Kyber: Update to NIST Draft Standard

[mkannwischer]

This updates Kyber to pq-crystals/kyber@4ecce06 via https://github.com/mkannwischer/package-pqclean/tree/146bcfac0befbc5d24755dcf273d0b3f25e5e876.
This should be in line with https://csrc.nist.gov/pubs/fips/203/ipd, but I have not seen NIST publish official NISTKATs anywhere, so we can't be sure.

The aarch64 is not yet updated. I'm cleaning that up in a separte branch and will open a PR shortly.

[mkannwischer]

PQClean/crypto_kem/kyber768/clean/kem.c

Line 161 in 86bc011

PQCLEAN_KYBER768_CLEAN_cmov(ss, kr, KYBER_SYMBYTES, (uint8_t) (1 - fail));

I would appreciate if someone could double check if I correctly replaced the boolean operation from https://github.com/pq-crystals/kyber/blob/standard/ref/kem.c. This went wrong a couple of times in the past.

[mkannwischer]

I updated and fixed the Neon NTT Kyber implementation today and it is now also compatible with the NIST drafts.
#495 should be solved now as well.

I have tested that everything works well on a Graviton instance, but I still want to test it on a Raspberry Pi when I am back in the office on Wednesday.

[thomwiggers]

On Apple Clang I get in the aarch impls:

cc -O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common  -c -o symmetric-shake.o symmetric-shake.c
symmetric-shake.c:78:2: error: no newline at end of file [-Werror,-Wnewline-eof]
}

[mkannwischer]

On Apple Clang I get in the aarch impls:

cc -O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common  -c -o symmetric-shake.o symmetric-shake.c
symmetric-shake.c:78:2: error: no newline at end of file [-Werror,-Wnewline-eof]
}

Thanks. Fixed that one. Can you test again?

[thomwiggers]

Seems to work on Apple now

[thomwiggers]

The PPC failures are related to a change that #500 needs to introduce

[thomwiggers]

I've merged #500. This means that there are a gajillion files in conflict but should also mean that we approach green CI a bit sooner.

[dstebila]

I talked with @cryptojedi about whether the PQCrystals standards branch and the FIPS drafts are equivalent, and there are a subtleties where they are not; Peter says they've notified NIST. To confirm: are you matching the PQCrystals standard branch or the FIPS draft?

[thomwiggers]

PQClean/crypto_kem/kyber768/clean/kem.c

Line 161 in 86bc011

PQCLEAN_KYBER768_CLEAN_cmov(ss, kr, KYBER_SYMBYTES, (uint8_t) (1 - fail));

I would appreciate if someone could double check if I correctly replaced the boolean operation from https://github.com/pq-crystals/kyber/blob/standard/ref/kem.c. This went wrong a couple of times in the past.

By the way, I think it looks plausible but I am also not aware of all potential problems here. @dsprenkels could you maybe have a peek?

[mkannwischer]

I talked with @cryptojedi about whether the PQCrystals standards branch and the FIPS drafts are equivalent, and there are a subtleties where they are not; Peter says they've notified NIST. To confirm: are you matching the PQCrystals standard branch or the FIPS draft?

This PR is matching the PQCrystals standard branch.

[mkannwischer]

I've merged #500. This means that there are a gajillion files in conflict but should also mean that we approach green CI a bit sooner.

Thanks @thomwiggers! I have rebased on top of master just now with some pain.
I have all passing tests now on my AVX2 machine and AArch64 Linux machine.
Will turn this into a real PR now.

[thomwiggers]

Ugh, it seems Astyle is not happy but only on Windows?

[thomwiggers]

Weirdly enough, when I run Astyle 3.4.8 on Windows 11 (Arm64) then I do not get any astyle issues...

[mkannwischer]

Thanks @thomwiggers for reviewing & merging!

[thomwiggers]

We’re not out of the woods yet, because CI still fails on the AStyle formatter (and doesn’t on my Windows VM). I wonder if there is some bug, but I need to set up a x64 VM.