WIP

CMakeLists.txt

@@ -555,6 +555,23 @@ target_link_libraries(
   pqclean_dilithium5_clean
 )
 
+add_executable(
+  mytest
+
+  test/mytest.cpp
+)
+
+target_link_libraries(
+  mytest
+  gtest
+  gtest_main)
+
+target_include_directories(
+  mytest PRIVATE
+
+  ${CMAKE_SOURCE_DIR})
+
+
 install(TARGETS pqclean pqclean_s
   PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ GROUP_WRITE WORLD_READ WORLD_WRITE
   LIBRARY DESTINATION lib

src/kem/kyber/kyber1024/clean/reduce.c

@@ -35,10 +35,22 @@ int16_t PQCLEAN_KYBER1024_CLEAN_montgomery_reduce(int32_t a) {
 * Returns:     integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q.
 **************************************************/
 int16_t PQCLEAN_KYBER1024_CLEAN_barrett_reduce(int16_t a) {
-    int16_t t;
-    const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q;
+    int16_t p;
+    int32_t t;
+
+// Montgomery constant R=2^16
+#define KYBER_MONT_Re 16U
+// -1/KYBER_Q mod KYBER_MONT_R
+#define KYBER_MONT_qinv 3327U
+
+    // -Q^(-1)*a mod 2^16
+    p = (uint32_t)a*KYBER_MONT_qinv;
+    t = KYBER_Q*p;
+    t += a;
+    // Final result not in a Montgomery domain
+    return t>>KYBER_MONT_Re;
 
-    t  = ((int32_t)v * a + (1 << 25)) >> 26;
-    t *= KYBER_Q;
-    return a - t;
+// only because I include .c file in test
+#undef KYBER_MONT_M
+#undef KYBER_MONT_qinv
 }

src/kem/kyber/kyber768/clean/cbd.c

@@ -21,18 +21,6 @@ static uint32_t load32_littleendian(const uint8_t x[4]) {
     return r;
 }
 
-/*************************************************
-* Name:        load24_littleendian
-*
-* Description: load 3 bytes into a 32-bit integer
-*              in little-endian order.
-*              This function is only needed for Kyber-512
-*
-* Arguments:   - const uint8_t *x: pointer to input byte array
-*
-* Returns 32-bit unsigned integer loaded from x (most significant byte is zero)
-**************************************************/
-
 
 /*************************************************
 * Name:        cbd2

src/kem/kyber/kyber768/clean/reduce.c

@@ -1,6 +1,7 @@
 #include "params.h"
 #include "reduce.h"
 #include <stdint.h>
+#include <stdio.h>
 
 /*************************************************
 * Name:        PQCLEAN_KYBER768_CLEAN_montgomery_reduce
@@ -11,7 +12,7 @@
 * Arguments:   - int32_t a: input integer to be reduced;
 *                           has to be in {-q2^15,...,q2^15-1}
 *
-* Returns:     integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q.
+* Returns:     integer in {-q+1,...,q-1} congruent to a * R^-1 modulo 2*q.
 **************************************************/
 int16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(int32_t a) {
     int32_t t;
@@ -35,10 +36,34 @@ int16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(int32_t a) {
 * Returns:     integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q.
 **************************************************/
 int16_t PQCLEAN_KYBER768_CLEAN_barrett_reduce(int16_t a) {
-    int16_t t;
-    const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q;
 
-    t  = ((int32_t)v * a + (1 << 25)) >> 26;
-    t *= KYBER_Q;
-    return a - t;
+    int32_t t;
+
+/*
+ * Barrett reduction is applied to 16-bit signed
+ * integers. We use q=26 to compute the reprociacal
+ * floor(2^q / KYBER_Q), which is much larger than
+ * any value of 'a'. That way, the final subtraction
+ * can be avoided. (OZAPTF): perform bounds analysis
+ * check if that's true).
+ */
+#define KYBER_BARETT_q 26
+/*
+ * Reprocical used by Barrett reduction
+ *   floor(2^q / KYBER_Q)
+ */
+#define KYBER_BARETT_U 20158
+
+    // Round the reprocical up
+    t = (KYBER_BARETT_U+1)*a;
+    // Add 1/2 * 2^25 to centrize
+    // in {-(q-1)/2,...,(q-1)/2} mod KYBER_Q.
+    t += 1<<25;
+    // Last 4 bytes
+    t >>= 26;
+    // Final multiplication and subtraction
+    return a - ((int16_t)t)*KYBER_Q;
+
+#undef KYBER_BARETT_q
+#undef KYBER_BARETT_U
 }

src/sign/dilithium/dilithium3/clean/rounding.c

@@ -1,6 +1,8 @@
 #include "params.h"
 #include "rounding.h"
 #include <stdint.h>
+#include <stdio.h>
+#include <assert.h>
 
 /*************************************************
 * Name:        PQCLEAN_DILITHIUM3_CLEAN_power2round
@@ -38,10 +40,19 @@ int32_t PQCLEAN_DILITHIUM3_CLEAN_power2round(int32_t *a0, int32_t a)  {
 **************************************************/
 int32_t PQCLEAN_DILITHIUM3_CLEAN_decompose(int32_t *a0, int32_t a) {
     int32_t a1;
-
+    a=8176979;
+    printf("0>%d\n", a);
     a1  = (a + 127) >> 7;
-    a1  = (a1 * 1025 + (1 << 21)) >> 22;
+    printf("1>%d\n", a1);
+    a1  = (a1 * 1025);
+    printf("2>%d\n", a1);
+    a1 += (1 << 21);
+    printf("3>%d\n", a1);
+    a1 >>= 22;
+    printf("4>%d\n", a1);
     a1 &= 15;
+    printf("5>%d\n", a1);
+    assert(0);
 
     *a0  = a - a1 * 2 * GAMMA2;
     *a0 -= (((Q - 1) / 2 - *a0) >> 31) & Q;

test/mytest.cpp

@@ -1,8 +1,10 @@
 #include <gtest/gtest.h>
-#include "crypto_sign/dilithium/dilithium2/clean/ntt.c"
-#include "crypto_sign/dilithium/dilithium2/clean/reduce.c"
-#include "crypto_kem/kyber/kyber768/clean/reduce.c"
+//#include "src/sign/dilithium/dilithium2/clean/ntt.c"
+//#include "src/sign/dilithium/dilithium2/clean/reduce.c"
+#include "src/kem/kyber/kyber768/clean/reduce.h"
+#include "src/kem/kyber/kyber768/clean/reduce.c"
 
+#if 0
 TEST(X,XXX) {
 	uint32_t a_in[] = {
 		8185875, 3328957, 6049449, 4344158, 5817506, 4415885, 4890107, 4537720, 2601260,
@@ -18,7 +20,9 @@ TEST(X,XXX) {
 		printf("%08X, ", a_in[i]);
 	}
 }
+#endif
 
 TEST(Kyber,k) {
-	ASSERT_EQ(PQCLEAN_KYBER768_CLEAN_montgomery_reduce(1<<16), 1);
+	ASSERT_EQ(PQCLEAN_KYBER768_CLEAN_montgomery_reduce(((-KYBER_Q)*(1<<15))), 0);
+	ASSERT_EQ(PQCLEAN_KYBER768_CLEAN_montgomery_reduce(((-KYBER_Q)*(1<<15))+1), -3160);
 }