/src/openssl/crypto/ml_dsa/ml_dsa_poly.h

Source (jump to first uncovered line)
/*
 * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
#include <openssl/crypto.h>

#define ML_DSA_NUM_POLY_COEFFICIENTS 256

/* Polynomial object with 256 coefficients. The coefficients are unsigned 32 bits */
struct poly_st {
    uint32_t coeff[ML_DSA_NUM_POLY_COEFFICIENTS];
};

static ossl_inline ossl_unused void
poly_zero(POLY *p)
{
    memset(p->coeff, 0, sizeof(*p));
}

/**
 * @brief Polynomial addition.
 *
 * @param lhs A polynomial with coefficients in the range (0..q-1)
 * @param rhs A polynomial with coefficients in the range (0..q-1) to add
 *            to the 'lhs'.
 * @param out The returned addition result with the coefficients all in the
 *            range 0..q-1
 */
static ossl_inline ossl_unused void
poly_add(const POLY *lhs, const POLY *rhs, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = reduce_once(lhs->coeff[i] + rhs->coeff[i]);
}

/**
 * @brief Polynomial subtraction.
 *
 * @param lhs A polynomial with coefficients in the range (0..q-1)
 * @param rhs A polynomial with coefficients in the range (0..q-1) to subtract
 *            from the 'lhs'.
 * @param out The returned subtraction result with the coefficients all in the
 *            range 0..q-1
 */
static ossl_inline ossl_unused void
poly_sub(const POLY *lhs, const POLY *rhs, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = mod_sub(lhs->coeff[i], rhs->coeff[i]);
}

/* @returns 1 if the polynomials are equal, or 0 otherwise */
static ossl_inline ossl_unused int
poly_equal(const POLY *a, const POLY *b)
{
    return CRYPTO_memcmp(a, b, sizeof(*a)) == 0;
}

static ossl_inline ossl_unused void
poly_ntt(POLY *p)
{
    ossl_ml_dsa_poly_ntt(p);
}

static ossl_inline ossl_unused int
poly_sample_in_ball_ntt(POLY *out, const uint8_t *seed, int seed_len,
                        EVP_MD_CTX *h_ctx, const EVP_MD *md, uint32_t tau)
{
    if (!ossl_ml_dsa_poly_sample_in_ball(out, seed, seed_len, h_ctx, md, tau))
        return 0;
    poly_ntt(out);
    return 1;
}

static ossl_inline ossl_unused int
poly_expand_mask(POLY *out, const uint8_t *seed, size_t seed_len,
                 uint32_t gamma1, EVP_MD_CTX *h_ctx, const EVP_MD *md)
{
    return ossl_ml_dsa_poly_expand_mask(out, seed, seed_len, gamma1, h_ctx, md);
}

/**
 * @brief Decompose the coefficients of a polynomial into (r1, r0) such that
 * coeff[i] == t1[i] * 2^13 + t0[i] mod q
 * See FIPS 204, Algorithm 35, Power2Round()
 *
 * @param t A polynomial containing coefficients in the range 0..q-1
 * @param t1 The returned polynomial containing coefficients that represent
 *           the top 10 MSB of each coefficient in t (i.e each ranging from 0..1023)
 * @param t0 The remainder coefficients of t in the range (0..4096 or q-4095..q-1)
 *           Each t0 coefficient has an effective range of 8192 (i.e. 13 bits).
 */
static ossl_inline ossl_unused void
poly_power2_round(const POLY *t, POLY *t1, POLY *t0)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        ossl_ml_dsa_key_compress_power2_round(t->coeff[i],
                                              t1->coeff + i, t0->coeff + i);
}

static ossl_inline ossl_unused void
poly_scale_power2_round(POLY *in, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = (in->coeff[i] << ML_DSA_D_BITS);
}

static ossl_inline ossl_unused void
poly_high_bits(const POLY *in, uint32_t gamma2, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = ossl_ml_dsa_key_compress_high_bits(in->coeff[i], gamma2);
}

static ossl_inline ossl_unused void
poly_low_bits(const POLY *in, uint32_t gamma2, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = ossl_ml_dsa_key_compress_low_bits(in->coeff[i], gamma2);
}

