/src/openssl/crypto/ml_dsa/ml_dsa_poly.h

Source
/*
 * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
#if !defined(OSSL_LIBCRYPTO_ML_DSA_ML_DSA_POLY_H)
#define OSSL_LIBCRYPTO_ML_DSA_ML_DSA_POLY_H

#include <openssl/crypto.h>

#include "ml_dsa_local.h"

#define ML_DSA_NUM_POLY_COEFFICIENTS 256

/* Polynomial object with 256 coefficients. The coefficients are unsigned 32 bits */
struct poly_st {
    uint32_t coeff[ML_DSA_NUM_POLY_COEFFICIENTS];
};

static ossl_inline ossl_unused void
poly_zero(POLY *p)
{
    memset(p->coeff, 0, sizeof(*p));
}

/**
 * @brief Polynomial addition.
 *
 * @param lhs A polynomial with coefficients in the range (0..q-1)
 * @param rhs A polynomial with coefficients in the range (0..q-1) to add
 *            to the 'lhs'.
 * @param out The returned addition result with the coefficients all in the
 *            range 0..q-1
 */
static ossl_inline ossl_unused void
poly_add(const POLY *lhs, const POLY *rhs, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = reduce_once(lhs->coeff[i] + rhs->coeff[i]);
}

/**
 * @brief Polynomial subtraction.
 *
 * @param lhs A polynomial with coefficients in the range (0..q-1)
 * @param rhs A polynomial with coefficients in the range (0..q-1) to subtract
 *            from the 'lhs'.
 * @param out The returned subtraction result with the coefficients all in the
 *            range 0..q-1
 */
static ossl_inline ossl_unused void
poly_sub(const POLY *lhs, const POLY *rhs, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = mod_sub(lhs->coeff[i], rhs->coeff[i]);
}

/* @returns 1 if the polynomials are equal, or 0 otherwise */
static ossl_inline ossl_unused int
poly_equal(const POLY *a, const POLY *b)
{
    return CRYPTO_memcmp(a, b, sizeof(*a)) == 0;
}

static ossl_inline ossl_unused void
poly_ntt(POLY *p)
{
    ossl_ml_dsa_poly_ntt(p);
}

static ossl_inline ossl_unused int
poly_sample_in_ball_ntt(POLY *out, const uint8_t *seed, int seed_len,
    EVP_MD_CTX *h_ctx, const EVP_MD *md, uint32_t tau)
{
    if (!ossl_ml_dsa_poly_sample_in_ball(out, seed, seed_len, h_ctx, md, tau))
        return 0;
    poly_ntt(out);
    return 1;
}

static ossl_inline ossl_unused int
poly_expand_mask(POLY *out, const uint8_t *seed, size_t seed_len,
    uint32_t gamma1, EVP_MD_CTX *h_ctx, const EVP_MD *md)
{
    return ossl_ml_dsa_poly_expand_mask(out, seed, seed_len, gamma1, h_ctx, md);
}

/**
 * @brief Decompose the coefficients of a polynomial into (r1, r0) such that
 * coeff[i] == t1[i] * 2^13 + t0[i] mod q
 * See FIPS 204, Algorithm 35, Power2Round()
 *
 * @param t A polynomial containing coefficients in the range 0..q-1
 * @param t1 The returned polynomial containing coefficients that represent
 *           the top 10 MSB of each coefficient in t (i.e each ranging from 0..1023)
 * @param t0 The remainder coefficients of t in the range (0..4096 or q-4095..q-1)
 *           Each t0 coefficient has an effective range of 8192 (i.e. 13 bits).
 */
static ossl_inline ossl_unused void
poly_power2_round(const POLY *t, POLY *t1, POLY *t0)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        ossl_ml_dsa_key_compress_power2_round(t->coeff[i],
            t1->coeff + i, t0->coeff + i);
}

static ossl_inline ossl_unused void
poly_scale_power2_round(POLY *in, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = (in->coeff[i] << ML_DSA_D_BITS);
}

static ossl_inline ossl_unused void
poly_high_bits(const POLY *in, uint32_t gamma2, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = ossl_ml_dsa_key_compress_high_bits(in->coeff[i], gamma2);
}

static ossl_inline ossl_unused void
poly_low_bits(const POLY *in, uint32_t gamma2, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = ossl_ml_dsa_key_compress_low_bits(in->coeff[i], gamma2);
}

static ossl_inline ossl_unused void
poly_make_hint(const POLY *ct0, const POLY *cs2, const POLY *w, uint32_t gamma2,
    POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = ossl_ml_dsa_key_compress_make_hint(ct0->coeff[i],
            cs2->coeff[i],
            gamma2, w->coeff[i]);
}

static ossl_inline ossl_unused void
poly_use_hint(const POLY *h, const POLY *r, uint32_t gamma2, POLY *out)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
        out->coeff[i] = ossl_ml_dsa_key_compress_use_hint(h->coeff[i],
            r->coeff[i], gamma2);
}

static ossl_inline ossl_unused void
poly_max(const POLY *p, uint32_t *mx)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++) {
        uint32_t c = p->coeff[i];
        uint32_t abs = abs_mod_prime(c);

