From 39fa1ccfc7ceb38cdb0777eed6b3562c8c7eeaa6 Mon Sep 17 00:00:00 2001
From: Thom Wiggers
Date: Mon, 9 Mar 2020 17:57:43 -0400
Subject: [PATCH] Fix reduce.c's overflowing multiplication
---
 crypto_kem/kyber1024-90s/clean/reduce.c | 2 +-
 crypto_kem/kyber1024/clean/reduce.c | 2 +-
 crypto_kem/kyber512-90s/clean/reduce.c | 2 +-
 crypto_kem/kyber512/clean/reduce.c | 2 +-
 crypto_kem/kyber768-90s/clean/reduce.c | 2 +-
 crypto_kem/kyber768/clean/reduce.c | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/crypto_kem/kyber1024-90s/clean/reduce.c b/crypto_kem/kyber1024-90s/clean/reduce.c
index 8d72e790..b7b3722b 100644
--- a/crypto_kem/kyber1024-90s/clean/reduce.c
+++ b/crypto_kem/kyber1024-90s/clean/reduce.c
@@ -18,7 +18,7 @@ int16_t PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce(int32_t a) {
 int32_t t;
 int16_t u;
- u = (int16_t)(a * QINV);
+ u = (int16_t)(a * (int64_t)QINV);
 t = (int32_t)u * KYBER_Q;
 t = a - t;
 t >>= 16;
diff --git a/crypto_kem/kyber1024/clean/reduce.c b/crypto_kem/kyber1024/clean/reduce.c
index 62da4756..340fd618 100644
--- a/crypto_kem/kyber1024/clean/reduce.c
+++ b/crypto_kem/kyber1024/clean/reduce.c
@@ -18,7 +18,7 @@ int16_t PQCLEAN_KYBER1024_CLEAN_montgomery_reduce(int32_t a) {
 int32_t t;
 int16_t u;
- u = (int16_t)(a * QINV);
+ u = (int16_t)(a * (int64_t)QINV);
 t = (int32_t)u * KYBER_Q;
 t = a - t;
 t >>= 16;
diff --git a/crypto_kem/kyber512-90s/clean/reduce.c b/crypto_kem/kyber512-90s/clean/reduce.c
index 5e7f0936..2447fef1 100644
--- a/crypto_kem/kyber512-90s/clean/reduce.c
+++ b/crypto_kem/kyber512-90s/clean/reduce.c
@@ -18,7 +18,7 @@ int16_t PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce(int32_t a) {
 int32_t t;
 int16_t u;
- u = (int16_t)(a * QINV);
+ u = (int16_t)(a * (int64_t)QINV);
 t = (int32_t)u * KYBER_Q;
 t = a - t;
 t >>= 16;
diff --git a/crypto_kem/kyber512/clean/reduce.c b/crypto_kem/kyber512/clean/reduce.c
index 8932c0ff..60415dee 100644
--- a/crypto_kem/kyber512/clean/reduce.c
+++ b/crypto_kem/kyber512/clean/reduce.c
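Review bot: The widened multiply on the added line, `u = (int16_t)(a * (int64_t)QINV);`, removes the signed 32-bit overflow but makes this a 64-bit multiplication, which on 32-bit targets may be lowered to a multi-instruction sequence or a runtime helper whose timing is not guaranteed to be independent of the operands; in a KEM, where `a` is presumably derived from secret coefficients, that is worth avoiding. Only the low 16 bits of the product are kept, so `u = (int16_t)((uint32_t)a * (uint32_t)QINV);` gives the same bits with well-defined unsigned wraparound and no widening (QINV's definition is not in the hunk, so confirm it is a plain integer constant). The narrowing cast to `int16_t` and the later `t >>= 16` on a possibly negative `int32_t` are still implementation-defined, so a one-line comment such as `/* relies on two's-complement narrowing and arithmetic right shift */` would document the assumption. The same point applies to the identical hunks in the kyber1024, kyber512-90s, kyber512, kyber768-90s and kyber768 copies of reduce.c; the function body continues outside each hunk.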
@@ -18,7 +18,7 @@ int16_t PQCLEAN_KYBER512_CLEAN_montgomery_reduce(int32_t a) {
 int32_t t;
 int16_t u;
- u = (int16_t)(a * QINV);
+ u = (int16_t)(a * (int64_t)QINV);
 t = (int32_t)u * KYBER_Q;
 t = a - t;
 t >>= 16;
diff --git a/crypto_kem/kyber768-90s/clean/reduce.c b/crypto_kem/kyber768-90s/clean/reduce.c
index 965a45bc..9aa7f5bf 100644
--- a/crypto_kem/kyber768-90s/clean/reduce.c
+++ b/crypto_kem/kyber768-90s/clean/reduce.c
@@ -18,7 +18,7 @@ int16_t PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce(int32_t a) {
 int32_t t;
 int16_t u;
- u = (int16_t)(a * QINV);
+ u = (int16_t)(a * (int64_t)QINV);
 t = (int32_t)u * KYBER_Q;
 t = a - t;
 t >>= 16;
diff --git a/crypto_kem/kyber768/clean/reduce.c b/crypto_kem/kyber768/clean/reduce.c
index 5dd90f8b..ea2aa1b0 100644
--- a/crypto_kem/kyber768/clean/reduce.c
+++ b/crypto_kem/kyber768/clean/reduce.c
@@ -18,7 +18,7 @@ int16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(int32_t a) {
 int32_t t;
 int16_t u;
- u = (int16_t)(a * QINV);
+ u = (int16_t)(a * (int64_t)QINV);
 t = (int32_t)u * KYBER_Q;
 t = a - t;
 t >>= 16;