static ossl_inline ossl_unused void
poly_make_hint(const POLY *ct0, const POLY *cs2, const POLY *w, uint32_t gamma2,
               POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = ossl_ml_dsa_key_compress_make_hint(ct0->coeff[i],
                                                           cs2->coeff[i],
                                                           gamma2, w->coeff[i]);
}

static ossl_inline ossl_unused void
poly_use_hint(const POLY *h, const POLY *r, uint32_t gamma2, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = ossl_ml_dsa_key_compress_use_hint(h->coeff[i],
                                                          r->coeff[i], gamma2);
}

static ossl_inline ossl_unused void
poly_max(const POLY *p, uint32_t *mx)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++) {
        uint32_t c = p->coeff[i];
        uint32_t abs = abs_mod_prime(c);

        *mx = maximum(*mx, abs);
    }
}

static ossl_inline ossl_unused void
poly_max_signed(const POLY *p, uint32_t *mx)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++) {
        uint32_t c = p->coeff[i];
        uint32_t abs = abs_signed(c);

        *mx = maximum(*mx, abs);
    }
}

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9		#include <openssl/crypto.h>
10
11	0	#define ML_DSA_NUM_POLY_COEFFICIENTS 256
12
13		/* Polynomial object with 256 coefficients. The coefficients are unsigned 32 bits */
14		struct poly_st {
15		uint32_t coeff[ML_DSA_NUM_POLY_COEFFICIENTS];
16		};
17
18		static ossl_inline ossl_unused void
19		poly_zero(POLY *p)
20	0	{
21	0	memset(p->coeff, 0, sizeof(*p));
22	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_zero Unexecuted instantiation: ml_dsa_key.c:poly_zero Unexecuted instantiation: ml_dsa_matrix.c:poly_zero Unexecuted instantiation: ml_dsa_ntt.c:poly_zero Unexecuted instantiation: ml_dsa_sample.c:poly_zero Unexecuted instantiation: ml_dsa_sign.c:poly_zero
23
24		/**
25		* @brief Polynomial addition.
26		*
27		* @param lhs A polynomial with coefficients in the range (0..q-1)
28		* @param rhs A polynomial with coefficients in the range (0..q-1) to add
29		* to the 'lhs'.
30		* @param out The returned addition result with the coefficients all in the
31		* range 0..q-1
32		*/
33		static ossl_inline ossl_unused void
34		poly_add(const POLY lhs, const POLY rhs, POLY *out)
35	0	{
36	0	int i;
37
38	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
39	0	out->coeff[i] = reduce_once(lhs->coeff[i] + rhs->coeff[i]);
40	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_add Unexecuted instantiation: ml_dsa_key.c:poly_add Unexecuted instantiation: ml_dsa_matrix.c:poly_add Unexecuted instantiation: ml_dsa_ntt.c:poly_add Unexecuted instantiation: ml_dsa_sample.c:poly_add Unexecuted instantiation: ml_dsa_sign.c:poly_add
41
42		/**
43		* @brief Polynomial subtraction.
44		*
45		* @param lhs A polynomial with coefficients in the range (0..q-1)
46		* @param rhs A polynomial with coefficients in the range (0..q-1) to subtract
47		* from the 'lhs'.
48		* @param out The returned subtraction result with the coefficients all in the
49		* range 0..q-1
50		*/
51		static ossl_inline ossl_unused void
52		poly_sub(const POLY lhs, const POLY rhs, POLY *out)
53	0	{
54	0	int i;
55
56	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
57	0	out->coeff[i] = mod_sub(lhs->coeff[i], rhs->coeff[i]);
58	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_sub Unexecuted instantiation: ml_dsa_key.c:poly_sub Unexecuted instantiation: ml_dsa_matrix.c:poly_sub Unexecuted instantiation: ml_dsa_ntt.c:poly_sub Unexecuted instantiation: ml_dsa_sample.c:poly_sub Unexecuted instantiation: ml_dsa_sign.c:poly_sub
59
60		/* @returns 1 if the polynomials are equal, or 0 otherwise */
61		static ossl_inline ossl_unused int
62		poly_equal(const POLY a, const POLY b)
63	0	{