        *mx = maximum(*mx, abs);
    }
}

static ossl_inline ossl_unused void
poly_max_signed(const POLY *p, uint32_t *mx)
{
    int i;

    for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++) {
        uint32_t c = p->coeff[i];
        uint32_t abs = abs_signed(c);

        *mx = maximum(*mx, abs);
    }
}

#endif /* !defined(OSSL_LIBCRYPTO_ML_DSA_ML_DSA_POLY_H) */

Line	Count	Source
1		/*
2		* Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9		#if !defined(OSSL_LIBCRYPTO_ML_DSA_ML_DSA_POLY_H)
10		#define OSSL_LIBCRYPTO_ML_DSA_ML_DSA_POLY_H
11
12		#include <openssl/crypto.h>
13
14		#include "ml_dsa_local.h"
15
16	0	#define ML_DSA_NUM_POLY_COEFFICIENTS 256
17
18		/* Polynomial object with 256 coefficients. The coefficients are unsigned 32 bits */
19		struct poly_st {
20		uint32_t coeff[ML_DSA_NUM_POLY_COEFFICIENTS];
21		};
22
23		static ossl_inline ossl_unused void
24		poly_zero(POLY *p)
25	0	{
26	0	memset(p->coeff, 0, sizeof(*p));
27	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_zero Unexecuted instantiation: ml_dsa_key.c:poly_zero Unexecuted instantiation: ml_dsa_matrix.c:poly_zero Unexecuted instantiation: ml_dsa_ntt.c:poly_zero Unexecuted instantiation: ml_dsa_sample.c:poly_zero Unexecuted instantiation: ml_dsa_sign.c:poly_zero
28
29		/**
30		* @brief Polynomial addition.
31		*
32		* @param lhs A polynomial with coefficients in the range (0..q-1)
33		* @param rhs A polynomial with coefficients in the range (0..q-1) to add
34		* to the 'lhs'.
35		* @param out The returned addition result with the coefficients all in the
36		* range 0..q-1
37		*/
38		static ossl_inline ossl_unused void
39		poly_add(const POLY lhs, const POLY rhs, POLY *out)
40	0	{
41	0	int i;
42
43	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
44	0	out->coeff[i] = reduce_once(lhs->coeff[i] + rhs->coeff[i]);
45	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_add Unexecuted instantiation: ml_dsa_key.c:poly_add Unexecuted instantiation: ml_dsa_matrix.c:poly_add Unexecuted instantiation: ml_dsa_ntt.c:poly_add Unexecuted instantiation: ml_dsa_sample.c:poly_add Unexecuted instantiation: ml_dsa_sign.c:poly_add
46
47		/**
48		* @brief Polynomial subtraction.
49		*
50		* @param lhs A polynomial with coefficients in the range (0..q-1)
51		* @param rhs A polynomial with coefficients in the range (0..q-1) to subtract
52		* from the 'lhs'.
53		* @param out The returned subtraction result with the coefficients all in the
54		* range 0..q-1
55		*/
56		static ossl_inline ossl_unused void
57		poly_sub(const POLY lhs, const POLY rhs, POLY *out)
58	0	{
59	0	int i;
60
61	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
62	0	out->coeff[i] = mod_sub(lhs->coeff[i], rhs->coeff[i]);
63	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_sub Unexecuted instantiation: ml_dsa_key.c:poly_sub Unexecuted instantiation: ml_dsa_matrix.c:poly_sub Unexecuted instantiation: ml_dsa_ntt.c:poly_sub Unexecuted instantiation: ml_dsa_sample.c:poly_sub Unexecuted instantiation: ml_dsa_sign.c:poly_sub
64
65		/* @returns 1 if the polynomials are equal, or 0 otherwise */
66		static ossl_inline ossl_unused int
67		poly_equal(const POLY a, const POLY b)
68	0	{
69	0	return CRYPTO_memcmp(a, b, sizeof(*a)) == 0;
70	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_equal Unexecuted instantiation: ml_dsa_key.c:poly_equal Unexecuted instantiation: ml_dsa_matrix.c:poly_equal Unexecuted instantiation: ml_dsa_ntt.c:poly_equal Unexecuted instantiation: ml_dsa_sample.c:poly_equal Unexecuted instantiation: ml_dsa_sign.c:poly_equal
71
72		static ossl_inline ossl_unused void
73		poly_ntt(POLY *p)
74	0	{
