Merge pull request #9575 from SparkiDev/dilithium_16_bit_fixes

dgarske · web-flow · commit dd8d2a2d4d06 · 2026-01-07T08:24:22.000-08:00
MLDSA/Dilithium: fix 16-bit int issues
diff --git a/wolfcrypt/src/dilithium.c b/wolfcrypt/src/dilithium.c
@@ -1884,17 +1884,17 @@ static void dilithium_decode_gamma1_c(const byte* s, int bits, sword32* z)
         #endif
     #else
             z[i+0] = DILITHIUM_GAMMA1_17 -
-                     ( s[ 0]       | ((sword32)(s[ 1] << 8) |
+                     ( (sword32)s[ 0]       | (((sword32)s[ 1] << 8) |
                       (sword32)(s[ 2] & 0x03) << 16));
             z[i+1] = DILITHIUM_GAMMA1_17 -
-                     ((s[ 2] >> 2) | ((sword32)(s[ 3] << 6) |
+                     (((sword32)s[ 2] >> 2) | (((sword32)s[ 3] << 6) |
                       (sword32)(s[ 4] & 0x0f) << 14));
             z[i+2] = DILITHIUM_GAMMA1_17 -
-                     ((s[ 4] >> 4) | ((sword32)(s[ 5] << 4) |
+                     (((sword32)s[ 4] >> 4) | (((sword32)s[ 5] << 4) |
                       (sword32)(s[ 6] & 0x3f) << 12));
             z[i+3] = DILITHIUM_GAMMA1_17 -
-                     ((s[ 6] >> 6) | ((sword32)(s[ 7] << 2) |
-                      (sword32)(s[ 8]       ) << 10));
+                     (((sword32)s[ 6] >> 6) | (((sword32)s[ 7] << 2) |
+                      ((sword32)s[ 8]       ) << 10));
     #endif
             /* Move to next place to decode from. */
             s += DILITHIUM_GAMMA1_17_ENC_BITS / 2;
@@ -1948,29 +1948,29 @@ static void dilithium_decode_gamma1_c(const byte* s, int bits, sword32* z)
         #endif
     #else
             z[i+0] = (sword32)((word32)DILITHIUM_GAMMA1_17 -
-                               ( s[ 0]       | ((sword32)(s[ 1] << 8) |
-                                (sword32)(s[ 2] & 0x03) << 16)));
+                               ( (sword32)s[ 0]       | (((sword32)s[ 1] << 8) |
+                                ((sword32)s[ 2] & 0x03) << 16)));
             z[i+1] = (sword32)((word32)DILITHIUM_GAMMA1_17 -
-                               ((s[ 2] >> 2) | ((sword32)(s[ 3] << 6) |
-                                (sword32)(s[ 4] & 0x0f) << 14)));
+                               (((sword32)s[ 2] >> 2) | (((sword32)s[ 3] << 6) |
+                                ((sword32)s[ 4] & 0x0f) << 14)));
             z[i+2] = (sword32)((word32)DILITHIUM_GAMMA1_17 -
-                               ((s[ 4] >> 4) | ((sword32)(s[ 5] << 4) |
-                                (sword32)(s[ 6] & 0x3f) << 12)));
+                               (((sword32)s[ 4] >> 4) | (((sword32)s[ 5] << 4) |
+                                ((sword32)s[ 6] & 0x3f) << 12)));
             z[i+3] = (sword32)((word32)DILITHIUM_GAMMA1_17 -
-                               ((s[ 6] >> 6) | ((sword32)(s[ 7] << 2) |
-                                (sword32)(s[ 8]       ) << 10)));
+                               (((sword32)s[ 6] >> 6) | (((sword32)s[ 7] << 2) |
+                                ((sword32)s[ 8]       ) << 10)));
             z[i+4] = (sword32)((word32)DILITHIUM_GAMMA1_17 -
-                               ( s[ 9]       | ((sword32)(s[10] << 8) |
-                                (sword32)(s[11] & 0x03) << 16)));
+                               ( (sword32)s[ 9]       | (((sword32)s[10] << 8) |
+                                ((sword32)s[11] & 0x03) << 16)));