64	0	return CRYPTO_memcmp(a, b, sizeof(*a)) == 0;
65	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_equal Unexecuted instantiation: ml_dsa_key.c:poly_equal Unexecuted instantiation: ml_dsa_matrix.c:poly_equal Unexecuted instantiation: ml_dsa_ntt.c:poly_equal Unexecuted instantiation: ml_dsa_sample.c:poly_equal Unexecuted instantiation: ml_dsa_sign.c:poly_equal
66
67		static ossl_inline ossl_unused void
68		poly_ntt(POLY *p)
69	0	{
70	0	ossl_ml_dsa_poly_ntt(p);
71	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_ntt Unexecuted instantiation: ml_dsa_key.c:poly_ntt Unexecuted instantiation: ml_dsa_matrix.c:poly_ntt Unexecuted instantiation: ml_dsa_ntt.c:poly_ntt Unexecuted instantiation: ml_dsa_sample.c:poly_ntt Unexecuted instantiation: ml_dsa_sign.c:poly_ntt
72
73		static ossl_inline ossl_unused int
74		poly_sample_in_ball_ntt(POLY out, const uint8_t seed, int seed_len,
75		EVP_MD_CTX h_ctx, const EVP_MD md, uint32_t tau)
76	0	{
77	0	if (!ossl_ml_dsa_poly_sample_in_ball(out, seed, seed_len, h_ctx, md, tau))
78	0	return 0;
79	0	poly_ntt(out);
80	0	return 1;
81	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_key.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_matrix.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_ntt.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_sample.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_sign.c:poly_sample_in_ball_ntt
82
83		static ossl_inline ossl_unused int
84		poly_expand_mask(POLY out, const uint8_t seed, size_t seed_len,
85		uint32_t gamma1, EVP_MD_CTX h_ctx, const EVP_MD md)
86	0	{
87	0	return ossl_ml_dsa_poly_expand_mask(out, seed, seed_len, gamma1, h_ctx, md);
88	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_expand_mask Unexecuted instantiation: ml_dsa_key.c:poly_expand_mask Unexecuted instantiation: ml_dsa_matrix.c:poly_expand_mask Unexecuted instantiation: ml_dsa_ntt.c:poly_expand_mask Unexecuted instantiation: ml_dsa_sample.c:poly_expand_mask Unexecuted instantiation: ml_dsa_sign.c:poly_expand_mask
89
90		/**
91		* @brief Decompose the coefficients of a polynomial into (r1, r0) such that
92		* coeff[i] == t1[i] * 2^13 + t0[i] mod q
93		* See FIPS 204, Algorithm 35, Power2Round()
94		*
95		* @param t A polynomial containing coefficients in the range 0..q-1
96		* @param t1 The returned polynomial containing coefficients that represent
97		* the top 10 MSB of each coefficient in t (i.e each ranging from 0..1023)
98		* @param t0 The remainder coefficients of t in the range (0..4096 or q-4095..q-1)
99		* Each t0 coefficient has an effective range of 8192 (i.e. 13 bits).
100		*/
101		static ossl_inline ossl_unused void
102		poly_power2_round(const POLY t, POLY t1, POLY *t0)
103	0	{
104	0	int i;
105
106	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
107	0	ossl_ml_dsa_key_compress_power2_round(t->coeff[i],
108	0	t1->coeff + i, t0->coeff + i);
109	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_power2_round Unexecuted instantiation: ml_dsa_key.c:poly_power2_round Unexecuted instantiation: ml_dsa_matrix.c:poly_power2_round Unexecuted instantiation: ml_dsa_ntt.c:poly_power2_round Unexecuted instantiation: ml_dsa_sample.c:poly_power2_round Unexecuted instantiation: ml_dsa_sign.c:poly_power2_round
110
111		static ossl_inline ossl_unused void
112		poly_scale_power2_round(POLY in, POLY out)
113	0	{
114	0	int i;
115
116	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
117	0	out->coeff[i] = (in->coeff[i] << ML_DSA_D_BITS);
118	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_key.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_matrix.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_ntt.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_sample.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_sign.c:poly_scale_power2_round
119
