#include <dilithium_polynomials.h>

Public Member Functions
void	cadd_q ()

void	invntt_tomont ()

int32_t	montgomery_reduce (int64_t a) const

void	ntt ()

Polynomial &	operator+= (const Polynomial &other)

Polynomial &	operator-= (const Polynomial &other)

void	poly_decompose (Polynomial &a1, Polynomial &a0, const DilithiumModeConstants &mode) const

void	poly_invntt_tomont ()

void	poly_pointwise_montgomery (Polynomial &output, const Polynomial &second) const

void	poly_reduce ()

void	poly_shiftl ()

void	poly_uniform_gamma1 (const secure_vector< uint8_t > &seed, uint16_t nonce, const DilithiumModeConstants &mode)

void	polyeta_pack (uint8_t *r, const DilithiumModeConstants &mode) const

	Polynomial ()=default

void	polyt0_pack (uint8_t *r) const

void	polyt1_pack (uint8_t *r) const

void	polyw1_pack (uint8_t *r, const DilithiumModeConstants &mode)

void	polyz_pack (uint8_t *r, const DilithiumModeConstants &mode) const

Static Public Member Functions
static int32_t	decompose (int32_t *a0, int32_t a, const DilithiumModeConstants &mode)

static void	fill_poly_uniform_eta (Polynomial &a, const secure_vector< uint8_t > &seed, uint16_t nonce, const DilithiumModeConstants &mode)

static void	fill_polys_power2round (Polynomial &a1, Polynomial &a0, const Polynomial &a)

static size_t	generate_hint_polynomial (Polynomial &h, const Polynomial &a0, const Polynomial &a1, const DilithiumModeConstants &mode)

static int32_t	make_hint (size_t a0, size_t a1, const DilithiumModeConstants &mode)

static Polynomial	poly_challenge (const uint8_t *seed, const DilithiumModeConstants &mode)

static bool	poly_chknorm (const Polynomial &a, size_t B)

static void	poly_use_hint (Polynomial &b, const Polynomial &a, const Polynomial &h, const DilithiumModeConstants &mode)

static Polynomial	polyeta_unpack (std::span< const uint8_t > a, const DilithiumModeConstants &mode)

static Polynomial	polyt0_unpack (std::span< const uint8_t > a)

static void	polyt1_unpack (Polynomial &r, const uint8_t *a)

static void	polyz_unpack (Polynomial &r, const uint8_t *a, const DilithiumModeConstants &mode)

static int32_t	power2round (int32_t &a0, int32_t a)

static size_t	rej_eta (Polynomial &a, size_t offset, size_t len, const secure_vector< uint8_t > &buf, size_t buflen, const DilithiumModeConstants &mode)

static size_t	rej_uniform (Polynomial &p, size_t position, size_t len, const uint8_t *buf, size_t buflen)

static int32_t	use_hint (int32_t a, size_t hint, const DilithiumModeConstants &mode)

Public Attributes
std::array< int32_t, Botan::DilithiumModeConstants::N >	m_coeffs

Detailed Description

Definition at line 28 of file dilithium_polynomials.h.

Constructor & Destructor Documentation

◆ Polynomial()

Botan::Dilithium::Polynomial::Polynomial ( )

default

Member Function Documentation

◆ cadd_q()

void Botan::Dilithium::Polynomial::cadd_q ( )

inline

Definition at line 533 of file dilithium_polynomials.h.

                    {
         for(auto& i : m_coeffs) {
            i += (i >> 31) & DilithiumModeConstants::Q;
         }
      }

References m_coeffs, and Botan::DilithiumModeConstants::Q.

◆ decompose()

static int32_t Botan::Dilithium::Polynomial::decompose	(	int32_t *	a0,
		int32_t	a,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 338 of file dilithium_polynomials.h.

                                                                                           {
         int32_t a1 = (a + 127) >> 7;
         if(mode.gamma2() == (DilithiumModeConstants::Q - 1) / 32) {
            a1 = (a1 * 1025 + (1 << 21)) >> 22;
            a1 &= 15;
         } else {
            BOTAN_ASSERT_NOMSG(mode.gamma2() == (DilithiumModeConstants::Q - 1) / 88);
            a1 = (a1 * 11275 + (1 << 23)) >> 24;
            a1 ^= ((43 - a1) >> 31) & a1;
         }
 
         *a0 = a - a1 * 2 * static_cast<int32_t>(mode.gamma2());
         *a0 -= (((DilithiumModeConstants::Q - 1) / 2 - *a0) >> 31) & DilithiumModeConstants::Q;
         return a1;
      }

References BOTAN_ASSERT_NOMSG, Botan::DilithiumModeConstants::gamma2(), and Botan::DilithiumModeConstants::Q.

Referenced by poly_decompose(), and use_hint().

◆ fill_poly_uniform_eta()

static void Botan::Dilithium::Polynomial::fill_poly_uniform_eta	(	Polynomial &	a,
		const secure_vector< uint8_t > &	seed,
		uint16_t	nonce,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 148 of file dilithium_polynomials.h.

                                                                            {
         BOTAN_ASSERT_NOMSG(seed.size() == DilithiumModeConstants::CRHBYTES);
 
         auto xof = mode.XOF_256(seed, nonce);
 
         secure_vector<uint8_t> buf(mode.poly_uniform_eta_nblocks() * mode.stream256_blockbytes());
         xof->output(buf);
         size_t ctr = Polynomial::rej_eta(a, 0, DilithiumModeConstants::N, buf, buf.size(), mode);
 
         while(ctr < DilithiumModeConstants::N) {
            xof->output(std::span(buf).first(mode.stream256_blockbytes()));
            ctr += Polynomial::rej_eta(a, ctr, DilithiumModeConstants::N - ctr, buf, mode.stream256_blockbytes(), mode);
         }
      }

References BOTAN_ASSERT_NOMSG, Botan::DilithiumModeConstants::CRHBYTES, Botan::DilithiumModeConstants::N, Botan::DilithiumModeConstants::poly_uniform_eta_nblocks(), rej_eta(), Botan::DilithiumModeConstants::stream256_blockbytes(), and Botan::DilithiumModeConstants::XOF_256().