             z[i+5] = (sword32)((word32)DILITHIUM_GAMMA1_17 -
-                               ((s[11] >> 2) | ((sword32)(s[12] << 6) |
-                                (sword32)(s[13] & 0x0f) << 14)));
+                               (((sword32)s[11] >> 2) | (((sword32)s[12] << 6) |
+                                ((sword32)s[13] & 0x0f) << 14)));
             z[i+6] = (sword32)((word32)DILITHIUM_GAMMA1_17 -
-                               ((s[13] >> 4) | ((sword32)(s[14] << 4) |
-                                (sword32)(s[15] & 0x3f) << 12)));
+                               (((sword32)s[13] >> 4) | (((sword32)s[14] << 4) |
+                                ((sword32)s[15] & 0x3f) << 12)));
             z[i+7] = (sword32)((word32)DILITHIUM_GAMMA1_17 -
-                               ((s[15] >> 6) | ((sword32)(s[16] << 2) |
-                                (sword32)(s[17]       ) << 10)));
+                               (((sword32)s[15] >> 6) | (((sword32)s[16] << 2) |
+                                ((sword32)s[17]       ) << 10)));
     #endif
             /* Move to next place to decode from. */
             s += DILITHIUM_GAMMA1_17_ENC_BITS;
@@ -2005,14 +2005,18 @@ static void dilithium_decode_gamma1_c(const byte* s, int bits, sword32* z)
                                             ((sword32)s16_0    <<  4));
         #endif
     #else
-            z[i+0] = DILITHIUM_GAMMA1_19 - ( s[0]       | ((sword32)s[1] << 8) |
-                                            ((sword32)(s[2] & 0x0f) << 16));
-            z[i+1] = DILITHIUM_GAMMA1_19 - ((s[2] >> 4) | ((sword32)s[3] << 4) |
-                                            ((sword32)(s[4]       ) << 12));
-            z[i+2] = DILITHIUM_GAMMA1_19 - ( s[5]       | ((sword32)s[6] << 8) |
-                                            ((sword32)(s[7] & 0x0f) << 16));
-            z[i+3] = DILITHIUM_GAMMA1_19 - ((s[7] >> 4) | ((sword32)s[8] << 4) |
-                                            ((sword32)(s[9]       ) << 12));
+            z[i+0] = DILITHIUM_GAMMA1_19 -
+                     ( (sword32)s[0]       | ((sword32)s[1] << 8) |
+                     (((sword32)s[2] & 0x0f) << 16));
+            z[i+1] = DILITHIUM_GAMMA1_19 -
+                     (((sword32)s[2] >> 4) | ((sword32)s[3] << 4) |
+                     (((sword32)s[4]       ) << 12));
+            z[i+2] = DILITHIUM_GAMMA1_19 -
+                     ( (sword32)s[5]       | ((sword32)s[6] << 8) |
+                     (((sword32)s[7] & 0x0f) << 16));
+            z[i+3] = DILITHIUM_GAMMA1_19 -
+                     (((sword32)s[7] >> 4) | ((sword32)s[8] << 4) |
+                     (((sword32)s[9]       ) << 12));
     #endif
             /* Move to next place to decode from. */
             s += DILITHIUM_GAMMA1_19_ENC_BITS / 2;
@@ -2065,30 +2069,38 @@ static void dilithium_decode_gamma1_c(const byte* s, int bits, sword32* z)
                                             ((sword32)s16_1    <<  4));
         #endif
     #else
-            z[i+0] = DILITHIUM_GAMMA1_19 - ( s[ 0]       |
-                                            ((sword32)s[ 1] << 8) |
-                                            ((sword32)(s[ 2] & 0x0f) << 16));
-            z[i+1] = DILITHIUM_GAMMA1_19 - ((s[ 2] >> 4) |
-                                            ((sword32) s[ 3] << 4) |
-                                            ((sword32)(s[ 4]       ) << 12));
-            z[i+2] = DILITHIUM_GAMMA1_19 - ( s[ 5]       |
-                                            ((sword32) s[ 6] << 8) |
-                                            ((sword32)(s[ 7] & 0x0f) << 16));
-            z[i+3] = DILITHIUM_GAMMA1_19 - ((s[ 7] >> 4) |
-                                            ((sword32) s[ 8] << 4) |
-                                            ((sword32)(s[ 9]       ) << 12));
-            z[i+4] = DILITHIUM_GAMMA1_19 - ( s[10]       |
-                                            ((sword32) s[11] << 8) |
-                                            ((sword32)(s[12] & 0x0f) << 16));
-            z[i+5] = DILITHIUM_GAMMA1_19 - ((s[12] >> 4) |
-                                            ((sword32) s[13] << 4) |
-                                            ((sword32)(s[14]       ) << 12));
-            z[i+6] = DILITHIUM_GAMMA1_19 - ( s[15]       |
-                                            ((sword32) s[16] << 8) |
-                                            ((sword32)(s[17] & 0x0f) << 16));
-            z[i+7] = DILITHIUM_GAMMA1_19 - ((s[17] >> 4) |
-                                            ((sword32) s[18] << 4) |
-                                            ((sword32)(s[19]       ) << 12));
+            z[i+0] = DILITHIUM_GAMMA1_19 -
+                     (  (sword32)s[ 0]       |
+                      ( (sword32)s[ 1] << 8) |
+                      (((sword32)s[ 2] & 0x0f) << 16));
+            z[i+1] = DILITHIUM_GAMMA1_19 -
+                     (((sword32)s[ 2] >> 4) |
+                      ( (sword32)s[ 3] << 4) |
+                      (((sword32)s[ 4]       ) << 12));
+            z[i+2] = DILITHIUM_GAMMA1_19 -
+                     (  (sword32)s[ 5]       |
+                      ( (sword32)s[ 6] << 8) |
+                      (((sword32)s[ 7] & 0x0f) << 16));
+            z[i+3] = DILITHIUM_GAMMA1_19 -
+                     ( ((sword32)s[ 7] >> 4) |
+                      ( (sword32)s[ 8] << 4) |
+                      (((sword32)s[ 9]       ) << 12));
+            z[i+4] = DILITHIUM_GAMMA1_19 -
+                     (  (sword32)s[10]       |
+                      ( (sword32)s[11] << 8) |
+                      (((sword32)s[12] & 0x0f) << 16));
+            z[i+5] = DILITHIUM_GAMMA1_19 -
+                     ( ((sword32)s[12] >> 4) |
+                      ( (sword32)s[13] << 4) |
+                      (((sword32)s[14]       ) << 12));
+            z[i+6] = DILITHIUM_GAMMA1_19 -
+                     (  (sword32)s[15]       |
+                      ( (sword32)s[16] << 8) |
+                      (((sword32)s[17] & 0x0f) << 16));
+            z[i+7] = DILITHIUM_GAMMA1_19 -
+                     ( ((sword32)s[17] >> 4) |
+                      ( (sword32)s[18] << 4) |
+                      (((sword32)s[19]       ) << 12));
     #endif
             /* Move to next place to decode from. */
             s += DILITHIUM_GAMMA1_19_ENC_BITS;
@@ -2868,7 +2880,7 @@ static int wc_mldsa_gen_matrix_6x5_avx2(sword32* a, byte* seed)
     }
 
     for (l = 0; l < 2; l++) {
-        state[4*4 + l] = 0x1f0000 + (5 << 8) + (l + 3);
+        state[4*4 + l] = 0x1f0000 + ((word32)5 << 8) + (l + 3);
     }
 
     sha3_128_blocksx4_seed_avx2(state, seed);
