Implement MAYO

[ilway25]

We chose to implement the newer version of MAYO proposed by the authors instead of the one submitted to NIST.

The authors proposed the change to the spec here:
"Nibbling MAYO: Optimized Implementations for AVX2 and Cortex-M4" by Ward Beullens, Fabio Campos, Sofía Celi, Basil Hess, Matthias J. Kannwischer.

This pure Go code is written based on the tricks described in that paper and in their reference C code, specifically the nibbling-mayo branch.

It also passes the KAT tests.

Closes #482

[bwesterb]

Thank you for this. I will review over the coming days.

[bwesterb]

This is only a partial review. There is a lot to like in here, but it still needs work to be easier to review: you need to explain how things are encoded, computed, etc.

Also, did you implement this from scratch or did you translate an existing implementation?

[bwesterb]

^

[bwesterb]

^ "beause"

[bwesterb]

Why not use github.com/cloudflare/circl/internal/nist?

[ilway25]

github.com/cloudflare/circl/internal/nist does not implement io.Reader, which was somehow used during the debug process when implementing MAYO. Can change back to this one.

[ilway25]

Please ignore the previous comment. I think it would be better if github.com/cloudflare/circl/internal/nist implements io.Reader because MAYO's sign takes a random source, which is also used during KAT tests.

[bwesterb]

You duplicate test vectors for each mode across each mode. You can put these tests in the sign/mayo/mayo_test.go instead.

[bwesterb]

Also perhaps just put the hash of the desired outcome here.

[ilway25]

I do not quite agree with this suggestion, because

• we do not have an extra Mode layer like Dilithium does
• this is intended as the internal implementation unit test for each mayo variant, not integration test

Maybe just keep test vectors that belong to each mode in their respective module? (Then we need also to skip mayo_test.go ingen.go)

[bwesterb]

I see you added a sign/mayo/mayo_test.go. I like it. There are some duplicate tests between that one and in the subpackages.

[bwesterb]

In Circl we assume that the PrivateKey and PublicKey types can contain cached data, so it's more natural to use the expanded forms directly for PublicKey and PrivateKey.

[bwesterb]

Also it'll probably help with reducing allocations.

[ilway25]

We made the conclusion that key expansion of pk and sk should go with keygen but not sign or verify.

Does this mean the keygen will expand the pk and sk, even though under some circumstances one just wants to store these new keys without doing signing and verification? (expansion will be wasted)

[bwesterb]

Does this mean the keygen will expand the pk and sk, even though under some circumstances one just wants to store these new keys without doing signing and verification? (expansion will be wasted)

Yes, that's a downside. Keygen is the rarest operation, so I think it's alright.

[bwesterb]

This function needs a better name, and a description of what it does.

[bwesterb]

If p is always P, then just use P and not have the parameter.

[ilway25]

Here a design choice was made so that this is consistent with other similar functions which can be sometimes called with p != P.

[bwesterb]

Missing transpose on S1 and S2?

[bwesterb]

Explain the strategy.

[bwesterb]

Explain what this function does.

[bwesterb]

This function is only called with P. Why bother with the parameter?

[bwesterb]

This is Figure 2 method 3 right? Wouldn't method 2 be faster as we're not using AVX2 instructions?

[ilway25]

Here we chose to multiply by x^-1 all the way through, unlike Method 3 which interleaves *x and *x^-1 which probably gives more parallelism on more complex CPUs. On my MacBook M1 Pro, Method 2 was not faster.

[ilway25]

This is only a partial review. There is a lot to like in here, but it still needs work to be easier to review: you need to explain how things are encoded, computed, etc.

Also, did you implement this from scratch or did you translate an existing implementation?

Thanks for pointing out things to consider. No, it is not written not from scratch. The code basically follows the thought process of the reference code.

[bwesterb]

Thanks for pointing out things to consider. No, it is not written not from scratch. The code basically follows the thought process of the reference code.

You should add a comment acknowledging on which code you've based yours, and mention its license (and make sure it's compatible with Circl's license.)

[armfazh]

Thanks for pointing out things to consider. No, it is not written not from scratch. The code basically follows the thought process of the reference code.

You should add a comment acknowledging on which code you've based yours, and mention its license (and make sure it's compatible with Circl's license.)

about the licensing, I think it suffices to add a line in the gen.go file something such as:

This implementation is a port from the C implementation of MAYO [link} distributed under <LICENSE>.

and there is no need to include the NOTICE and LICENSE files.

[armfazh]

These are a few comments, not a full review. In the meantime @bwesterb will help you polishing the code, and I will review again after that.

[armfazh]

this is not really needed, as it only required to implement one method.

[ilway25]

Yes it can be remove, but this is intended as a static check (self-contained safe guard) that DRBG does implement io.Reader.

[armfazh]

this check can be done in a test file.

[bwesterb]

I agree with Armando.

[armfazh]

Suggested change

	pk, sk, err := mode.GenerateKey(nil)
	pk, sk, err := mode.GenerateKey(rand.Reader)

[bwesterb]

I disagree. nil is fine. (This is meant as a code example, and using rand.Reader is a really bad example.)

[armfazh]

check error

[armfazh]

Suggested change

	if !mode.Verify(pk2, msg, signature) {
	panic("incorrect signature")
	}
	fmt.Printf("O.K.")
	// Output:
	// Supported modes: [MAYO_1 MAYO_2 MAYO_3 MAYO_5]
	// O.K.
	ok := mode.Verify(pk2, msg, signature)
	fmt.Printf("Is valid: %v", ok)
	// Output:
	// Supported modes: [MAYO_1 MAYO_2 MAYO_3 MAYO_5]
	// IsValid: true

[ilway25]

This files is copied from Dilithium. Could you explain what is the intention behind the modification here?

[armfazh]

it's a suggestion to improve the code.

[bwesterb]

I think the original is fine.

[bwesterb]

@ilway25 Thank you so much for the quick changes on our preliminary review. I'll be travelling for another week. After that I'll sit down and continue the review. Thanks again.

[bwesterb]

I agree with Armando.

[bwesterb]

I disagree. nil is fine. (This is meant as a code example, and using rand.Reader is a really bad example.)

[bwesterb]

I think the original is fine.

[bwesterb]

Dilithium has a separate Mode interface, because the Dilithium implementation predates the generic circl/sign.Scheme API. If I'd write Dilithium today, I wouldn't have included the Mode interface. Similarly, if it's not too much trouble, it'd be better to just stick to the generic signature API and do away with the mode interface here. I can do that for you after it's merged if it's too much of a chore.

[bwesterb]

Please mention the repository and commit hash from which you generated these.

[bwesterb]

Nit: S^t.

[bwesterb]

Add comment describing the function.

[bwesterb]

Explain what the function does.

[bwesterb]

Explain what the function does.

[bwesterb]

I'm not sure it makes sense that this is a separate function.

[bwesterb]

The code improved a lot. Still it needs better documentation on the actual arithmetic to make review easier.