Dilithium code refactor to add fqmul as a separate function(#1748)

This PR addresses the multiplication and Montgomery reduction functionality within Dilithium. This refactor makes it simpler to re-implement the multiplication on targets where non-constant time behaviour is known, and has consistency with the code organisation of Kyber.
aws · Aug 7, 2024 · bf1556b · bf1556b
1 parent 5fd0f08
commit bf1556b
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 12 deletions.
diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/ntt.c
@@ -55,7 +55,7 @@ void ntt(int32_t a[N]) {
     for(start = 0; start < N; start = j + len) {
       zeta = zetas[++k];
       for(j = start; j < start + len; ++j) {
-        t = montgomery_reduce((int64_t)zeta * a[j + len]);
+        t = fqmul(zeta, a[j + len]);
         a[j + len] = a[j] - t;
         a[j] = a[j] + t;
       }
@@ -87,12 +87,12 @@ void invntt_tomont(int32_t a[N]) {
         t = a[j];
         a[j] = t + a[j + len];
         a[j + len] = t - a[j + len];
-        a[j + len] = montgomery_reduce((int64_t)zeta * a[j + len]);
+        a[j + len] = fqmul(zeta, a[j + len]);
       }
     }
   }
 
   for(j = 0; j < N; ++j) {
-    a[j] = montgomery_reduce((int64_t)f * a[j]);
+    a[j] = fqmul(f, a[j]);
   }
 }
diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c
@@ -160,7 +160,7 @@ void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
   DBENCH_START();
 
   for(i = 0; i < N; ++i)
-    c->coeffs[i] = montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]);
+    c->coeffs[i] = fqmul(a->coeffs[i], b->coeffs[i]);
 
   DBENCH_STOP(*tmul);
 }

diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.c
@@ -3,20 +3,24 @@
 #include "reduce.h"
 
 /*************************************************
-* Name:        montgomery_reduce
+* Name:        fqmul
 *
-* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
+* Description: Multiplication followed by Montgomery reduction
+*              For finite field element a with -2^{31}Q <= a <= Q*2^31,
 *              compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
 *
-* Arguments:   - int64_t: finite field element a
+* Arguments:   - int32_t a: first factor
+*              - int32_t b: second factor
 *
 * Returns r.
 **************************************************/
-int32_t montgomery_reduce(int64_t a) {
+int64_t fqmul(int32_t a, int32_t b) {
+  int64_t s;
   int32_t t;
 
-  t = (int64_t)(int32_t)a*QINV;
-  t = (a - (int64_t)t*Q) >> 32;
+  s = (int64_t)a*b;
+  t = (int64_t)(int32_t)s*QINV;
+  t = (s - (int64_t)t*Q) >> 32;
   return t;
 }
 

diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h b/crypto/dilithium/pqcrystals_dilithium_ref_common/reduce.h
@@ -7,8 +7,8 @@
 #define MONT -4186625 // 2^32 % Q
 #define QINV 58728449 // q^(-1) mod 2^32
 
-#define montgomery_reduce DILITHIUM_NAMESPACE(montgomery_reduce)
-int32_t montgomery_reduce(int64_t a);
+#define fqmul DILITHIUM_NAMESPACE(fqmul)
+int64_t fqmul(int32_t a, int32_t b);
 
 #define reduce32 DILITHIUM_NAMESPACE(reduce32)
 int32_t reduce32(int32_t a);