Update Kyber to final FIPS203 and rename to ML-KEM (#362)

README.md

@@ -163,22 +163,22 @@ int crypto_sign_open(unsigned char *m, size_t *mlen,
 
 
 ## Running tests and benchmarks
-The build system compiles six binaries for each implemenation which can be used to test and benchmark the schemes. For example, for the reference implementation of [Kyber768](https://pq-crystals.org/kyber/) the following binaries are assembled: 
- - `bin/crypto_kem_kyber768_m4_test.bin` tests if the scheme works as expected. For KEMs this tests if Alice and Bob derive the same shared key and for signature schemes it tests if a generated signature can be verified correctly. Several failure cases are also checked, see [mupq/crypto_kem/test.c](https://github.com/mupq/mupq/blob/master/crypto_kem/test.c) and [mupq/crypto_sign/test.c](https://github.com/mupq/mupq/blob/master/crypto_sign/test.c) for details.
- - `bin/crypto_kem_kyber768_m4_speed.bin` measures the runtime of `crypto_kem_keypair`, `crypto_kem_enc`, and `crypto_kem_dec` for KEMs and `crypto_sign_keypair`, `crypto_sign`, and `crypto_sign_open` for signatures. See [mupq/crypto_kem/speed.c](https://github.com/mupq/mupq/blob/master/crypto_kem/speed.c) and [mupq/crypto_sign/speed.c](https://github.com/mupq/mupq/blob/master/crypto_sign/speed.c).
- - `bin/crypto_kem_kyber768_m4_hashing.bin` measures the cycles spent in SHA-2, SHA-3, and AES of `crypto_kem_keypair`, `crypto_kem_enc`, and `crypto_kem_dec` for KEMs and `crypto_sign_keypair`, `crypto_sign`, and `crypto_sign_open` for signatures. See [mupq/crypto_kem/hashing.c](https://github.com/mupq/mupq/blob/master/crypto_kem/speed.c) and [mupq/crypto_sign/speed.c](https://github.com/mupq/mupq/blob/master/crypto_sign/speed.c).
- - `bin/crypto_kem_kyber768_m4_stack.bin` measures the stack consumption of each of the procedures involved. The memory allocated outside of the procedures (e.g., public keys, private keys, ciphertexts, signatures) is not included. See [mupq/crypto_kem/stack.c](https://github.com/mupq/mupq/blob/master/crypto_kem/stack.c) and [mupq/crypto_sign/stack.c](https://github.com/mupq/mupq/blob/master/crypto_sign/stack.c).
- - `bin/crypto_kem_kyber768_m4_testvectors.bin` uses a deterministic random number generator to generate testvectors for the implementation. These can be used to cross-check different implemenatations of the same scheme. See [mupq/crypto_kem/testvectors.c](https://github.com/mupq/mupq/blob/master/crypto_kem/testvectors.c) and [mupq/crypto_sign/testvectors.c](https://github.com/mupq/mupq/blob/master/crypto_sign/testvectors.c).
-- `bin-host/crypto_kem_kyber768_m4_testvectors` uses the same deterministic random number generator to create the testvectors on your host. See [mupq/crypto_kem/testvectors-host.c](https://github.com/mupq/mupq/blob/master/crypto_kem/testvectors-host.c) and [mupq/crypto_sign/testvectors-host.c](https://github.com/mupq/mupq/blob/master/crypto_sign/testvectors-host.c).
+The build system compiles six binaries for each implemenation which can be used to test and benchmark the schemes. For example, for the reference implementation of [ML-KEM-768](https://pq-crystals.org/kyber/) the following binaries are assembled: 
+ - `bin/crypto_kem_ml-kem-768_m4_test.bin` tests if the scheme works as expected. For KEMs this tests if Alice and Bob derive the same shared key and for signature schemes it tests if a generated signature can be verified correctly. Several failure cases are also checked, see [mupq/crypto_kem/test.c](https://github.com/mupq/mupq/blob/master/crypto_kem/test.c) and [mupq/crypto_sign/test.c](https://github.com/mupq/mupq/blob/master/crypto_sign/test.c) for details.
+ - `bin/crypto_kem_ml-kem-768_m4_speed.bin` measures the runtime of `crypto_kem_keypair`, `crypto_kem_enc`, and `crypto_kem_dec` for KEMs and `crypto_sign_keypair`, `crypto_sign`, and `crypto_sign_open` for signatures. See [mupq/crypto_kem/speed.c](https://github.com/mupq/mupq/blob/master/crypto_kem/speed.c) and [mupq/crypto_sign/speed.c](https://github.com/mupq/mupq/blob/master/crypto_sign/speed.c).
+ - `bin/crypto_kem_ml-kem-768_m4_hashing.bin` measures the cycles spent in SHA-2, SHA-3, and AES of `crypto_kem_keypair`, `crypto_kem_enc`, and `crypto_kem_dec` for KEMs and `crypto_sign_keypair`, `crypto_sign`, and `crypto_sign_open` for signatures. See [mupq/crypto_kem/hashing.c](https://github.com/mupq/mupq/blob/master/crypto_kem/speed.c) and [mupq/crypto_sign/speed.c](https://github.com/mupq/mupq/blob/master/crypto_sign/speed.c).
+ - `bin/crypto_kem_ml-kem-768_m4_stack.bin` measures the stack consumption of each of the procedures involved. The memory allocated outside of the procedures (e.g., public keys, private keys, ciphertexts, signatures) is not included. See [mupq/crypto_kem/stack.c](https://github.com/mupq/mupq/blob/master/crypto_kem/stack.c) and [mupq/crypto_sign/stack.c](https://github.com/mupq/mupq/blob/master/crypto_sign/stack.c).
+ - `bin/crypto_kem_ml-kem-768_m4_testvectors.bin` uses a deterministic random number generator to generate testvectors for the implementation. These can be used to cross-check different implemenatations of the same scheme. See [mupq/crypto_kem/testvectors.c](https://github.com/mupq/mupq/blob/master/crypto_kem/testvectors.c) and [mupq/crypto_sign/testvectors.c](https://github.com/mupq/mupq/blob/master/crypto_sign/testvectors.c).
+- `bin-host/crypto_kem_ml-kem-768_m4_testvectors` uses the same deterministic random number generator to create the testvectors on your host. See [mupq/crypto_kem/testvectors-host.c](https://github.com/mupq/mupq/blob/master/crypto_kem/testvectors-host.c) and [mupq/crypto_sign/testvectors-host.c](https://github.com/mupq/mupq/blob/master/crypto_sign/testvectors-host.c).
 - An `elf` file for each binary is generated in the `elf/` folder if desired.
 
