diff --git a/CMakeLists.txt b/CMakeLists.txt index e85bfa28..57310c84 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -555,6 +555,23 @@ target_link_libraries( pqclean_dilithium5_clean ) +add_executable( + mytest + + test/mytest.cpp +) + +target_link_libraries( + mytest + gtest + gtest_main) + +target_include_directories( + mytest PRIVATE + + ${CMAKE_SOURCE_DIR}) + + install(TARGETS pqclean pqclean_s PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ GROUP_WRITE WORLD_READ WORLD_WRITE LIBRARY DESTINATION lib diff --git a/src/kem/kyber/kyber1024/clean/reduce.c b/src/kem/kyber/kyber1024/clean/reduce.c index 6ddb6a52..fb146a48 100644 --- a/src/kem/kyber/kyber1024/clean/reduce.c +++ b/src/kem/kyber/kyber1024/clean/reduce.c @@ -35,10 +35,22 @@ int16_t PQCLEAN_KYBER1024_CLEAN_montgomery_reduce(int32_t a) { * Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. **************************************************/ int16_t PQCLEAN_KYBER1024_CLEAN_barrett_reduce(int16_t a) { - int16_t t; - const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; + int16_t p; + int32_t t; + +// Montgomery constant R=2^16 +#define KYBER_MONT_Re 16U +// -1/KYBER_Q mod KYBER_MONT_R +#define KYBER_MONT_qinv 3327U + + // -Q^(-1)*a mod 2^16 + p = (uint32_t)a*KYBER_MONT_qinv; + t = KYBER_Q*p; + t += a; + // Final result not in a Montgomery domain + return t>>KYBER_MONT_Re; - t = ((int32_t)v * a + (1 << 25)) >> 26; - t *= KYBER_Q; - return a - t; +// only because I include .c file in test +#undef KYBER_MONT_M +#undef KYBER_MONT_qinv } diff --git a/src/kem/kyber/kyber768/clean/cbd.c b/src/kem/kyber/kyber768/clean/cbd.c index bd9bf87b..69f49201 100644 --- a/src/kem/kyber/kyber768/clean/cbd.c +++ b/src/kem/kyber/kyber768/clean/cbd.c @@ -21,18 +21,6 @@ static uint32_t load32_littleendian(const uint8_t x[4]) { return r; } -/************************************************* -* Name: load24_littleendian -* -* Description: load 3 bytes into a 32-bit integer -* in little-endian order. -* This function is only needed for Kyber-512 -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x (most significant byte is zero) -**************************************************/ - /************************************************* * Name: cbd2 diff --git a/src/kem/kyber/kyber768/clean/reduce.c b/src/kem/kyber/kyber768/clean/reduce.c index 0fc06411..65273456 100644 --- a/src/kem/kyber/kyber768/clean/reduce.c +++ b/src/kem/kyber/kyber768/clean/reduce.c @@ -1,6 +1,7 @@ #include "params.h" #include "reduce.h" #include +#include /************************************************* * Name: PQCLEAN_KYBER768_CLEAN_montgomery_reduce @@ -11,7 +12,7 @@ * Arguments: - int32_t a: input integer to be reduced; * has to be in {-q2^15,...,q2^15-1} * -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. +* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo 2*q. **************************************************/ int16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(int32_t a) { int32_t t; @@ -35,10 +36,34 @@ int16_t PQCLEAN_KYBER768_CLEAN_montgomery_reduce(int32_t a) { * Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. **************************************************/ int16_t PQCLEAN_KYBER768_CLEAN_barrett_reduce(int16_t a) { - int16_t t; - const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; - t = ((int32_t)v * a + (1 << 25)) >> 26; - t *= KYBER_Q; - return a - t; + int32_t t; + +/* + * Barrett reduction is applied to 16-bit signed + * integers. We use q=26 to compute the reprociacal + * floor(2^q / KYBER_Q), which is much larger than + * any value of 'a'. That way, the final subtraction + * can be avoided. (OZAPTF): perform bounds analysis + * check if that's true). + */ +#define KYBER_BARETT_q 26 +/* + * Reprocical used by Barrett reduction + * floor(2^q / KYBER_Q) + */ +#define KYBER_BARETT_U 20158 + + // Round the reprocical up + t = (KYBER_BARETT_U+1)*a; + // Add 1/2 * 2^25 to centrize + // in {-(q-1)/2,...,(q-1)/2} mod KYBER_Q. + t += 1<<25; + // Last 4 bytes + t >>= 26; + // Final multiplication and subtraction + return a - ((int16_t)t)*KYBER_Q; + +#undef KYBER_BARETT_q +#undef KYBER_BARETT_U } diff --git a/src/sign/dilithium/dilithium3/clean/rounding.c b/src/sign/dilithium/dilithium3/clean/rounding.c index f0181477..91ca4148 100644 --- a/src/sign/dilithium/dilithium3/clean/rounding.c +++ b/src/sign/dilithium/dilithium3/clean/rounding.c @@ -1,6 +1,8 @@ #include "params.h" #include "rounding.h" #include +#include +#include /************************************************* * Name: PQCLEAN_DILITHIUM3_CLEAN_power2round @@ -38,10 +40,19 @@ int32_t PQCLEAN_DILITHIUM3_CLEAN_power2round(int32_t *a0, int32_t a) { **************************************************/ int32_t PQCLEAN_DILITHIUM3_CLEAN_decompose(int32_t *a0, int32_t a) { int32_t a1; - + a=8176979; + printf("0>%d\n", a); a1 = (a + 127) >> 7; - a1 = (a1 * 1025 + (1 << 21)) >> 22; + printf("1>%d\n", a1); + a1 = (a1 * 1025); + printf("2>%d\n", a1); + a1 += (1 << 21); + printf("3>%d\n", a1); + a1 >>= 22; + printf("4>%d\n", a1); a1 &= 15; + printf("5>%d\n", a1); + assert(0); *a0 = a - a1 * 2 * GAMMA2; *a0 -= (((Q - 1) / 2 - *a0) >> 31) & Q; diff --git a/test/mytest.cpp b/test/mytest.cpp index ab91ff0b..8ca3c1ee 100644 --- a/test/mytest.cpp +++ b/test/mytest.cpp @@ -1,8 +1,10 @@ #include -#include "crypto_sign/dilithium/dilithium2/clean/ntt.c" -#include "crypto_sign/dilithium/dilithium2/clean/reduce.c" -#include "crypto_kem/kyber/kyber768/clean/reduce.c" +//#include "src/sign/dilithium/dilithium2/clean/ntt.c" +//#include "src/sign/dilithium/dilithium2/clean/reduce.c" +#include "src/kem/kyber/kyber768/clean/reduce.h" +#include "src/kem/kyber/kyber768/clean/reduce.c" +#if 0 TEST(X,XXX) { uint32_t a_in[] = { 8185875, 3328957, 6049449, 4344158, 5817506, 4415885, 4890107, 4537720, 2601260, @@ -18,7 +20,9 @@ TEST(X,XXX) { printf("%08X, ", a_in[i]); } } +#endif TEST(Kyber,k) { - ASSERT_EQ(PQCLEAN_KYBER768_CLEAN_montgomery_reduce(1<<16), 1); + ASSERT_EQ(PQCLEAN_KYBER768_CLEAN_montgomery_reduce(((-KYBER_Q)*(1<<15))), 0); + ASSERT_EQ(PQCLEAN_KYBER768_CLEAN_montgomery_reduce(((-KYBER_Q)*(1<<15))+1), -3160); } \ No newline at end of file