Kyber derand tasks

[falko-strenzke]

file / task	remove file	add AVX2	no assg. in if	format code	prefix funs	cleanup code	other
kyber.c	N/A	[X]	[X]	[X]	[X]	[X]	[-] implement self test function
							[X] implement _gcry_kyber_check_secret_key
							[-] implement _gcry_kyber_compute_keygrip
							[X] decide nbits implementation
kyber_aux.c/.h	N/A	[X]	[X]	[X]	[X]	[X]
kyber_cbd.c/.h	N/A	[X]	[X]	[X]	[X]	[X]
kyber-common.c/.h	N/A	[X]	[X]	[X]	[X]	[X]
kyber_ntt.c/.h	N/A	[X]	[X]	[X]	[X]	[X]
kyber_params.h	N/A	[X]	[X]	[X]	[X]	[X]
kyber_poly.c/.h	N/A	[X]	[X]	[X]	[X]	[X]
kyber_polyvec.c/.h	N/A	[X]	[X]	[X]	[X]	[X]
kyber_symmetric.c/.h	N/A	[X]	[X]	[X]	[X]	[X]

• bugs
  • resolve memory leak in kyber_check_secret_key()
    • when this function is invoked by kyber_generate(), then after already with three iterations of the gen-enc-dec test, libgcrypt produces an allocation failure. Valgrind show no leak. Needs to be debugged.
  • rework memory allocation:
    • ~~non-secmem for public operations: Use secure memory not for verification operation #14 ~~ N/A for ML-KEM
    • replace sensitive stack arrays
• add AVX implementation
  • make new set of files:
    • kyber_xxx.c => kyber_xxx_avx2.c
  • for now conditional compilation of the code inside the files which implement functions with AVX2
    • libgcrypt does it already in this way:
      if defined(ENABLE_AVX2_SUPPORT)
  • Note that we will be restricted to compilers featuring this immintrin.h
• reduce number of files
• header guards need to be prefixed (e.g. GCRY_KYBER)
• Format code everywhere
• prefix all functions with_gcry_kyber_
• add self-test in cipher/kyber.c
• dynamic kyber parameters
  • Kyber instance modelled by parameter object
  • employ everywhere
  • remove replaced kyber parameter preproc-defs
• use gcry hash/xof everywhere
• Implement new FO transform
  • adapt enc/dec
  • make new testvectors from kyber ref. impl.
• implement and test derand version (the non-derand functions call derand version)
  • implement for key gen
  • imlement for encap
• implement new SHAKE-based randombytes replacement for derand algos (used for test vectors: test/test_vectors.c:randombytes = SHAKE128. we can control the state of this RNG at least in a temporary implementation for the KAT tests. Then we can have full KAT tests (not only decryption as it is now. For a real solution for upstream integration might have to check the RNG framework of libgcrypt)
  • create new test vectors (not NIST-KAT for now, as that requires their AES DRBG)
  • implement new test using derand-functions
    • make derand functions available through API: optional seed argument.
      Note: there is already used in cipher/pubkey-util.c a "random-override" parameter in the S-EXP.
      See the use in src/visibility.c: gcry_pk_hash_sign(), apparently this function is part of the API (is used from tests).
      But only certain functions in this file receive a gcry_ctx_t that can be used for this purpose.
      • for key-gen: place into key-params S-EXP
      • for encap: additional buffer-argument or probably better: add gcry_ctx_t to the signature
• missing function implementations
  • kyber.c:
    • compute_keygrip()
    • selftests_kyber

Notes on GNU coding style matching:

• unsigned char pointers are commonly used in function signatures, see for instance cipher/rsa-common.c

[TJ-91]

• header guards should be prefixed (e.g. _GCRY_KYBER_)