75	0	ossl_ml_dsa_poly_ntt(p);
76	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_ntt Unexecuted instantiation: ml_dsa_key.c:poly_ntt Unexecuted instantiation: ml_dsa_matrix.c:poly_ntt Unexecuted instantiation: ml_dsa_ntt.c:poly_ntt Unexecuted instantiation: ml_dsa_sample.c:poly_ntt Unexecuted instantiation: ml_dsa_sign.c:poly_ntt
77
78		static ossl_inline ossl_unused int
79		poly_sample_in_ball_ntt(POLY out, const uint8_t seed, int seed_len,
80		EVP_MD_CTX h_ctx, const EVP_MD md, uint32_t tau)
81	0	{
82	0	if (!ossl_ml_dsa_poly_sample_in_ball(out, seed, seed_len, h_ctx, md, tau))
83	0	return 0;
84	0	poly_ntt(out);
85	0	return 1;
86	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_key.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_matrix.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_ntt.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_sample.c:poly_sample_in_ball_ntt Unexecuted instantiation: ml_dsa_sign.c:poly_sample_in_ball_ntt
87
88		static ossl_inline ossl_unused int
89		poly_expand_mask(POLY out, const uint8_t seed, size_t seed_len,
90		uint32_t gamma1, EVP_MD_CTX h_ctx, const EVP_MD md)
91	0	{
92	0	return ossl_ml_dsa_poly_expand_mask(out, seed, seed_len, gamma1, h_ctx, md);
93	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_expand_mask Unexecuted instantiation: ml_dsa_key.c:poly_expand_mask Unexecuted instantiation: ml_dsa_matrix.c:poly_expand_mask Unexecuted instantiation: ml_dsa_ntt.c:poly_expand_mask Unexecuted instantiation: ml_dsa_sample.c:poly_expand_mask Unexecuted instantiation: ml_dsa_sign.c:poly_expand_mask
94
95		/**
96		* @brief Decompose the coefficients of a polynomial into (r1, r0) such that
97		* coeff[i] == t1[i] * 2^13 + t0[i] mod q
98		* See FIPS 204, Algorithm 35, Power2Round()
99		*
100		* @param t A polynomial containing coefficients in the range 0..q-1
101		* @param t1 The returned polynomial containing coefficients that represent
102		* the top 10 MSB of each coefficient in t (i.e each ranging from 0..1023)
103		* @param t0 The remainder coefficients of t in the range (0..4096 or q-4095..q-1)
104		* Each t0 coefficient has an effective range of 8192 (i.e. 13 bits).
105		*/
106		static ossl_inline ossl_unused void
107		poly_power2_round(const POLY t, POLY t1, POLY *t0)
108	0	{
109	0	int i;
110
111	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
112	0	ossl_ml_dsa_key_compress_power2_round(t->coeff[i],
113	0	t1->coeff + i, t0->coeff + i);
114	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_power2_round Unexecuted instantiation: ml_dsa_key.c:poly_power2_round Unexecuted instantiation: ml_dsa_matrix.c:poly_power2_round Unexecuted instantiation: ml_dsa_ntt.c:poly_power2_round Unexecuted instantiation: ml_dsa_sample.c:poly_power2_round Unexecuted instantiation: ml_dsa_sign.c:poly_power2_round
115
116		static ossl_inline ossl_unused void
117		poly_scale_power2_round(POLY in, POLY out)
118	0	{
119	0	int i;
120
121	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
122	0	out->coeff[i] = (in->coeff[i] << ML_DSA_D_BITS);
123	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_key.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_matrix.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_ntt.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_sample.c:poly_scale_power2_round Unexecuted instantiation: ml_dsa_sign.c:poly_scale_power2_round
124
125		static ossl_inline ossl_unused void
126		poly_high_bits(const POLY in, uint32_t gamma2, POLY out)
127	0	{
128	0	int i;
129
130	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
131	0	out->coeff[i] = ossl_ml_dsa_key_compress_high_bits(in->coeff[i], gamma2);
132	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_high_bits Unexecuted instantiation: ml_dsa_key.c:poly_high_bits Unexecuted instantiation: ml_dsa_matrix.c:poly_high_bits Unexecuted instantiation: ml_dsa_ntt.c:poly_high_bits Unexecuted instantiation: ml_dsa_sample.c:poly_high_bits Unexecuted instantiation: ml_dsa_sign.c:poly_high_bits
133
134		static ossl_inline ossl_unused void
135		poly_low_bits(const POLY in, uint32_t gamma2, POLY out)
136	0	{
137	0	int i;
138
139	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
140	0	out->coeff[i] = ossl_ml_dsa_key_compress_low_bits(in->coeff[i], gamma2);
141	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_low_bits Unexecuted instantiation: ml_dsa_key.c:poly_low_bits Unexecuted instantiation: ml_dsa_matrix.c:poly_low_bits Unexecuted instantiation: ml_dsa_ntt.c:poly_low_bits Unexecuted instantiation: ml_dsa_sample.c:poly_low_bits Unexecuted instantiation: ml_dsa_sign.c:poly_low_bits
142
143		static ossl_inline ossl_unused void
144		poly_make_hint(const POLY ct0, const POLY cs2, const POLY *w, uint32_t gamma2,
145		POLY *out)
146	0	{
147	0	int i;
148
149	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
150	0	out->coeff[i] = ossl_ml_dsa_key_compress_make_hint(ct0->coeff[i],
151	0	cs2->coeff[i],
152	0	gamma2, w->coeff[i]);
153	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_make_hint Unexecuted instantiation: ml_dsa_key.c:poly_make_hint Unexecuted instantiation: ml_dsa_matrix.c:poly_make_hint Unexecuted instantiation: ml_dsa_ntt.c:poly_make_hint Unexecuted instantiation: ml_dsa_sample.c:poly_make_hint Unexecuted instantiation: ml_dsa_sign.c:poly_make_hint
154
155		static ossl_inline ossl_unused void
156		poly_use_hint(const POLY h, const POLY r, uint32_t gamma2, POLY *out)
157	0	{
158	0	int i;
159
160	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++)
161	0	out->coeff[i] = ossl_ml_dsa_key_compress_use_hint(h->coeff[i],
162	0	r->coeff[i], gamma2);
163	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_use_hint Unexecuted instantiation: ml_dsa_key.c:poly_use_hint Unexecuted instantiation: ml_dsa_matrix.c:poly_use_hint Unexecuted instantiation: ml_dsa_ntt.c:poly_use_hint Unexecuted instantiation: ml_dsa_sample.c:poly_use_hint Unexecuted instantiation: ml_dsa_sign.c:poly_use_hint
164
165		static ossl_inline ossl_unused void
166		poly_max(const POLY p, uint32_t mx)
167	0	{
168	0	int i;
169
170	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++) {
171	0	uint32_t c = p->coeff[i];
172	0	uint32_t abs = abs_mod_prime(c);
173
174	0	mx = maximum(mx, abs);
175	0	}
176	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_max Unexecuted instantiation: ml_dsa_key.c:poly_max Unexecuted instantiation: ml_dsa_matrix.c:poly_max Unexecuted instantiation: ml_dsa_ntt.c:poly_max Unexecuted instantiation: ml_dsa_sample.c:poly_max Unexecuted instantiation: ml_dsa_sign.c:poly_max
177
178		static ossl_inline ossl_unused void
179		poly_max_signed(const POLY p, uint32_t mx)
180	0	{
181	0	int i;
182
183	0	for (i = 0; i < ML_DSA_NUM_POLY_COEFFICIENTS; i++) {
184	0	uint32_t c = p->coeff[i];
185	0	uint32_t abs = abs_signed(c);
186
187	0	mx = maximum(mx, abs);
188	0	}
189	0	} Unexecuted instantiation: ml_dsa_encoders.c:poly_max_signed Unexecuted instantiation: ml_dsa_key.c:poly_max_signed Unexecuted instantiation: ml_dsa_matrix.c:poly_max_signed Unexecuted instantiation: ml_dsa_ntt.c:poly_max_signed Unexecuted instantiation: ml_dsa_sample.c:poly_max_signed Unexecuted instantiation: ml_dsa_sign.c:poly_max_signed
190
191		#endif /* !defined(OSSL_LIBCRYPTO_ML_DSA_ML_DSA_POLY_H) */

Coverage Report

Created: 2026-05-30 06:06