Referenced by Botan::Dilithium::PolynomialVector::fill_polyvec_uniform_eta().

◆ fill_polys_power2round()

static void Botan::Dilithium::Polynomial::fill_polys_power2round	(	Polynomial &	a1,
		Polynomial &	a0,
		const Polynomial &	a )

inlinestatic

Definition at line 196 of file dilithium_polynomials.h.

                                                                                              {
         for(size_t i = 0; i < DilithiumModeConstants::N; ++i) {
            a1.m_coeffs[i] = Polynomial::power2round(a0.m_coeffs[i], a.m_coeffs[i]);
         }
      }

References m_coeffs, Botan::DilithiumModeConstants::N, and power2round().

Referenced by Botan::Dilithium::PolynomialVector::fill_polyvecs_power2round().

◆ generate_hint_polynomial()

static size_t Botan::Dilithium::Polynomial::generate_hint_polynomial	(	Polynomial &	h,
		const Polynomial &	a0,
		const Polynomial &	a1,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 309 of file dilithium_polynomials.h.

                                                                                 {
         size_t s = 0;
 
         for(size_t i = 0; i < DilithiumModeConstants::N; ++i) {
            h.m_coeffs[i] = Polynomial::make_hint(a0.m_coeffs[i], a1.m_coeffs[i], mode);
            s += h.m_coeffs[i];
         }
 
         return s;
      }

References m_coeffs, make_hint(), and Botan::DilithiumModeConstants::N.

Referenced by Botan::Dilithium::PolynomialVector::generate_hint_polyvec().

◆ invntt_tomont()

void Botan::Dilithium::Polynomial::invntt_tomont ( )

inline

Definition at line 494 of file dilithium_polynomials.h.

                           {
         size_t j;
         int32_t f = 41978;  // mont^2/256
         size_t k = 256;
         for(size_t len = 1; len < DilithiumModeConstants::N; len <<= 1) {
            for(size_t start = 0; start < DilithiumModeConstants::N; start = j + len) {
               int32_t zeta = -DilithiumModeConstants::ZETAS[--k];
               for(j = start; j < start + len; ++j) {
                  int32_t t = m_coeffs[j];
                  m_coeffs[j] = t + m_coeffs[j + len];
                  m_coeffs[j + len] = t - m_coeffs[j + len];
                  m_coeffs[j + len] = montgomery_reduce(static_cast<int64_t>(zeta) * m_coeffs[j + len]);
               }
            }
         }
 
         for(j = 0; j < DilithiumModeConstants::N; ++j) {
            m_coeffs[j] = montgomery_reduce(static_cast<int64_t>(f) * m_coeffs[j]);
         }
      }

References m_coeffs, montgomery_reduce(), Botan::DilithiumModeConstants::N, and Botan::DilithiumModeConstants::ZETAS.

Referenced by poly_invntt_tomont().

◆ make_hint()

static int32_t Botan::Dilithium::Polynomial::make_hint	(	size_t	a0,
		size_t	a1,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 286 of file dilithium_polynomials.h.

                                                                                         {
         const auto gamma2 = mode.gamma2();
         const auto Q_gamma2 = DilithiumModeConstants::Q - gamma2;
         if(a0 <= gamma2 || a0 > Q_gamma2 || (a0 == Q_gamma2 && a1 == 0)) {
            return 0;
         }
         return 1;
      }

References Botan::DilithiumModeConstants::gamma2(), and Botan::DilithiumModeConstants::Q.

Referenced by generate_hint_polynomial().

◆ montgomery_reduce()

int32_t Botan::Dilithium::Polynomial::montgomery_reduce ( int64_t a ) const

inline

Definition at line 418 of file dilithium_polynomials.h.

                                                 {
         int32_t t = static_cast<int32_t>(static_cast<int64_t>(static_cast<int32_t>(a)) * DilithiumModeConstants::QINV);
         t = (a - static_cast<int64_t>(t) * DilithiumModeConstants::Q) >> 32;
         return t;
      }

References Botan::DilithiumModeConstants::Q, and Botan::DilithiumModeConstants::QINV.

Referenced by invntt_tomont(), ntt(), and poly_pointwise_montgomery().

◆ ntt()

void Botan::Dilithium::Polynomial::ntt ( )

inline

Definition at line 451 of file dilithium_polynomials.h.

                 {
         size_t j;
         size_t k = 0;
 
         for(size_t len = 128; len > 0; len >>= 1) {
            for(size_t start = 0; start < DilithiumModeConstants::N; start = j + len) {
               int32_t zeta = DilithiumModeConstants::ZETAS[++k];
               for(j = start; j < start + len; ++j) {
                  int32_t t = montgomery_reduce(static_cast<int64_t>(zeta) * m_coeffs[j + len]);
                  m_coeffs[j + len] = m_coeffs[j] - t;
                  m_coeffs[j] = m_coeffs[j] + t;
               }
            }
         }
      }

References m_coeffs, montgomery_reduce(), Botan::DilithiumModeConstants::N, and Botan::DilithiumModeConstants::ZETAS.

◆ operator+=()

Polynomial & Botan::Dilithium::Polynomial::operator+= ( const Polynomial & other )

inline

Adds two polynomials element-wise. Does not perform a reduction after the addition. Therefore this operation might cause an integer overflow.

Definition at line 37 of file dilithium_polynomials.h.

                                                      {
         for(size_t i = 0; i < this->m_coeffs.size(); ++i) {
            this->m_coeffs[i] = this->m_coeffs[i] + other.m_coeffs[i];
         }
         return *this;
      }

References m_coeffs.

◆ operator-=()

Polynomial & Botan::Dilithium::Polynomial::operator-= ( const Polynomial & other )

inline

Subtracts two polynomials element-wise. Does not perform a reduction after the subtraction. Therefore this operation might cause an integer underflow.

Definition at line 48 of file dilithium_polynomials.h.

                                                      {
         for(size_t i = 0; i < this->m_coeffs.size(); ++i) {
            this->m_coeffs[i] = this->m_coeffs[i] - other.m_coeffs[i];
         }
         return *this;
      }

References m_coeffs.

◆ poly_challenge()

static Polynomial Botan::Dilithium::Polynomial::poly_challenge	(	const uint8_t *	seed,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 213 of file dilithium_polynomials.h.

                                                                                                {
         Polynomial c;
 
         SHAKE_256 shake256_hasher(DilithiumModeConstants::SHAKE256_RATE * 8);
         shake256_hasher.update(seed, DilithiumModeConstants::SEEDBYTES);
         auto buf = shake256_hasher.final();
 
         uint64_t signs = 0;
         for(size_t i = 0; i < 8; ++i) {
            signs |= static_cast<uint64_t>(buf[i]) << 8 * i;
         }
         size_t pos = 8;
 
         for(size_t i = 0; i < DilithiumModeConstants::N; ++i) {
            c.m_coeffs[i] = 0;
         }
         for(size_t i = DilithiumModeConstants::N - mode.tau(); i < DilithiumModeConstants::N; ++i) {
            size_t b;
            do {
               b = buf[pos++];
            } while(b > i);
 
            c.m_coeffs[i] = c.m_coeffs[b];
            c.m_coeffs[b] = 1 - 2 * (signs & 1);
            signs >>= 1;
         }
         return c;
      }

References Botan::Buffered_Computation::final(), m_coeffs, Botan::DilithiumModeConstants::N, Botan::DilithiumModeConstants::SEEDBYTES, Botan::DilithiumModeConstants::SHAKE256_RATE, Botan::DilithiumModeConstants::tau(), and Botan::Buffered_Computation::update().

◆ poly_chknorm()

static bool Botan::Dilithium::Polynomial::poly_chknorm	(	const Polynomial &	a,
		size_t	B )

inlinestatic

Definition at line 253 of file dilithium_polynomials.h.

                                                              {
         if(B > (DilithiumModeConstants::Q - 1) / 8) {
            return true;
         }
 
         /* It is ok to leak which coefficient violates the bound since
         the probability for each coefficient is independent of secret
         data but we must not leak the sign of the centralized representative. */
         for(const auto& coeff : a.m_coeffs) {
            /* Absolute value */
            size_t t = coeff >> 31;
            t = coeff - (t & 2 * coeff);
 
            if(t >= B) {
               return true;
            }
         }
         return false;
      }

References m_coeffs, and Botan::DilithiumModeConstants::Q.

Referenced by Botan::Dilithium::PolynomialVector::polyvec_chknorm().

◆ poly_decompose()

void Botan::Dilithium::Polynomial::poly_decompose	(	Polynomial &	a1,
		Polynomial &	a0,
		const DilithiumModeConstants &	mode ) const

inline

Definition at line 569 of file dilithium_polynomials.h.

                                                                                                    {
         for(size_t i = 0; i < DilithiumModeConstants::N; ++i) {
            a1.m_coeffs[i] = Polynomial::decompose(&a0.m_coeffs[i], m_coeffs[i], mode);
         }
      }

References decompose(), m_coeffs, and Botan::DilithiumModeConstants::N.

◆ poly_invntt_tomont()

void Botan::Dilithium::Polynomial::poly_invntt_tomont ( )

inline

Definition at line 524 of file dilithium_polynomials.h.

524{ invntt_tomont(); }

Botan::Dilithium::Polynomial::invntt_tomont

void invntt_tomont()

Definition dilithium_polynomials.h:494

References invntt_tomont().

◆ poly_pointwise_montgomery()

void Botan::Dilithium::Polynomial::poly_pointwise_montgomery	(	Polynomial &	output,
		const Polynomial &	second ) const

inline

Definition at line 437 of file dilithium_polynomials.h.

                                                                                         {
         for(size_t i = 0; i < DilithiumModeConstants::N; ++i) {
            output.m_coeffs[i] = montgomery_reduce(static_cast<int64_t>(m_coeffs[i]) * second.m_coeffs[i]);
         }
      }

References m_coeffs, montgomery_reduce(), and Botan::DilithiumModeConstants::N.

◆ poly_reduce()

void Botan::Dilithium::Polynomial::poly_reduce ( )

inline

Definition at line 477 of file dilithium_polynomials.h.

                         {
         for(auto& i : m_coeffs) {
            int32_t t = (i + (1 << 22)) >> 23;
            t = i - t * DilithiumModeConstants::Q;
            i = t;
         }
      }

References m_coeffs, and Botan::DilithiumModeConstants::Q.

◆ poly_shiftl()

void Botan::Dilithium::Polynomial::poly_shiftl ( )

inline

Definition at line 583 of file dilithium_polynomials.h.

                         {
         for(size_t i = 0; i < m_coeffs.size(); ++i) {
            m_coeffs[i] <<= DilithiumModeConstants::D;
         }
      }

References Botan::DilithiumModeConstants::D, and m_coeffs.

◆ poly_uniform_gamma1()

void Botan::Dilithium::Polynomial::poly_uniform_gamma1	(	const secure_vector< uint8_t > &	seed,
		uint16_t	nonce,
		const DilithiumModeConstants &	mode )

inline

Definition at line 550 of file dilithium_polynomials.h.

                                                                                                                       {
         auto buf = mode.ExpandMask(seed, nonce);
 
         Polynomial::polyz_unpack(*this, buf.data(), mode);
      }

References Botan::DilithiumModeConstants::ExpandMask(), and polyz_unpack().

◆ poly_use_hint()

static void Botan::Dilithium::Polynomial::poly_use_hint	(	Polynomial &	b,
		const Polynomial &	a,
		const Polynomial &	h,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 399 of file dilithium_polynomials.h.

                                                                    {
         for(size_t i = 0; i < DilithiumModeConstants::N; ++i) {
            b.m_coeffs[i] = Polynomial::use_hint(a.m_coeffs[i], h.m_coeffs[i], mode);
         }
      }

References m_coeffs, Botan::DilithiumModeConstants::N, and use_hint().

Referenced by Botan::Dilithium::PolynomialVector::polyvec_use_hint().

◆ polyeta_pack()

void Botan::Dilithium::Polynomial::polyeta_pack	(	uint8_t *	r,
		const DilithiumModeConstants &	mode ) const

inline

Definition at line 674 of file dilithium_polynomials.h.

                                                                              {
         uint8_t t[8];
 
         switch(mode.eta()) {
            case DilithiumEta::Eta2: {
               for(size_t i = 0; i < DilithiumModeConstants::N / 8; ++i) {
                  t[0] = static_cast<uint8_t>(mode.eta() - m_coeffs[8 * i + 0]);
                  t[1] = static_cast<uint8_t>(mode.eta() - m_coeffs[8 * i + 1]);
                  t[2] = static_cast<uint8_t>(mode.eta() - m_coeffs[8 * i + 2]);
                  t[3] = static_cast<uint8_t>(mode.eta() - m_coeffs[8 * i + 3]);
                  t[4] = static_cast<uint8_t>(mode.eta() - m_coeffs[8 * i + 4]);
                  t[5] = static_cast<uint8_t>(mode.eta() - m_coeffs[8 * i + 5]);
                  t[6] = static_cast<uint8_t>(mode.eta() - m_coeffs[8 * i + 6]);
                  t[7] = static_cast<uint8_t>(mode.eta() - m_coeffs[8 * i + 7]);
 
                  r[3 * i + 0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
                  r[3 * i + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
                  r[3 * i + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
               }
            } break;
            case DilithiumEta::Eta4: {
               for(size_t i = 0; i < DilithiumModeConstants::N / 2; ++i) {
                  t[0] = static_cast<uint8_t>(mode.eta() - m_coeffs[2 * i + 0]);
                  t[1] = static_cast<uint8_t>(mode.eta() - m_coeffs[2 * i + 1]);
                  r[i] = static_cast<uint8_t>(t[0] | (t[1] << 4));
               }
            } break;
         }
      }

References Botan::DilithiumModeConstants::eta(), Botan::Eta2, Botan::Eta4, m_coeffs, and Botan::DilithiumModeConstants::N.

◆ polyeta_unpack()

static Polynomial Botan::Dilithium::Polynomial::polyeta_unpack	(	std::span< const uint8_t >	a,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 626 of file dilithium_polynomials.h.

                                                                                                     {
         Polynomial r;
 
         switch(mode.eta()) {
            case DilithiumEta::Eta2: {
               for(size_t i = 0; i < DilithiumModeConstants::N / 8; ++i) {
                  r.m_coeffs[8 * i + 0] = (a[3 * i + 0] >> 0) & 7;
                  r.m_coeffs[8 * i + 1] = (a[3 * i + 0] >> 3) & 7;
                  r.m_coeffs[8 * i + 2] = ((a[3 * i + 0] >> 6) | (a[3 * i + 1] << 2)) & 7;
                  r.m_coeffs[8 * i + 3] = (a[3 * i + 1] >> 1) & 7;
                  r.m_coeffs[8 * i + 4] = (a[3 * i + 1] >> 4) & 7;
                  r.m_coeffs[8 * i + 5] = ((a[3 * i + 1] >> 7) | (a[3 * i + 2] << 1)) & 7;
                  r.m_coeffs[8 * i + 6] = (a[3 * i + 2] >> 2) & 7;
                  r.m_coeffs[8 * i + 7] = (a[3 * i + 2] >> 5) & 7;
 
                  r.m_coeffs[8 * i + 0] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[8 * i + 0];
                  r.m_coeffs[8 * i + 1] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[8 * i + 1];
                  r.m_coeffs[8 * i + 2] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[8 * i + 2];
                  r.m_coeffs[8 * i + 3] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[8 * i + 3];
                  r.m_coeffs[8 * i + 4] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[8 * i + 4];
                  r.m_coeffs[8 * i + 5] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[8 * i + 5];
                  r.m_coeffs[8 * i + 6] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[8 * i + 6];
                  r.m_coeffs[8 * i + 7] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[8 * i + 7];
               }
            } break;
            case DilithiumEta::Eta4: {
               for(size_t i = 0; i < DilithiumModeConstants::N / 2; ++i) {
                  r.m_coeffs[2 * i + 0] = a[i] & 0x0F;
                  r.m_coeffs[2 * i + 1] = a[i] >> 4;
                  r.m_coeffs[2 * i + 0] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[2 * i + 0];
                  r.m_coeffs[2 * i + 1] = static_cast<uint8_t>(mode.eta()) - r.m_coeffs[2 * i + 1];
               }
            } break;
         }
 
         return r;
      }

References Botan::DilithiumModeConstants::eta(), Botan::Eta2, Botan::Eta4, m_coeffs, and Botan::DilithiumModeConstants::N.

Referenced by Botan::Dilithium::PolynomialVector::unpack_eta().

◆ polyt0_pack()

void Botan::Dilithium::Polynomial::polyt0_pack ( uint8_t * r ) const

inline

Definition at line 774 of file dilithium_polynomials.h.

