Move bounds check for poly mulcache computation

In the default backend, mulcaches are subject to the coefficient-wise bound by q, and this bound is currently checked for in poly_mulcache_compute(), including the case of a native backend implementation. Native backends, however, are free to not use the mulcache (as is the case for AVX2, for example), in which case the bounds check would force them to zeroize the mulcache structure for no benefit. This commit moves the bounds check on the poly mulcache from the time of compute to the time of use, in poly_basemul_montgomery_cached(). That is, if a native implementation merely replaces the mulcache computation, but not the base multiplication (unlikely as it may be), the bounds will still be checked. If a native backend to use a custom base multiplication not requiring a mulcache, it can just return immediately from poly_mulcache_compute_native(). Signed-off-by: Hanno Becker <[email protected]>
pq-code-package · Dec 3, 2024 · 2d0c904 · 2d0c904
1 parent cb1941f
commit 2d0c904
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 9 deletions.
diff --git a/mlkem/native/x86_64/profiles/default.h b/mlkem/native/x86_64/profiles/default.h
@@ -74,13 +74,7 @@ static INLINE void poly_mulcache_compute_native(poly_mulcache *x, const poly *y)
 {
   /* AVX2 backend does not use mulcache */
   ((void)y);
-
-  /*
-   * TODO! The mulcache is subject to the absolute bound < q
-   * This needs to be dropped if the mulcache is not present.
-   * Until that's done, memset to 0 to avoid failure.
-   */
-  memset(x, 0, sizeof(poly_mulcache));
+  ((void)x);
 }
 
 static INLINE void polyvec_basemul_acc_montgomery_cached_native(

diff --git a/mlkem/poly.c b/mlkem/poly.c
@@ -456,6 +456,8 @@ void poly_basemul_montgomery_cached(poly *r, const poly *a, const poly *b,
                                     const poly_mulcache *b_cache)
 {
   int i;
+  POLY_BOUND(b_cache, MLKEM_Q);
+
   for (i = 0; i < MLKEM_N / 4; i++)
   __loop__(
     assigns(i, object_whole(r))
@@ -559,6 +561,8 @@ void poly_mulcache_compute(poly_mulcache *x, const poly *a)
 void poly_mulcache_compute(poly_mulcache *x, const poly *a)
 {
   poly_mulcache_compute_native(x, a);
-  POLY_BOUND(x, MLKEM_Q);
+  /* Omitting POLY_BOUND(x, MLKEM_Q) since native implementations may
+   * decide not to use a mulcache. Note that the C backend implementation
+   * of poly_basemul_montgomery_cached() does still include the check. */
 }
 #endif /* MLKEM_USE_NATIVE_POLY_MULCACHE_COMPUTE */
diff --git a/mlkem/polyvec.c b/mlkem/polyvec.c
@@ -128,7 +128,9 @@ void polyvec_basemul_acc_montgomery_cached(poly *r, const polyvec *a,
 {
   POLYVEC_BOUND(a, MLKEM_Q);
   POLYVEC_BOUND(b, NTT_BOUND);
-  POLYVEC_BOUND(b_cache, MLKEM_Q);
+  /* Omitting POLYVEC_BOUND(b_cache, MLKEM_Q) since native implementations may
+   * decide not to use a mulcache. Note that the C backend implementation
+   * of poly_basemul_montgomery_cached() does still include the check. */
   polyvec_basemul_acc_montgomery_cached_native(r, a, b, b_cache);
 }
 #endif /* MLKEM_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED */