@@ -319,24 +319,25 @@ __contract__(
319319 uint8_t challenge_bytes [MLDSA_CTILDEBYTES ];
320320 unsigned int n ;
321321 mld_polyvecl y , z ;
322- mld_polyveck w2 , w1 , w0 , h ;
322+ mld_polyveck w , w1 , w0 , h ;
323323 mld_poly cp ;
324324 uint32_t z_invalid , w0_invalid , h_invalid ;
325+ int res ;
325326
326327 /* Sample intermediate vector y */
327328 mld_polyvecl_uniform_gamma1 (& y , rhoprime , nonce );
328329
329330 /* Matrix-vector multiplication */
330331 z = y ;
331332 mld_polyvecl_ntt (& z );
332- mld_polyvec_matrix_pointwise_montgomery (& w1 , mat , & z );
333- mld_polyveck_reduce (& w1 );
334- mld_polyveck_invntt_tomont (& w1 );
333+ mld_polyvec_matrix_pointwise_montgomery (& w , mat , & z );
334+ mld_polyveck_reduce (& w );
335+ mld_polyveck_invntt_tomont (& w );
335336
336337 /* Decompose w and call the random oracle */
337- mld_polyveck_caddq (& w1 );
338- mld_polyveck_decompose (& w2 , & w0 , & w1 );
339- mld_polyveck_pack_w1 (sig , & w2 );
338+ mld_polyveck_caddq (& w );
339+ mld_polyveck_decompose (& w1 , & w0 , & w );
340+ mld_polyveck_pack_w1 (sig , & w1 );
340341
341342 mld_H (challenge_bytes , MLDSA_CTILDEBYTES , mu , MLDSA_CRHBYTES , sig ,
342343 MLDSA_K * MLDSA_POLYW1_PACKEDBYTES , NULL , 0 );
@@ -363,16 +364,8 @@ __contract__(
363364 MLD_CT_TESTING_DECLASSIFY (& z_invalid , sizeof (uint32_t ));
364365 if (z_invalid )
365366 {
366- /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
367- mld_zeroize (challenge_bytes , MLDSA_CTILDEBYTES );
368- mld_zeroize (& y , sizeof (y ));
369- mld_zeroize (& z , sizeof (z ));
370- mld_zeroize (& w2 , sizeof (w2 ));
371- mld_zeroize (& w1 , sizeof (w1 ));
372- mld_zeroize (& w0 , sizeof (w0 ));
373- mld_zeroize (& h , sizeof (h ));
374- mld_zeroize (& cp , sizeof (cp ));
375- return -1 ; /* reject */
367+ res = -1 ; /* reject */
368+ goto cleanup ;
376369 }
377370
378371 /* If z is valid, then its coefficients are bounded by */
@@ -394,16 +387,8 @@ __contract__(
394387 MLD_CT_TESTING_DECLASSIFY (& w0_invalid , sizeof (uint32_t ));
395388 if (w0_invalid )
396389 {
397- /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
398- mld_zeroize (challenge_bytes , sizeof (challenge_bytes ));
399- mld_zeroize (& y , sizeof (y ));
400- mld_zeroize (& z , sizeof (z ));
401- mld_zeroize (& w2 , sizeof (w2 ));
402- mld_zeroize (& w1 , sizeof (w1 ));
403- mld_zeroize (& w0 , sizeof (w0 ));
404- mld_zeroize (& h , sizeof (h ));
405- mld_zeroize (& cp , sizeof (cp ));
406- return -1 ; /* reject */
390+ res = -1 ; /* reject */
391+ goto cleanup ;
407392 }
408393
409394 /* Compute hints for w1 */
@@ -416,16 +401,8 @@ __contract__(
416401 MLD_CT_TESTING_DECLASSIFY (& h_invalid , sizeof (uint32_t ));
417402 if (h_invalid )
418403 {
419- /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
420- mld_zeroize (challenge_bytes , MLDSA_CTILDEBYTES );
421- mld_zeroize (& y , sizeof (y ));
422- mld_zeroize (& z , sizeof (z ));
423- mld_zeroize (& w2 , sizeof (w2 ));
424- mld_zeroize (& w1 , sizeof (w1 ));
425- mld_zeroize (& w0 , sizeof (w0 ));
426- mld_zeroize (& h , sizeof (h ));
427- mld_zeroize (& cp , sizeof (cp ));
428- return -1 ; /* reject */
404+ res = -1 ; /* reject */
405+ goto cleanup ;
429406 }
430407
431408 mld_polyveck_add (& w0 , & h );
@@ -439,20 +416,12 @@ __contract__(
439416 * For a more detailed discussion, refer to https://eprint.iacr.org/2022/1406.
440417 */
441418 MLD_CT_TESTING_DECLASSIFY (& w0 , sizeof (w0 ));
442- MLD_CT_TESTING_DECLASSIFY (& w2 , sizeof (w2 ));
443- n = mld_polyveck_make_hint (& h , & w0 , & w2 );
419+ MLD_CT_TESTING_DECLASSIFY (& w1 , sizeof (w1 ));
420+ n = mld_polyveck_make_hint (& h , & w0 , & w1 );
444421 if (n > MLDSA_OMEGA )
445422 {
446- /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
447- mld_zeroize (challenge_bytes , MLDSA_CTILDEBYTES );
448- mld_zeroize (& y , sizeof (y ));
449- mld_zeroize (& z , sizeof (z ));
450- mld_zeroize (& w2 , sizeof (w2 ));
451- mld_zeroize (& w1 , sizeof (w1 ));
452- mld_zeroize (& w0 , sizeof (w0 ));
453- mld_zeroize (& h , sizeof (h ));
454- mld_zeroize (& cp , sizeof (cp ));
455- return -1 ; /* reject */
423+ res = -1 ; /* reject */
424+ goto cleanup ;
456425 }
457426
458427 /* All is well - write signature */
@@ -462,17 +431,20 @@ __contract__(
462431 MLD_CT_TESTING_DECLASSIFY (& z , sizeof (z ));
463432 mld_pack_sig (sig , challenge_bytes , & z , & h , n );
464433
434+ res = 0 ; /* success */
435+
436+ cleanup :
465437 /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
466438 mld_zeroize (challenge_bytes , MLDSA_CTILDEBYTES );
467439 mld_zeroize (& y , sizeof (y ));
468440 mld_zeroize (& z , sizeof (z ));
469- mld_zeroize (& w2 , sizeof (w2 ));
441+ mld_zeroize (& w , sizeof (w ));
470442 mld_zeroize (& w1 , sizeof (w1 ));
471443 mld_zeroize (& w0 , sizeof (w0 ));
472444 mld_zeroize (& h , sizeof (h ));
473445 mld_zeroize (& cp , sizeof (cp ));
474446
475- return 0 ; /* success */
447+ return res ;
476448}
477449MLD_MUST_CHECK_RETURN_VALUE
478450int crypto_sign_signature_internal (uint8_t * sig , size_t * siglen ,
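Review bot: `int res ;` (new line 325) is declared without an initializer, so the value returned after `cleanup:` is defined only because each of the four reject branches and the success path assigns it first. Initializing it fail-closed, `int res = -1;`, would keep a later-added `goto cleanup` that forgets the assignment from returning an indeterminate value for a signing attempt that should be rejected. A short comment above the label would also help, e.g. `/* Single exit: every path after y is sampled must leave through cleanup so the intermediates are zeroized. */`. The function's signature and contract start above the first hunk, so this is based on the visible body only.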