                                         {
         uint32_t t[8];
         for(size_t i = 0; i < DilithiumModeConstants::N / 8; ++i) {
            t[0] = (1 << (DilithiumModeConstants::D - 1)) - m_coeffs[8 * i + 0];
            t[1] = (1 << (DilithiumModeConstants::D - 1)) - m_coeffs[8 * i + 1];
            t[2] = (1 << (DilithiumModeConstants::D - 1)) - m_coeffs[8 * i + 2];
            t[3] = (1 << (DilithiumModeConstants::D - 1)) - m_coeffs[8 * i + 3];
            t[4] = (1 << (DilithiumModeConstants::D - 1)) - m_coeffs[8 * i + 4];
            t[5] = (1 << (DilithiumModeConstants::D - 1)) - m_coeffs[8 * i + 5];
            t[6] = (1 << (DilithiumModeConstants::D - 1)) - m_coeffs[8 * i + 6];
            t[7] = (1 << (DilithiumModeConstants::D - 1)) - m_coeffs[8 * i + 7];
 
            r[13 * i + 0] = static_cast<uint8_t>(t[0]);
            r[13 * i + 1] = static_cast<uint8_t>(t[0] >> 8);
            r[13 * i + 1] |= static_cast<uint8_t>(t[1] << 5);
            r[13 * i + 2] = static_cast<uint8_t>(t[1] >> 3);
            r[13 * i + 3] = static_cast<uint8_t>(t[1] >> 11);
            r[13 * i + 3] |= static_cast<uint8_t>(t[2] << 2);
            r[13 * i + 4] = static_cast<uint8_t>(t[2] >> 6);
            r[13 * i + 4] |= static_cast<uint8_t>(t[3] << 7);
            r[13 * i + 5] = static_cast<uint8_t>(t[3] >> 1);
            r[13 * i + 6] = static_cast<uint8_t>(t[3] >> 9);
            r[13 * i + 6] |= static_cast<uint8_t>(t[4] << 4);
            r[13 * i + 7] = static_cast<uint8_t>(t[4] >> 4);
            r[13 * i + 8] = static_cast<uint8_t>(t[4] >> 12);
            r[13 * i + 8] |= static_cast<uint8_t>(t[5] << 1);
            r[13 * i + 9] = static_cast<uint8_t>(t[5] >> 7);
            r[13 * i + 9] |= static_cast<uint8_t>(t[6] << 6);
            r[13 * i + 10] = static_cast<uint8_t>(t[6] >> 2);
            r[13 * i + 11] = static_cast<uint8_t>(t[6] >> 10);
            r[13 * i + 11] |= static_cast<uint8_t>(t[7] << 3);
            r[13 * i + 12] = static_cast<uint8_t>(t[7] >> 5);
         }
      }

References Botan::DilithiumModeConstants::D, m_coeffs, and Botan::DilithiumModeConstants::N.

◆ polyt0_unpack()

static Polynomial Botan::Dilithium::Polynomial::polyt0_unpack ( std::span< const uint8_t > a )

inlinestatic

Definition at line 712 of file dilithium_polynomials.h.

                                                                {
         Polynomial r;
 
         for(size_t i = 0; i < DilithiumModeConstants::N / 8; ++i) {
            r.m_coeffs[8 * i + 0] = a[13 * i + 0];
            r.m_coeffs[8 * i + 0] |= static_cast<uint32_t>(a[13 * i + 1]) << 8;
            r.m_coeffs[8 * i + 0] &= 0x1FFF;
 
            r.m_coeffs[8 * i + 1] = a[13 * i + 1] >> 5;
            r.m_coeffs[8 * i + 1] |= static_cast<uint32_t>(a[13 * i + 2]) << 3;
            r.m_coeffs[8 * i + 1] |= static_cast<uint32_t>(a[13 * i + 3]) << 11;
            r.m_coeffs[8 * i + 1] &= 0x1FFF;
 
            r.m_coeffs[8 * i + 2] = a[13 * i + 3] >> 2;
            r.m_coeffs[8 * i + 2] |= static_cast<uint32_t>(a[13 * i + 4]) << 6;
            r.m_coeffs[8 * i + 2] &= 0x1FFF;
 
            r.m_coeffs[8 * i + 3] = a[13 * i + 4] >> 7;
            r.m_coeffs[8 * i + 3] |= static_cast<uint32_t>(a[13 * i + 5]) << 1;
            r.m_coeffs[8 * i + 3] |= static_cast<uint32_t>(a[13 * i + 6]) << 9;
            r.m_coeffs[8 * i + 3] &= 0x1FFF;
 
            r.m_coeffs[8 * i + 4] = a[13 * i + 6] >> 4;
            r.m_coeffs[8 * i + 4] |= static_cast<uint32_t>(a[13 * i + 7]) << 4;
            r.m_coeffs[8 * i + 4] |= static_cast<uint32_t>(a[13 * i + 8]) << 12;
            r.m_coeffs[8 * i + 4] &= 0x1FFF;
 
            r.m_coeffs[8 * i + 5] = a[13 * i + 8] >> 1;
            r.m_coeffs[8 * i + 5] |= static_cast<uint32_t>(a[13 * i + 9]) << 7;
            r.m_coeffs[8 * i + 5] &= 0x1FFF;
 
            r.m_coeffs[8 * i + 6] = a[13 * i + 9] >> 6;
            r.m_coeffs[8 * i + 6] |= static_cast<uint32_t>(a[13 * i + 10]) << 2;
            r.m_coeffs[8 * i + 6] |= static_cast<uint32_t>(a[13 * i + 11]) << 10;
            r.m_coeffs[8 * i + 6] &= 0x1FFF;
 
            r.m_coeffs[8 * i + 7] = a[13 * i + 11] >> 3;
            r.m_coeffs[8 * i + 7] |= static_cast<uint32_t>(a[13 * i + 12]) << 5;
            r.m_coeffs[8 * i + 7] &= 0x1FFF;
 
            r.m_coeffs[8 * i + 0] = (1 << (DilithiumModeConstants::D - 1)) - r.m_coeffs[8 * i + 0];
            r.m_coeffs[8 * i + 1] = (1 << (DilithiumModeConstants::D - 1)) - r.m_coeffs[8 * i + 1];
            r.m_coeffs[8 * i + 2] = (1 << (DilithiumModeConstants::D - 1)) - r.m_coeffs[8 * i + 2];
            r.m_coeffs[8 * i + 3] = (1 << (DilithiumModeConstants::D - 1)) - r.m_coeffs[8 * i + 3];
            r.m_coeffs[8 * i + 4] = (1 << (DilithiumModeConstants::D - 1)) - r.m_coeffs[8 * i + 4];
            r.m_coeffs[8 * i + 5] = (1 << (DilithiumModeConstants::D - 1)) - r.m_coeffs[8 * i + 5];
            r.m_coeffs[8 * i + 6] = (1 << (DilithiumModeConstants::D - 1)) - r.m_coeffs[8 * i + 6];
            r.m_coeffs[8 * i + 7] = (1 << (DilithiumModeConstants::D - 1)) - r.m_coeffs[8 * i + 7];
         }
 
         return r;
      }

References Botan::DilithiumModeConstants::D, m_coeffs, and Botan::DilithiumModeConstants::N.

