new kpqc-supercop package


D. J. Bernstein

May 7, 2024, 1:17:17 PM
to kpqc-b...@googlegroups.com
I've collected more software patches and notes:

https://cr.yp.to/2024/kpqc-supercop-20240507.tar.gz

Here's my assessment of the overall software status after these patches:

* AIMer, HAETAE, and NTRU+ pass TIMECOP, and I'm planning to include
them in the next SUPERCOP release. However, some NTRU+ parameter
sets fail with some compiler options (see README in the package).

* For MQ-Sign, the reference code passes TIMECOP, but the AVX2 code
doesn't, because it's using table lookups to multiply in F_{256}.

* For NCC-Sign, the original code produces different results between
the reference and optimized code, and the patches don't cover all
of the issues found by TIMECOP.

* For Paloma and SMAUG-T, the patches make the code much slower and
still don't cover all of the issues found by TIMECOP. For Paloma, I
recommend rewriting the software to use the techniques of
https://eprint.iacr.org/2017/793. For SMAUG-T, I don't see how
software modifications can achieve good speeds without breaking
interoperability; I recommend changing the specification to use the
approach from https://cr.yp.to/papers.html#divergence or the
approach from https://eprint.iacr.org/2024/548.

* For REDOG, my understanding is that the submission team is still
working on their initial C code.

---D. J. Bernstein
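The MQ-Sign item above says the AVX2 code fails TIMECOP because it multiplies in F_{256} with table lookups. The following added example (not from this post or from any KpqC submission) puts a log/antilog table multiply next to a constant-time shift-and-mask multiply and checks that they agree on every operand pair; the field polynomial is assumed to be the AES polynomial x^8+x^4+x^3+x+1, which need not match MQ-Sign's.

```c
#include <stdint.h>
#include <stdio.h>

/* Reduction polynomial x^8+x^4+x^3+x+1 (AES); an assumption for this example. */
#define GF256_POLY 0x1b

/* Variable-time multiply: log/antilog tables indexed by the operands.
 * The loads at secret-dependent addresses are what TIMECOP reports. */
static uint8_t gf_log[256], gf_exp[512];
static int tables_ready = 0;

static void gf256_init_tables(void) {
    uint8_t x = 1;                      /* powers of the generator 3 = x + 1 */
    for (int i = 0; i < 255; i++) {
        gf_exp[i] = x; gf_exp[i + 255] = x;   /* doubled so log a + log b needs no mod */
        gf_log[x] = (uint8_t)i;
        uint8_t x2 = (uint8_t)((x << 1) ^ ((x & 0x80) ? GF256_POLY : 0));
        x = x2 ^ x;                     /* x * 3 = x * 2 + x */
    }
    tables_ready = 1;
}

uint8_t gf256_mul_table(uint8_t a, uint8_t b) {
    if (!tables_ready) gf256_init_tables();
    if (a == 0 || b == 0) return 0;     /* secret-dependent branch */
    return gf_exp[gf_log[a] + gf_log[b]]; /* secret-dependent indices */
}

/* Constant-time multiply: fixed eight iterations, no branches or table
 * indices depend on a or b; conditional adds are done with 0x00/0xff masks. */
uint8_t gf256_mul_ct(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t mask = (uint8_t)(0 - ((b >> i) & 1));  /* 0xff if bit i of b set */
        r ^= a & mask;                                 /* r += a * x^i */
        uint8_t carry = (uint8_t)(0 - (a >> 7));       /* 0xff if top bit set */
        a = (uint8_t)((a << 1) ^ (GF256_POLY & carry)); /* a *= x, reduce */
    }
    return r;
}

/* Returns 1 if both multipliers agree on all 65536 operand pairs. */
int gf256_table_matches_ct(void) {
    for (int a = 0; a < 256; a++)
        for (int b = 0; b < 256; b++)
            if (gf256_mul_table((uint8_t)a, (uint8_t)b) !=
                gf256_mul_ct((uint8_t)a, (uint8_t)b))
                return 0;
    return 1;
}

int main(void) {
    printf("table and constant-time multiply agree: %d\n", gf256_table_matches_ct());
    return 0;
}
```

Running a TIMECOP-style check (valgrind with operands marked undefined) reports the `gf_log`/`gf_exp` loads in `gf256_mul_table` and nothing in `gf256_mul_ct`.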