120		static ossl_inline ossl_unused void
121		poly_high_bits(const POLY in, uint32_t gamma2, POLY out)
122	0	{
123	0	int i;
124
125	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
126	0	out->coeff[i] = ossl_ml_dsa_key_compress_high_bits(in->coeff[i], gamma2);
127	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_high_bits Unexecuted instantiation: ml_dsa_key.c:poly_high_bits Unexecuted instantiation: ml_dsa_matrix.c:poly_high_bits Unexecuted instantiation: ml_dsa_ntt.c:poly_high_bits Unexecuted instantiation: ml_dsa_sample.c:poly_high_bits Unexecuted instantiation: ml_dsa_sign.c:poly_high_bits
128
129		static ossl_inline ossl_unused void
130		poly_low_bits(const POLY in, uint32_t gamma2, POLY out)
131	0	{
132	0	int i;
133
134	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
135	0	out->coeff[i] = ossl_ml_dsa_key_compress_low_bits(in->coeff[i], gamma2);
136	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_low_bits Unexecuted instantiation: ml_dsa_key.c:poly_low_bits Unexecuted instantiation: ml_dsa_matrix.c:poly_low_bits Unexecuted instantiation: ml_dsa_ntt.c:poly_low_bits Unexecuted instantiation: ml_dsa_sample.c:poly_low_bits Unexecuted instantiation: ml_dsa_sign.c:poly_low_bits
137
138		static ossl_inline ossl_unused void
139		poly_make_hint(const POLY ct0, const POLY cs2, const POLY *w, uint32_t gamma2,
140		POLY *out)
141	0	{
142	0	int i;
143
144	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
145	0	out->coeff[i] = ossl_ml_dsa_key_compress_make_hint(ct0->coeff[i],
146	0	cs2->coeff[i],
147	0	gamma2, w->coeff[i]);
148	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_make_hint Unexecuted instantiation: ml_dsa_key.c:poly_make_hint Unexecuted instantiation: ml_dsa_matrix.c:poly_make_hint Unexecuted instantiation: ml_dsa_ntt.c:poly_make_hint Unexecuted instantiation: ml_dsa_sample.c:poly_make_hint Unexecuted instantiation: ml_dsa_sign.c:poly_make_hint
149
150		static ossl_inline ossl_unused void
151		poly_use_hint(const POLY h, const POLY r, uint32_t gamma2, POLY *out)
152	0	{
153	0	int i;
154
155	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
156	0	out->coeff[i] = ossl_ml_dsa_key_compress_use_hint(h->coeff[i],
157	0	r->coeff[i], gamma2);
158	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_use_hint Unexecuted instantiation: ml_dsa_key.c:poly_use_hint Unexecuted instantiation: ml_dsa_matrix.c:poly_use_hint Unexecuted instantiation: ml_dsa_ntt.c:poly_use_hint Unexecuted instantiation: ml_dsa_sample.c:poly_use_hint Unexecuted instantiation: ml_dsa_sign.c:poly_use_hint
159
160		static ossl_inline ossl_unused void
161		poly_max(const POLY p, uint32_t mx)
162	0	{
163	0	int i;
164
165	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++) {
166	0	uint32_t c = p->coeff[i];
167	0	uint32_t abs = abs_mod_prime(c);
168
169	0	mx = maximum(mx, abs);
170	0	}
171	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_max Unexecuted instantiation: ml_dsa_key.c:poly_max Unexecuted instantiation: ml_dsa_matrix.c:poly_max Unexecuted instantiation: ml_dsa_ntt.c:poly_max Unexecuted instantiation: ml_dsa_sample.c:poly_max Unexecuted instantiation: ml_dsa_sign.c:poly_max
172
173		static ossl_inline ossl_unused void
174		poly_max_signed(const POLY p, uint32_t mx)
175	0	{
176	0	int i;
177
178	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++) {
179	0	uint32_t c = p->coeff[i];
180	0	uint32_t abs = abs_signed(c);
181
182	0	mx = maximum(mx, abs);
183	0	}
184	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_max_signed Unexecuted instantiation: ml_dsa_key.c:poly_max_signed Unexecuted instantiation: ml_dsa_matrix.c:poly_max_signed Unexecuted instantiation: ml_dsa_ntt.c:poly_max_signed Unexecuted instantiation: ml_dsa_sample.c:poly_max_signed Unexecuted instantiation: ml_dsa_sign.c:poly_max_signed

Coverage Report

Created: 2025-06-13 06:36