Referenced by Botan::Dilithium::PolynomialVector::unpack_t0().

◆ polyt1_pack()

void Botan::Dilithium::Polynomial::polyt1_pack ( uint8_t * r ) const

inline

Definition at line 939 of file dilithium_polynomials.h.

                                         {
         for(size_t i = 0; i < DilithiumModeConstants::N / 4; ++i) {
            r[5 * i + 0] = static_cast<uint8_t>((m_coeffs[4 * i + 0] >> 0));
            r[5 * i + 1] = static_cast<uint8_t>((m_coeffs[4 * i + 0] >> 8) | (m_coeffs[4 * i + 1] << 2));
            r[5 * i + 2] = static_cast<uint8_t>((m_coeffs[4 * i + 1] >> 6) | (m_coeffs[4 * i + 2] << 4));
            r[5 * i + 3] = static_cast<uint8_t>((m_coeffs[4 * i + 2] >> 4) | (m_coeffs[4 * i + 3] << 6));
            r[5 * i + 4] = static_cast<uint8_t>((m_coeffs[4 * i + 3] >> 2));
         }
      }

References m_coeffs, and Botan::DilithiumModeConstants::N.

◆ polyt1_unpack()

static void Botan::Dilithium::Polynomial::polyt1_unpack	(	Polynomial &	r,
		const uint8_t *	a )

inlinestatic

Definition at line 921 of file dilithium_polynomials.h.

                                                                 {
         for(size_t i = 0; i < DilithiumModeConstants::N / 4; ++i) {
            r.m_coeffs[4 * i + 0] = ((a[5 * i + 0] >> 0) | (static_cast<uint32_t>(a[5 * i + 1]) << 8)) & 0x3FF;
            r.m_coeffs[4 * i + 1] = ((a[5 * i + 1] >> 2) | (static_cast<uint32_t>(a[5 * i + 2]) << 6)) & 0x3FF;
            r.m_coeffs[4 * i + 2] = ((a[5 * i + 2] >> 4) | (static_cast<uint32_t>(a[5 * i + 3]) << 4)) & 0x3FF;
            r.m_coeffs[4 * i + 3] = ((a[5 * i + 3] >> 6) | (static_cast<uint32_t>(a[5 * i + 4]) << 2)) & 0x3FF;
         }
      }

References m_coeffs, and Botan::DilithiumModeConstants::N.

Referenced by Botan::Dilithium::PolynomialVector::unpack_t1().

◆ polyw1_pack()

void Botan::Dilithium::Polynomial::polyw1_pack	(	uint8_t *	r,
		const DilithiumModeConstants &	mode )

inline

Definition at line 599 of file dilithium_polynomials.h.

                                                                       {
         if(mode.gamma2() == (DilithiumModeConstants::Q - 1) / 88) {
            for(size_t i = 0; i < DilithiumModeConstants::N / 4; ++i) {
               r[3 * i + 0] = static_cast<uint8_t>(m_coeffs[4 * i + 0]);
               r[3 * i + 0] |= static_cast<uint8_t>(m_coeffs[4 * i + 1] << 6);
               r[3 * i + 1] = static_cast<uint8_t>(m_coeffs[4 * i + 1] >> 2);
               r[3 * i + 1] |= static_cast<uint8_t>(m_coeffs[4 * i + 2] << 4);
               r[3 * i + 2] = static_cast<uint8_t>(m_coeffs[4 * i + 2] >> 4);
               r[3 * i + 2] |= static_cast<uint8_t>(m_coeffs[4 * i + 3] << 2);
            }
         } else {
            BOTAN_ASSERT_NOMSG(mode.gamma2() == (DilithiumModeConstants::Q - 1) / 32);
            for(size_t i = 0; i < DilithiumModeConstants::N / 2; ++i) {
               r[i] = static_cast<uint8_t>(m_coeffs[2 * i + 0] | (m_coeffs[2 * i + 1] << 4));
            }
         }
      }

References BOTAN_ASSERT_NOMSG, Botan::DilithiumModeConstants::gamma2(), m_coeffs, Botan::DilithiumModeConstants::N, and Botan::DilithiumModeConstants::Q.

◆ polyz_pack()

void Botan::Dilithium::Polynomial::polyz_pack	(	uint8_t *	r,
		const DilithiumModeConstants &	mode ) const

inline

Definition at line 875 of file dilithium_polynomials.h.

                                                                            {
         uint32_t t[4];
         if(mode.gamma1() == (1 << 17)) {
            for(size_t i = 0; i < DilithiumModeConstants::N / 4; ++i) {
               t[0] = static_cast<uint32_t>(mode.gamma1()) - m_coeffs[4 * i + 0];
               t[1] = static_cast<uint32_t>(mode.gamma1()) - m_coeffs[4 * i + 1];
               t[2] = static_cast<uint32_t>(mode.gamma1()) - m_coeffs[4 * i + 2];
               t[3] = static_cast<uint32_t>(mode.gamma1()) - m_coeffs[4 * i + 3];
 
