs, a->coeffs, b->coeffs);
+#endif
 }
 
 static inline void poly_ntt(poly *a)
 {
+#ifdef LC_DILITHIUM_RISCV64_RVV
+	dilithium_ntt_8l_rvv(a->coeffs, dilithium_qdata_rvv);
+#else
 	dilithium_ntt_8l_rv64im(a->coeffs, zetas_ntt_8l_rv64im);
+#endif
 }
 
 static inline void poly_invntt_tomont(poly *a)
 {
+#ifdef LC_DILITHIUM_RISCV64_RVV
+	dilithium_intt_8l_rvv(a->coeffs, dilithium_qdata_rvv);
+#else
 	dilithium_intt_8l_rv64im(a->coeffs, zetas_intt_8l_rv64im);
+#endif
 }
 
 /**

ml-dsa/src/riscv64/dilithium_poly_riscv64.h

@@ -102,13 +102,36 @@ polyvec_matrix_expand(polyvecl mat[LC_DILITHIUM_K],
 	unsigned int i, j;
 
 	for (i = 0; i < LC_DILITHIUM_K; ++i)
-		for (j = 0; j < LC_DILITHIUM_L; ++j)
+		for (j = 0; j < LC_DILITHIUM_L; ++j) {
 			poly_uniform(
 				&mat[i].vec[j], rho,
 				le_bswap16((uint16_t)(i << 8) + (uint16_t)j),
 				ws_buf);
+#ifdef LC_DILITHIUM_RISCV64_RVV
+			dilithium_normal2ntt_order_8l_rvv(mat[i].vec[j].coeffs,
+							  dilithium_qdata_rvv);
+#endif
+		}
+}
+
+#ifdef LC_DILITHIUM_RISCV64_RVV
+
+static inline void polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u,
+						     const polyvecl *v,
+						     void *ws_buf)
+{
+	unsigned int i;
+
+	(void)ws_buf;
+
+	poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]);
+	for (i = 1; i < LC_DILITHIUM_L; ++i) {
+		poly_basemul_acc_rvv(w, &u->vec[i], &v->vec[i]);
+	}
 }
 
+#else /* LC_DILITHIUM_RISCV64_RVV */
+
 static inline void polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u,
 						     const polyvecl *v,
 						     void *ws_buf)
@@ -122,8 +145,11 @@ static inline void polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u,
 	for (i = 1; i < LC_DILITHIUM_L - 1; ++i)
 		poly_basemul_acc(&w_double, &u->vec[i], &v->vec[i]);
 	poly_basemul_acc_end(w, &u->vec[i], &v->vec[i], &w_double);
+	lc_memset_secure(&w_double, 0, sizeof(w_double));
 }
 
+#endif /* LC_DILITHIUM_RISCV64_RVV */
+
 static inline void
 polyvec_matrix_pointwise_montgomery(polyveck *t,
 				    const polyvecl mat[LC_DILITHIUM_K],