b5dab8de93
Oussama Danba caught a bug in how we were handing a test related to
ciphertext encoding. Not a security issue as far as we can tell, but
certainly not the correct behavior.
More detail here: e0ab9525f1
This commit also switches ntruhrss701/avx2/poly_S3_inv to the
Bernstein--Yang code, also slightly simplifies the poly_Rq_to_S3
routine.
54 lines
1.5 KiB
C
54 lines
1.5 KiB
C
#include "poly.h"
|
|
|
|
static uint16_t mod3(uint16_t a) {
|
|
uint16_t r;
|
|
int16_t t, c;
|
|
|
|
r = (a >> 8) + (a & 0xff); // r mod 255 == a mod 255
|
|
r = (r >> 4) + (r & 0xf); // r' mod 15 == r mod 15
|
|
r = (r >> 2) + (r & 0x3); // r' mod 3 == r mod 3
|
|
r = (r >> 2) + (r & 0x3); // r' mod 3 == r mod 3
|
|
|
|
t = r - 3;
|
|
c = t >> 15;
|
|
|
|
return (c & r) ^ (~c & t);
|
|
}
|
|
|
|
void PQCLEAN_NTRUHRSS701_CLEAN_poly_mod_3_Phi_n(poly *r) {
|
|
int i;
|
|
for (i = 0; i < NTRU_N; i++) {
|
|
r->coeffs[i] = mod3(r->coeffs[i] + 2 * r->coeffs[NTRU_N - 1]);
|
|
}
|
|
}
|
|
|
|
void PQCLEAN_NTRUHRSS701_CLEAN_poly_mod_q_Phi_n(poly *r) {
|
|
int i;
|
|
for (i = 0; i < NTRU_N; i++) {
|
|
r->coeffs[i] = r->coeffs[i] - r->coeffs[NTRU_N - 1];
|
|
}
|
|
}
|
|
|
|
void PQCLEAN_NTRUHRSS701_CLEAN_poly_Rq_to_S3(poly *r, const poly *a) {
|
|
int i;
|
|
uint16_t flag;
|
|
|
|
/* The coefficients of a are stored as non-negative integers. */
|
|
/* We must translate to representatives in [-q/2, q/2) before */
|
|
/* reduction mod 3. */
|
|
for (i = 0; i < NTRU_N; i++) {
|
|
/* Need an explicit reduction mod q here */
|
|
r->coeffs[i] = MODQ(a->coeffs[i]);
|
|
|
|
/* flag = 1 if r[i] >= q/2 else 0 */
|
|
flag = r->coeffs[i] >> (NTRU_LOGQ - 1);
|
|
|
|
/* Now we will add (-q) mod 3 if r[i] >= q/2 */
|
|
/* Note (-q) mod 3=(-2^k) mod 3=1<<(1-(k&1)) */
|
|
r->coeffs[i] += flag << (1 - (NTRU_LOGQ & 1));
|
|
}
|
|
|
|
PQCLEAN_NTRUHRSS701_CLEAN_poly_mod_3_Phi_n(r);
|
|
}
|
|
|