               r[9 * i + 0] = static_cast<uint8_t>(t[0]);
               r[9 * i + 1] = static_cast<uint8_t>(t[0] >> 8);
               r[9 * i + 2] = static_cast<uint8_t>(t[0] >> 16);
               r[9 * i + 2] |= static_cast<uint8_t>(t[1] << 2);
               r[9 * i + 3] = static_cast<uint8_t>(t[1] >> 6);
               r[9 * i + 4] = static_cast<uint8_t>(t[1] >> 14);
               r[9 * i + 4] |= static_cast<uint8_t>(t[2] << 4);
               r[9 * i + 5] = static_cast<uint8_t>(t[2] >> 4);
               r[9 * i + 6] = static_cast<uint8_t>(t[2] >> 12);
               r[9 * i + 6] |= static_cast<uint8_t>(t[3] << 6);
               r[9 * i + 7] = static_cast<uint8_t>(t[3] >> 2);
               r[9 * i + 8] = static_cast<uint8_t>(t[3] >> 10);
            }
         } else if(mode.gamma1() == (1 << 19)) {
            for(size_t i = 0; i < DilithiumModeConstants::N / 2; ++i) {
               t[0] = static_cast<uint32_t>(mode.gamma1()) - m_coeffs[2 * i + 0];
               t[1] = static_cast<uint32_t>(mode.gamma1()) - m_coeffs[2 * i + 1];
 
               r[5 * i + 0] = static_cast<uint8_t>(t[0]);
               r[5 * i + 1] = static_cast<uint8_t>(t[0] >> 8);
               r[5 * i + 2] = static_cast<uint8_t>(t[0] >> 16);
               r[5 * i + 2] |= static_cast<uint8_t>(t[1] << 4);
               r[5 * i + 3] = static_cast<uint8_t>(t[1] >> 4);
               r[5 * i + 4] = static_cast<uint8_t>(t[1] >> 12);
            }
         }
      }

References Botan::DilithiumModeConstants::gamma1(), m_coeffs, and Botan::DilithiumModeConstants::N.

◆ polyz_unpack()

static void Botan::Dilithium::Polynomial::polyz_unpack	(	Polynomial &	r,
		const uint8_t *	a,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 819 of file dilithium_polynomials.h.

                                                                                                    {
         if(mode.gamma1() == (1 << 17)) {
            for(size_t i = 0; i < DilithiumModeConstants::N / 4; ++i) {
               r.m_coeffs[4 * i + 0] = a[9 * i + 0];
               r.m_coeffs[4 * i + 0] |= static_cast<uint32_t>(a[9 * i + 1]) << 8;
               r.m_coeffs[4 * i + 0] |= static_cast<uint32_t>(a[9 * i + 2]) << 16;
               r.m_coeffs[4 * i + 0] &= 0x3FFFF;
 
               r.m_coeffs[4 * i + 1] = a[9 * i + 2] >> 2;
               r.m_coeffs[4 * i + 1] |= static_cast<uint32_t>(a[9 * i + 3]) << 6;
               r.m_coeffs[4 * i + 1] |= static_cast<uint32_t>(a[9 * i + 4]) << 14;
               r.m_coeffs[4 * i + 1] &= 0x3FFFF;
 
               r.m_coeffs[4 * i + 2] = a[9 * i + 4] >> 4;
               r.m_coeffs[4 * i + 2] |= static_cast<uint32_t>(a[9 * i + 5]) << 4;
               r.m_coeffs[4 * i + 2] |= static_cast<uint32_t>(a[9 * i + 6]) << 12;
               r.m_coeffs[4 * i + 2] &= 0x3FFFF;
 
               r.m_coeffs[4 * i + 3] = a[9 * i + 6] >> 6;
               r.m_coeffs[4 * i + 3] |= static_cast<uint32_t>(a[9 * i + 7]) << 2;
               r.m_coeffs[4 * i + 3] |= static_cast<uint32_t>(a[9 * i + 8]) << 10;
               r.m_coeffs[4 * i + 3] &= 0x3FFFF;
 
               r.m_coeffs[4 * i + 0] = static_cast<uint32_t>(mode.gamma1()) - r.m_coeffs[4 * i + 0];
               r.m_coeffs[4 * i + 1] = static_cast<uint32_t>(mode.gamma1()) - r.m_coeffs[4 * i + 1];
               r.m_coeffs[4 * i + 2] = static_cast<uint32_t>(mode.gamma1()) - r.m_coeffs[4 * i + 2];
               r.m_coeffs[4 * i + 3] = static_cast<uint32_t>(mode.gamma1()) - r.m_coeffs[4 * i + 3];
            }
         } else if(mode.gamma1() == (1 << 19)) {
            for(size_t i = 0; i < DilithiumModeConstants::N / 2; ++i) {
               r.m_coeffs[2 * i + 0] = a[5 * i + 0];
               r.m_coeffs[2 * i + 0] |= static_cast<uint32_t>(a[5 * i + 1]) << 8;
               r.m_coeffs[2 * i + 0] |= static_cast<uint32_t>(a[5 * i + 2]) << 16;
               r.m_coeffs[2 * i + 0] &= 0xFFFFF;
 
               r.m_coeffs[2 * i + 1] = a[5 * i + 2] >> 4;
               r.m_coeffs[2 * i + 1] |= static_cast<uint32_t>(a[5 * i + 3]) << 4;
               r.m_coeffs[2 * i + 1] |= static_cast<uint32_t>(a[5 * i + 4]) << 12;
               r.m_coeffs[2 * i + 0] &= 0xFFFFF;
 
               r.m_coeffs[2 * i + 0] = static_cast<uint32_t>(mode.gamma1()) - r.m_coeffs[2 * i + 0];
               r.m_coeffs[2 * i + 1] = static_cast<uint32_t>(mode.gamma1()) - r.m_coeffs[2 * i + 1];
            }
         }
      }

References Botan::DilithiumModeConstants::gamma1(), m_coeffs, and Botan::DilithiumModeConstants::N.

Referenced by poly_uniform_gamma1(), Botan::Dilithium::PolynomialVector::polyvec_unpack_z(), and Botan::Dilithium::PolynomialVector::unpack_sig().

◆ power2round()

static int32_t Botan::Dilithium::Polynomial::power2round	(	int32_t &	a0,
		int32_t	a )

inlinestatic

Definition at line 178 of file dilithium_polynomials.h.