 The `elf` files or binaries can be flashed to your board using an appropriate
-tool. For example, the `stm32f4discovery` platform uses `st-flash`, e.g., `st-flash write bin/crypto_kem_kyber768_m4_test.bin 0x8000000`. To receive the output, run `python3 hostside/host_unidirectional.py`. 
+tool. For example, the `stm32f4discovery` platform uses `st-flash`, e.g., `st-flash write bin/crypto_kem_ml-kem-768_m4_test.bin 0x8000000`. To receive the output, run `python3 hostside/host_unidirectional.py`. 
 
 If you target the `mps2-an386` platform, you can also run the `elf` file using
 the QEMU ARM emulator:
 ```
-qemu-system-arm -M mps2-an386 -nographic -semihosting -kernel elf/crypto_kem_kyber512_m4_test.elf
+qemu-system-arm -M mps2-an386 -nographic -semihosting -kernel elf/crypto_kem_ml-kem-512_m4_test.elf
 ```
 The emulator should exit automatically when the test / benchmark completes. If
 you run into an error, you can exit QEMU pressing CTRL+A and then X.
@@ -197,7 +197,7 @@ The scripts take a number of command line arguments, which you'll need to adapt:
 If you change any of these values, you'll need to run `make clean` (the build
 system will remind you).
 
-In case you don't want to include all schemes, pass a list of schemes you want to include to any of the scripts, e.g., `python3 test.py kyber768 sphincs-shake256-128f-simple`. 
+In case you don't want to include all schemes, pass a list of schemes you want to include to any of the scripts, e.g., `python3 test.py ml-kem-768 sphincs-shake256-128f-simple`. 
 In case you want to exclude certain schemes pass `--exclude`, e.g., `python3 test.py --exclude saber`.
 