@@ -5451,7 +5463,7 @@ static sword32 dilithium_mont_red(sword64 a)
  */
 static sword32 dilithium_red(sword32 a)
 {
-    sword32 t = (sword32)((a + (1 << 22)) >> 23);
+    sword32 t = (sword32)((a + ((sword32)1 << 22)) >> 23);
 #ifndef DILITHIUM_MUL_Q_SLOW
     return (sword32)(a - (t * DILITHIUM_Q));
 #else
@@ -8252,7 +8264,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
                 params->gamma1_bits, y, params->l);
         #ifdef WOLFSSL_DILITHIUM_SIGN_CHECK_Y
             valid = dilithium_vec_check_low(y, params->l,
-                (1 << params->gamma1_bits) - params->beta);
+                ((sword32)1 << params->gamma1_bits) - params->beta);
             if (valid)
         #endif
             {
@@ -8306,7 +8318,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
                         valid = dilithium_vec_check_low(w0 + i * DILITHIUM_N, 1,
                             hi);
                     }
-                    hi = (1 << params->gamma1_bits) - params->beta;
+                    hi = ((sword32)1 << params->gamma1_bits) - params->beta;
                     for (i = 0; valid && i < params->l; i++) {
                         /* Step 19: cs1 = NTT-1(c o s1) */
                         dilithium_mul(z + i * DILITHIUM_N, c,
@@ -8515,7 +8527,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
                 params->gamma1_bits, y, params->l);
         #ifdef WOLFSSL_DILITHIUM_SIGN_CHECK_Y
             valid = dilithium_vec_check_low(y, params->l,
-                (1 << params->gamma1_bits) - params->beta);
+                ((sword32)1 << params->gamma1_bits) - params->beta);
         #endif
 
         #ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
@@ -8743,7 +8755,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key,
                     dilithium_add(z, yt);
                     dilithium_poly_red(z);
                     /* Step 23: Check z has low enough values. */
-                    hi = (1 << params->gamma1_bits) - params->beta;
+                    hi = ((sword32)1 << params->gamma1_bits) - params->beta;
                     valid = dilithium_check_low(z, hi);
                     if (valid) {
                         /* Step 32: Encode z into signature.
@@ -9385,7 +9397,7 @@ static int dilithium_verify_mu(dilithium_key* key, const byte* mu,
         /* Step 2: Decode z from signature. */
         dilithium_vec_decode_gamma1(ze, params->l, params->gamma1_bits, z);
         /* Step 13: Check z is valid - values are low enough. */
-        hi = (1 << params->gamma1_bits) - params->beta;
+        hi = ((sword32)1 << params->gamma1_bits) - params->beta;
         valid = dilithium_vec_check_low(z, params->l, hi);
     }
     if ((ret == 0) && valid) {
@@ -9524,7 +9536,7 @@ static int dilithium_verify_mu(dilithium_key* key, const byte* mu,
         /* Step 2: Decode z from signature. */
         dilithium_vec_decode_gamma1(ze, params->l, params->gamma1_bits, z);
         /* Step 13: Check z is valid - values are low enough. */
-        hi = (1 << params->gamma1_bits) - params->beta;
+        hi = ((sword32)1 << params->gamma1_bits) - params->beta;
         valid = dilithium_vec_check_low(z, params->l, hi);
     }
     if ((ret == 0) && valid) {
diff --git a/wolfssl/wolfcrypt/dilithium.h b/wolfssl/wolfcrypt/dilithium.h
@@ -200,23 +200,23 @@