                                                         {
         int32_t a1 = (a + (1 << (DilithiumModeConstants::D - 1)) - 1) >> DilithiumModeConstants::D;
         a0 = a - (a1 << DilithiumModeConstants::D);
         return a1;
      }

References Botan::DilithiumModeConstants::D.

Referenced by fill_polys_power2round().

◆ rej_eta()

static size_t Botan::Dilithium::Polynomial::rej_eta	(	Polynomial &	a,
		size_t	offset,
		size_t	len,
		const secure_vector< uint8_t > &	buf,
		size_t	buflen,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 101 of file dilithium_polynomials.h.

                                                                {
         size_t ctr = 0, pos = 0;
         while(ctr < len && pos < buflen) {
            uint32_t t0 = buf[pos] & 0x0F;
            uint32_t t1 = buf[pos++] >> 4;
 
            switch(mode.eta()) {
               case DilithiumEta::Eta2: {
                  if(t0 < 15) {
                     t0 = t0 - (205 * t0 >> 10) * 5;
                     a.m_coeffs[offset + ctr++] = 2 - t0;
                  }
                  if(t1 < 15 && ctr < len) {
                     t1 = t1 - (205 * t1 >> 10) * 5;
                     a.m_coeffs[offset + ctr++] = 2 - t1;
                  }
               } break;
               case DilithiumEta::Eta4: {
                  if(t0 < 9) {
                     a.m_coeffs[offset + ctr++] = 4 - t0;
                  }
                  if(t1 < 9 && ctr < len) {
                     a.m_coeffs[offset + ctr++] = 4 - t1;
                  }
               } break;
            }
         }
         return ctr;
      }

References Botan::DilithiumModeConstants::eta(), Botan::Eta2, Botan::Eta4, and m_coeffs.

Referenced by fill_poly_uniform_eta().

◆ rej_uniform()

static size_t Botan::Dilithium::Polynomial::rej_uniform	(	Polynomial &	p,
		size_t	position,
		size_t	len,
		const uint8_t *	buf,
		size_t	buflen )

inlinestatic

Definition at line 70 of file dilithium_polynomials.h.

                                                                                                               {
         size_t ctr = 0, pos = 0;
         while(ctr < len && pos + 3 <= buflen) {
            uint32_t t = buf[pos++];
            t |= static_cast<uint32_t>(buf[pos++]) << 8;
            t |= static_cast<uint32_t>(buf[pos++]) << 16;
            t &= 0x7FFFFF;
 
            if(t < DilithiumModeConstants::Q) {
               p.m_coeffs[position + ctr++] = static_cast<int32_t>(t);
            }
         }
         return ctr;
      }

References m_coeffs, and Botan::DilithiumModeConstants::Q.

Referenced by Botan::Dilithium::PolynomialVector::poly_uniform().

◆ use_hint()

static int32_t Botan::Dilithium::Polynomial::use_hint	(	int32_t	a,
		size_t	hint,
		const DilithiumModeConstants &	mode )

inlinestatic

Definition at line 365 of file dilithium_polynomials.h.

                                                                                          {
         int32_t a0;
 
         int32_t a1 = Polynomial::decompose(&a0, a, mode);
         if(hint == 0) {
            return a1;
         }
 
         if(mode.gamma2() == ((DilithiumModeConstants::Q - 1) / 32)) {
            if(a0 > 0) {
               return (a1 + 1) & 15;
            } else {
               return (a1 - 1) & 15;
            }
         } else {
            if(a0 > 0) {
               return (a1 == 43) ? 0 : a1 + 1;
            } else {
               return (a1 == 0) ? 43 : a1 - 1;
            }
         }
      }

References decompose(), Botan::DilithiumModeConstants::gamma2(), and Botan::DilithiumModeConstants::Q.

Referenced by poly_use_hint().

Member Data Documentation

◆ m_coeffs

std::array<int32_t, Botan::DilithiumModeConstants::N> Botan::Dilithium::Polynomial::m_coeffs

Definition at line 31 of file dilithium_polynomials.h.

Referenced by cadd_q(), fill_polys_power2round(), generate_hint_polynomial(), invntt_tomont(), ntt(), operator+=(), operator-=(), poly_challenge(), poly_chknorm(), poly_decompose(), poly_pointwise_montgomery(), poly_reduce(), poly_shiftl(), poly_use_hint(), polyeta_pack(), polyeta_unpack(), polyt0_pack(), polyt0_unpack(), polyt1_pack(), polyt1_unpack(), polyw1_pack(), polyz_pack(), polyz_unpack(), rej_eta(), and rej_uniform().

The documentation for this class was generated from the following file:

src/lib/pubkey/dilithium/dilithium_common/dilithium_polynomials.h

Public Member Functions

Static Public Member Functions

Public Attributes

Detailed Description

Constructor & Destructor Documentation

◆ Polynomial()

Member Function Documentation

◆ cadd_q()

◆ decompose()

◆ fill_poly_uniform_eta()

◆ fill_polys_power2round()

◆ generate_hint_polynomial()

◆ invntt_tomont()

◆ make_hint()

◆ montgomery_reduce()

◆ ntt()

◆ operator+=()

◆ operator-=()

◆ poly_challenge()

◆ poly_chknorm()

◆ poly_decompose()

◆ poly_invntt_tomont()

◆ poly_pointwise_montgomery()

◆ poly_reduce()

◆ poly_shiftl()

◆ poly_uniform_gamma1()

◆ poly_use_hint()

◆ polyeta_pack()

◆ polyeta_unpack()

◆ polyt0_pack()

◆ polyt0_unpack()

◆ polyt1_pack()

◆ polyt1_unpack()

◆ polyw1_pack()

◆ polyz_pack()

◆ polyz_unpack()

◆ power2round()

◆ rej_eta()

◆ rej_uniform()

◆ use_hint()

Member Data Documentation

◆ m_coeffs