ML-KEM: simplify mod Q calculation

smuellerDD · smuellerDD · commit 9521ff7173a8 · 2025-03-16T11:27:36.000+01:00
Use poly_reduce to perform reduction and modulo Q

Signed-off-by: Stephan Mueller &lt;smueller@chronox.de&gt;
diff --git a/ml-kem/src/armv8/kyber_poly_armv8.h b/ml-kem/src/armv8/kyber_poly_armv8.h
@@ -182,13 +182,10 @@ static inline void poly_tobytes(uint8_t r[LC_KYBER_POLYBYTES], const poly *a)
  */
 static inline void poly_frombytes(poly *r, const uint8_t a[LC_KYBER_POLYBYTES])
 {
-	unsigned int i;
-
 	kyber_poly_frombytes_armv8(r, a);
 
-	//TODO move it to assembler code?
-	for (i = 0; i < LC_KYBER_N; i++)
-		r->coeffs[i] %= LC_KYBER_Q;
+	/* Reduce to ensure loaded data is within interval [0, q - 1] */
+	poly_reduce(r);
 }
 
 /**
diff --git a/ml-kem/src/armv8/kyber_poly_armv8_asm.S b/ml-kem/src/armv8/kyber_poly_armv8_asm.S
@@ -40,29 +40,13 @@
 	zip2  v\f\().16b, v\a\().16b, v\b\().16b
 	zip1  v\e\().16b, v\b\().16b, v\c\().16b	// r[2i+1] = c|b
 	zip2  v\g\().16b, v\b\().16b, v\c\().16b
-	ushr  v\e\().8h, v\e\().8h, #4		// r[2i+1]c|b >> 4
+	ushr  v\e\().8h, v\e\().8h, #4			// r[2i+1]c|b >> 4
 	ushr  v\g\().8h, v\g\().8h, #4
 
-	and  v\d\().16b, v\d\().16b, v0.16b	// & FFF
+	and  v\d\().16b, v\d\().16b, v0.16b		// & FFF
 	and  v\e\().16b, v\e\().16b, v0.16b
 	and  v\f\().16b, v\f\().16b, v0.16b
 	and  v\g\().16b, v\g\().16b, v0.16b
-
-	//and  v\c\().16b, v\d\().16b, v0.16b		// & FFF
-	//udiv v\d\().16b, v\c\().16b, #3329		// division by 3329
-	//mls  v\d\().16b, v\d\().16b, #3329, v\c\().16b	// udiv and mls form modulo operation
-
-	//and  v\c\().16b, v\e\().16b, v0.16b
-	//udiv v\e\().16b, v\c\().16b, #3329
-	//mls  v\e\().16b, v\e\().16b, #3329, v\c\().16b
-
-	//and  v\c\().16b, v\f\().16b, v0.16b
-	//udiv v\f\().16b, v\c\().16b, #3329
-	//mls  v\f\().16b, v\f\().16b, #3329, v\c\().16b
-
-	//and  v\c\().16b, v\g\().16b, v0.16b
-	//udiv v\g\().16b, v\c\().16b, #3329
-	//mls  v\g\().16b, v\g\().16b, #3329, v\c\().16b
 .endm
 
 SYM_FUNC_START(kyber_poly_tobytes_armv8)
diff --git a/ml-kem/src/common/kyber_poly_frombytes.h b/ml-kem/src/common/kyber_poly_frombytes.h
@@ -39,12 +39,13 @@ static inline void poly_frombytes(poly *r, const uint8_t a[LC_KYBER_POLYBYTES])
 		r->coeffs[2 * i] =
 			((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) &
 			0xFFF;
-		r->coeffs[2 * i] %= LC_KYBER_Q;
 		r->coeffs[2 * i + 1] =
 			((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) &
 			0xFFF;
-		r->coeffs[2 * i + 1] %= LC_KYBER_Q;
 	}
+
+	/* Reduce to ensure loaded data is within interval [0, q - 1] */
+	poly_reduce(r);
 }
 
 #ifdef __cplusplus
diff --git a/ml-kem/src/riscv64/kyber_poly_rvv.h b/ml-kem/src/riscv64/kyber_poly_rvv.h
@@ -101,14 +101,16 @@ static inline void poly_frombytes(poly *r, const uint8_t a[LC_KYBER_POLYBYTES])
 		r->coeffs[2 * i] =
 			((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) &
 			0xFFF;
-		r->coeffs[2 * i] %= LC_KYBER_Q;
 		r->coeffs[2 * i + 1] =
 			((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) &
 			0xFFF;
-		r->coeffs[2 * i + 1] %= LC_KYBER_Q;
 	}
 
 	LC_VECTOR_ENABLE;
+
+	/* Reduce to ensure loaded data is within interval [0, q - 1] */
+	LC_KYBER_RVV_TYPE(kyber_poly_reduce_rvv)(r->coeffs);
+
 	LC_KYBER_RVV_TYPE(kyber_normal2ntt_order_rvv)(
 		r->coeffs, LC_KYBER_RVV_TYPE(kyber_qdata_rvv));
 	LC_VECTOR_DISABLE;

Original file line number	Diff line number	Diff line change
`@@ -182,13 +182,10 @@ static inline void poly_tobytes(uint8_t r[LC_KYBER_POLYBYTES], const poly *a)`
`182`	`182`	`*/`
`183`	`183`	`static inline void poly_frombytes(poly *r, const uint8_t a[LC_KYBER_POLYBYTES])`
`184`	`184`	`{`
`185`		`- unsigned int i;`
`186`		`-`
`187`	`185`	`kyber_poly_frombytes_armv8(r, a);`
`188`	`186`
`189`		`- //TODO move it to assembler code?`
`190`		`- for (i = 0; i < LC_KYBER_N; i++)`
`191`		`- r->coeffs[i] %= LC_KYBER_Q;`
	`187`	`+ /* Reduce to ensure loaded data is within interval [0, q - 1] */`
	`188`	`+ poly_reduce(r);`
`192`	`189`	`}`
`193`	`190`
`194`	`191`	`/**`