 The benchmark results (in `benchmarks/`) created by 

benchmarks.csv

@@ -8,15 +8,15 @@ bikel3 (10 executions),opt,248083316,248083286,248083345,16405238,16405236,16405
 hqc-128 (10 executions),clean,52705201,52705180,52705224,105650897,105650877,105650927,159569179,159569176,159569183
 hqc-192 (10 executions),clean,161458617,161458590,161458638,323146261,323146250,323146292,486156251,486156214,486156266
 hqc-256 (10 executions),clean,295934078,295934057,295934104,591853870,591853850,591853898,891163005,891162988,891163038
-kyber1024 (10 executions),clean,1540394,1537580,1549267,1712150,1709337,1721019,2024408,2021583,2033304
-kyber1024 (10 executions),m4fspeed,1006341,1004590,1016692,1029398,1027642,1039752,1091847,1090091,1102201
-kyber1024 (10 executions),m4fstack,1009603,1007702,1019835,1038001,1036100,1048226,1101208,1099307,1111470
-kyber512 (10 executions),clean,597372,596106,607563,702227,700957,712416,890274,889008,900467
-kyber512 (10 executions),m4fspeed,387341,386762,387769,391098,390520,391527,428365,427786,428794
-kyber512 (10 executions),m4fstack,386853,386573,387221,392801,392521,393166,430140,429861,430504
-kyber768 (10 executions),clean,989247,987825,999577,1138807,1137381,1149131,1388568,1387146,1398896
-kyber768 (10 executions),m4fspeed,631912,631599,632459,656455,656155,656969,705524,705223,706037
-kyber768 (10 executions),m4fstack,634213,632786,644273,662556,661130,672615,712081,710655,722140
+ml-kem-1024 (10 executions),clean,1540607,1535678,1547404,1712361,1707431,1719164,2024616,2019674,2031410
+ml-kem-1024 (10 executions),m4fspeed,1007759,1004549,1017159,1030702,1027443,1040101,1093153,1089895,1102552
+ml-kem-1024 (10 executions),m4fstack,1010100,1007459,1018999,1038190,1035550,1047090,1101234,1098594,1110134
+ml-kem-512 (10 executions),clean,595882,595636,596329,700689,700440,701134,888740,888494,889189
+ml-kem-512 (10 executions),m4fspeed,388544,387190,398814,392178,390825,402445,429456,428102,439722
+ml-kem-512 (10 executions),m4fstack,386999,386677,387465,392813,392492,393280,430152,429831,430619
+ml-kem-768 (10 executions),clean,990901,986123,997663,1140412,1135630,1147169,1390176,1385399,1396936
+ml-kem-768 (10 executions),m4fspeed,631949,631658,632164,656369,656082,656596,705436,705148,705663
+ml-kem-768 (10 executions),m4fstack,634227,632761,644635,662468,661003,672877,711996,710530,722405
 Signature Schemes,,,,,,,,,,
 Scheme,Implementation,Key Generation [cycles] (mean),Key Generation [cycles] (min),Key Generation [cycles] (max),Sign [cycles] (mean),Sign [cycles] (min),Sign [cycles] (max),Verify [cycles] (mean),Verify [cycles] (min),Verify [cycles] (max)
 aimer128f (10 executions),mem_opt,564325,564324,564326,46875341,46874593,46876276,26989249,26988505,26989828
@@ -168,15 +168,15 @@ bikel3,opt,69444,50556,155388,,,,,,
 hqc-128,clean,33644,51428,55892,,,,,,
 hqc-192,clean,65668,101636,110660,,,,,,
 hqc-256,clean,103756,161508,175972,,,,,,