 /* Number of dropped bits. */
 #define DILITHIUM_D                     13
 /* Maximum value of dropped bits. */
-#define DILITHIUM_D_MAX                 (1 << DILITHIUM_D)
+#define DILITHIUM_D_MAX                 ((sword32)1 << DILITHIUM_D)
 /* Half maximum value. */
-#define DILITHIUM_D_MAX_HALF            (1 << (DILITHIUM_D - 1))
+#define DILITHIUM_D_MAX_HALF            ((sword32)1 << (DILITHIUM_D - 1))
 /* Number of undropped bits. */
 #define DILITHIUM_U                     (DILITHIUM_Q_BITS - DILITHIUM_D)
 
 /* Bits in coefficient range of y, GAMMA1, of 2^17 is 17. */
 #define DILITHIUM_GAMMA1_BITS_17        17
 /* Coefficient range of y, GAMMA1, of 2^17. */
-#define DILITHIUM_GAMMA1_17             (1 << 17)
+#define DILITHIUM_GAMMA1_17             ((sword32)1 << 17)
 /* # encoding bits of y is GAMMA1 + 1. */
 #define DILITHIUM_GAMMA1_17_ENC_BITS    18
 /* Coefficient range of y, GAMMA1, of 2^17. */
 /* Bits in coefficient range of y, GAMMA1, of 2^19 is 19. */
 #define DILITHIUM_GAMMA1_BITS_19        19
 /* Coefficient range of y, GAMMA1, of 2^19. */
-#define DILITHIUM_GAMMA1_19             (1 << 19)
+#define DILITHIUM_GAMMA1_19             ((sword32)1 << 19)
 /* # encoding bits of y is GAMMA1 + 1. */
 #define DILITHIUM_GAMMA1_19_ENC_BITS    20
 
@@ -265,13 +265,14 @@
 #define PARAMS_ML_DSA_44_TAU            39
 /* BETA = TAU * ETA for ML-DSA-44. */
 #define PARAMS_ML_DSA_44_BETA           \
-    (PARAMS_ML_DSA_44_TAU * PARAMS_ML_DSA_44_ETA)
+(PARAMS_ML_DSA_44_TAU * PARAMS_ML_DSA_44_ETA)
 /* Max # 1's in the hint h, OMEGA, for ML-DSA-44. */
 #define PARAMS_ML_DSA_44_OMEGA          80
 /* Bits in coefficient range of y, GAMMA1, for ML-DSA-44. */
 #define PARAMS_ML_DSA_44_GAMMA1_BITS    DILITHIUM_GAMMA1_BITS_17
 /* Ccoefficient range of y, GAMMA1, for ML-DSA-44. */
-#define PARAMS_ML_DSA_44_GAMMA1         (1 << PARAMS_ML_DSA_44_GAMMA1_BITS)
+#define PARAMS_ML_DSA_44_GAMMA1         \
+    ((sword32)1 << PARAMS_ML_DSA_44_GAMMA1_BITS)
 /* Low-order rounding range, GAMMA2, for ML-DSA-44. */
 #define PARAMS_ML_DSA_44_GAMMA2         DILITHIUM_Q_LOW_88
 /* Bits in high-order rounding range, GAMMA2, for ML-DSA-44. */
@@ -331,8 +332,9 @@
 #define PARAMS_ML_DSA_65_OMEGA          55
 /* Bits in coefficient range of y, GAMMA1, for ML-DSA-65. */
 #define PARAMS_ML_DSA_65_GAMMA1_BITS    DILITHIUM_GAMMA1_BITS_19
-/* Ccoefficient range of y, GAMMA1, for ML-DSA-65. */
-#define PARAMS_ML_DSA_65_GAMMA1         (1 << PARAMS_ML_DSA_65_GAMMA1_BITS)
+/* Coefficient range of y, GAMMA1, for ML-DSA-65. */
+#define PARAMS_ML_DSA_65_GAMMA1         \
+    ((sword32)1 << PARAMS_ML_DSA_65_GAMMA1_BITS)
 /* Low-order rounding range, GAMMA2, for ML-DSA-65. */
 #define PARAMS_ML_DSA_65_GAMMA2         DILITHIUM_Q_LOW_32
 /* Bits in high-order rounding range, GAMMA2, for ML-DSA-65. */
@@ -393,7 +395,8 @@
 /* Bits in coefficient range of y, GAMMA1, for ML-DSA-87. */
 #define PARAMS_ML_DSA_87_GAMMA1_BITS    DILITHIUM_GAMMA1_BITS_19
 /* Ccoefficient range of y, GAMMA1, for ML-DSA-87. */
-#define PARAMS_ML_DSA_87_GAMMA1         (1 << PARAMS_ML_DSA_87_GAMMA1_BITS)
+#define PARAMS_ML_DSA_87_GAMMA1         \
+    ((sword32)1 << PARAMS_ML_DSA_87_GAMMA1_BITS)
 /* Low-order rounding range, GAMMA2, for ML-DSA-87. */
 #define PARAMS_ML_DSA_87_GAMMA2         DILITHIUM_Q_LOW_32
 /* Bits in high-order rounding range, GAMMA2, for ML-DSA-87. */
