Skip to content

ML-DSA constant-time hardening for caddq, poly_chknorm, decompose #2602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

ML-DSA constant-time hardening for caddq, poly_chknorm, decompose #2602

wants to merge 1 commit into from
+13 −9

Conversation

dkostic
Copy link
Contributor

@dkostic dkostic commented Aug 5, 2025

Issues:

N/A

Description of changes:

ML-DSA constant-time hardening for caddq, poly_chknorm, decompose

Based on pq-code-package/mldsa-native#371.

Call-outs:

Point out areas that need special attention or support during the review process. Discuss architecture or design changes.

Testing:

How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@dkostic dkostic requested a review from a team as a code owner August 5, 2025 20:42
github-actions[bot]
github-actions bot reviewed Aug 5, 2025
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clang-tidy made some suggestions

crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.c
@@ -52,7 +52,8 @@ int32_t ml_dsa_reduce32(int32_t a) {
* Returns r.
**************************************************/
int32_t ml_dsa_caddq(int32_t a) {
a += (a >> 31) & ML_DSA_Q;
// a = a < 0 ? a + Q : a;
a = constant_time_select_int(constant_time_msb_w(a), a + ML_DSA_Q, a);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

warning: call to undeclared function 'constant_time_msb_w'; ISO C99 and later do not support implicit function declarations [clang-diagnostic-implicit-function-declaration]

  a = constant_time_select_int(constant_time_msb_w(a), a + ML_DSA_Q, a);
                               ^

crypto/fipsmodule/ml_dsa/ml_dsa_ref/reduce.c
@@ -52,7 +52,8 @@
* Returns r.
**************************************************/
int32_t ml_dsa_caddq(int32_t a) {
a += (a >> 31) & ML_DSA_Q;
// a = a < 0 ? a + Q : a;
a = constant_time_select_int(constant_time_msb_w(a), a + ML_DSA_Q, a);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

warning: call to undeclared function 'constant_time_select_int'; ISO C99 and later do not support implicit function declarations [clang-diagnostic-implicit-function-declaration]

  a = constant_time_select_int(constant_time_msb_w(a), a + ML_DSA_Q, a);
      ^

crypto/fipsmodule/ml_dsa/ml_dsa_ref/rounding.c
a1 = (a1*11275 + (1 << 23)) >> 24;
a1 ^= ((43 - a1) >> 31) & a1;
// a1 = 43 < a1 ? 0 : a1;
a1 = constant_time_select_int(constant_time_msb_w(43 - a1), 0, a1);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

warning: call to undeclared function 'constant_time_msb_w'; ISO C99 and later do not support implicit function declarations [clang-diagnostic-implicit-function-declaration]

    a1 = constant_time_select_int(constant_time_msb_w(43 - a1), 0, a1);
                                  ^

crypto/fipsmodule/ml_dsa/ml_dsa_ref/rounding.c
a1 = (a1*11275 + (1 << 23)) >> 24;
a1 ^= ((43 - a1) >> 31) & a1;
// a1 = 43 < a1 ? 0 : a1;
a1 = constant_time_select_int(constant_time_msb_w(43 - a1), 0, a1);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

warning: call to undeclared function 'constant_time_select_int'; ISO C99 and later do not support implicit function declarations [clang-diagnostic-implicit-function-declaration]

    a1 = constant_time_select_int(constant_time_msb_w(43 - a1), 0, a1);
         ^

@codecov-commenter
Copy link

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.68%. Comparing base (d966806) to head (579a7a5).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2602   +/-   ##
=======================================
  Coverage   78.68%   78.68%           
=======================================
  Files         645      645           
  Lines      110738   110744    +6     
  Branches    15656    15661    +5     
=======================================
+ Hits        87132    87144   +12     
+ Misses      22915    22910    -5     
+ Partials      691      690    -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@nebeid nebeid nebeid approved these changes

@jakemas jakemas jakemas approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dkostic @codecov-commenter @nebeid @jakemas