mirror of
https://github.com/henrydcase/pqc.git
synced 2024-11-30 11:21:25 +00:00
de5cda4d7b
https://github.com/mupq/pqm4/issues/132 repoorted that the NewHope verify function does not actually return 0 or 1, but 0 or -1, which consequenctly breaks the cmov in the FO transform. This bug was introduced when I integrated this into PQClean.
27 lines
829 B
C
27 lines
829 B
C
#include "reduce.h"
|
|
#include "params.h"
|
|
|
|
static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
|
|
static const uint32_t rlog = 18;
|
|
|
|
/*************************************************
|
|
* Name: montgomery_reduce
|
|
*
|
|
* Description: Montgomery reduction; given a 32-bit integer a, computes
|
|
* 16-bit integer congruent to a * R^-1 mod q,
|
|
* where R=2^18 (see value of rlog)
|
|
*
|
|
* Arguments: - uint32_t a: input unsigned integer to be reduced; has to be in {0,...,1073491968}
|
|
*
|
|
* Returns: unsigned integer in {0,...,2^14-1} congruent to a * R^-1 modulo q.
|
|
**************************************************/
|
|
uint16_t PQCLEAN_NEWHOPE1024CCA_CLEAN_montgomery_reduce(uint32_t a) {
|
|
uint32_t u;
|
|
|
|
u = (a * qinv);
|
|
u &= ((1 << rlog) - 1);
|
|
u *= NEWHOPE_Q;
|
|
a = a + u;
|
|
return a >> 18;
|
|
}
|