ML-DSA: Add reduction step

smuellerDD · smuellerDD · commit 594164d19d09 · 2025-11-16T11:17:58.000+01:00
If the invntt implementation cannot guarantee to provide small enough results, a reduction step is needed. For now, C, AVX2 and ARMv8 invntt implementations provide the guarantee of small integers. The other implementations need to be analyzed. The change is obtained from https://github.com/pq-code-package/mldsa-native Reported-by: Hanno Becker <beckphan@amazon.co.uk> Signed-off-by: Stephan Mueller <smueller@chronox.de>
diff --git a/ml-dsa/src/armv8/dilithium_signature_armv8.c b/ml-dsa/src/armv8/dilithium_signature_armv8.c
@@ -25,6 +25,9 @@
 /* We need twice the buffer size as we have a 2 lane SHAKE SIMD implemenation */
 #define LC_POLY_UNIFOR_BUF_SIZE_MULTIPLIER 2
 
+/* The C implementation of invntt produces small enough integers */
+#define LC_DILITHIUM_INVNTT_SMALL
+
 #include "dilithium_poly.h"
 #include "dilithium_poly_common.h"
 #include "dilithium_poly_armv8.h"
diff --git a/ml-dsa/src/dilithium_signature_c.c b/ml-dsa/src/dilithium_signature_c.c
@@ -31,6 +31,9 @@
 /* We need once the buffer size to handle the hashing */
 #define LC_POLY_UNIFOR_BUF_SIZE_MULTIPLIER 1
 
+/* The C implementation of invntt produces small enough integers */
+#define LC_DILITHIUM_INVNTT_SMALL
+
 #include "dilithium_poly.h"
 #include "dilithium_poly_common.h"
 #include "dilithium_poly_c.h"
diff --git a/ml-dsa/src/dilithium_signature_impl.h b/ml-dsa/src/dilithium_signature_impl.h
@@ -190,6 +190,21 @@ static int lc_dilithium_keypair_impl(struct lc_dilithium_pk *pk,
 	dilithium_print_polyveck(&ws->t1,
 				 "Keygen - T K x N matrix after add S2:");
 
+	/*
+	 * Reference: The following reduction is not present in the reference
+	 * implementation. Omitting this reduction requires the output of
+	 * the invntt to be small enough such that the addition of s2 does
+	 * not result in absolute values >= LC_DILITHIUM_Q. While the C, x86_64,
+	 * and AArch64 invntt implementations produce small enough
+	 * values for this to work out, it complicates the bounds
+	 * reasoning. Therefore, add an additional reduction, allowing to
+	 * relax the bounds requirements for the invntt, especially when adding
+	 * new invntt assembler implementations.
+	 */
+#ifndef LC_DILITHIUM_INVNTT_SMALL
+	polyveck_reduce(&ws->t1);
+#endif
+
 	/* Extract t1 and write public key */
 	polyveck_caddq(&ws->t1);
 	dilithium_print_polyveck(&ws->t1, "Keygen - T K x N matrix caddq:");