-kyber1024,clean,15136,18784,20360,,,,,,
-kyber1024,m4fspeed,6436,7500,7484,,,,,,
-kyber1024,m4fstack,3332,3372,3356,,,,,,
-kyber512,clean,6168,8800,9576,,,,,,
-kyber512,m4fspeed,4364,5436,5412,,,,,,
-kyber512,m4fstack,2292,2348,2332,,,,,,
-kyber768,clean,10272,13408,14504,,,,,,
-kyber768,m4fspeed,5396,6468,6452,,,,,,
-kyber768,m4fstack,2820,2860,2844,,,,,,
+ml-kem-1024,clean,15128,18776,20352,,,,,,
+ml-kem-1024,m4fspeed,6436,7500,7484,,,,,,
+ml-kem-1024,m4fstack,3332,3372,3356,,,,,,
+ml-kem-512,clean,6152,8784,9560,,,,,,
+ml-kem-512,m4fspeed,4372,5436,5412,,,,,,
+ml-kem-512,m4fstack,2300,2348,2332,,,,,,
+ml-kem-768,clean,10248,13384,14480,,,,,,
+ml-kem-768,m4fspeed,5396,6468,6452,,,,,,
+ml-kem-768,m4fstack,2820,2860,2844,,,,,,
 Signature Schemes,,,,,,,,,,
 Scheme,Implementation,Key Generation [bytes],Sign [bytes],Verify [bytes],,,,,,
 aimer128f,mem_opt,8728,13864,15440,,,,,,
@@ -329,15 +329,15 @@ bikel3,opt,0.0,6.3,0.2,,,,,,
 hqc-128,clean,0.4,0.8,0.5,,,,,,
 hqc-192,clean,0.3,0.5,0.3,,,,,,
 hqc-256,clean,0.2,0.4,0.3,,,,,,
-kyber1024,clean,49.9,45.6,38.6,,,,,,
-kyber1024,m4fspeed,76.1,75.5,71.2,,,,,,
-kyber1024,m4fstack,75.8,74.9,70.6,,,,,,
-kyber512,clean,49.8,41.1,32.5,,,,,,
-kyber512,m4fspeed,76.5,73.5,67.1,,,,,,
-kyber512,m4fstack,76.5,73.1,66.8,,,,,,
-kyber768,clean,48.5,43.2,35.4,,,,,,
-kyber768,m4fspeed,75.4,74.4,69.2,,,,,,
-kyber768,m4fstack,75.3,73.8,68.7,,,,,,
+ml-kem-1024,clean,50.0,45.6,38.6,,,,,,
+ml-kem-1024,m4fspeed,76.1,75.5,71.2,,,,,,
+ml-kem-1024,m4fstack,75.9,74.9,70.7,,,,,,
+ml-kem-512,clean,49.9,41.1,32.5,,,,,,
+ml-kem-512,m4fspeed,76.5,73.5,67.2,,,,,,
+ml-kem-512,m4fstack,76.6,73.2,66.9,,,,,,
+ml-kem-768,clean,48.6,43.2,35.4,,,,,,
+ml-kem-768,m4fspeed,75.5,74.4,69.3,,,,,,
+ml-kem-768,m4fstack,75.3,73.9,68.7,,,,,,
 Signature Schemes,,,,,,,,,,
 Scheme,Implementation,Key Generation [%],Sign [%],Verify [%],,,,,,
 aimer128f,mem_opt,50.6,66.1,49.6,,,,,,
@@ -489,15 +489,15 @@ bikel3,opt,43091,24,1,43116,,,,,
 hqc-128,clean,18628,0,0,18628,,,,,
 hqc-192,clean,21104,0,0,21104,,,,,
 hqc-256,clean,26260,0,0,26260,,,,,
-kyber1024,clean,6264,0,0,6264,,,,,
-kyber1024,m4fspeed,16884,0,0,16884,,,,,
-kyber1024,m4fstack,14092,0,0,14092,,,,,
-kyber512,clean,5132,0,0,5132,,,,,
-kyber512,m4fspeed,15796,0,0,15796,,,,,
-kyber512,m4fstack,13280,0,0,13280,,,,,
-kyber768,clean,5136,0,0,5136,,,,,
-kyber768,m4fspeed,15964,0,0,15964,,,,,
-kyber768,m4fstack,13288,0,0,13288,,,,,
+ml-kem-1024,clean,6160,0,0,6160,,,,,
+ml-kem-1024,m4fspeed,16912,0,0,16912,,,,,
+ml-kem-1024,m4fstack,14012,0,0,14012,,,,,
+ml-kem-512,clean,5116,0,0,5116,,,,,
+ml-kem-512,m4fspeed,15844,0,0,15844,,,,,
+ml-kem-512,m4fstack,13324,0,0,13324,,,,,
+ml-kem-768,clean,5120,0,0,5120,,,,,
+ml-kem-768,m4fspeed,16012,0,0,16012,,,,,
+ml-kem-768,m4fstack,13316,0,0,13316,,,,,
 Signature Schemes,,,,,,,,,,
 Scheme,Implementation,.text [bytes],.data [bytes],.bss [bytes],Total [bytes],,,,,
 aimer128f,mem_opt,17476,0,0,17476,,,,,