Merge pull request #414 from pq-code-package/caddq-asm

mkannwischer · web-flow · commit 17b2c76bcfc2 · 2025-09-27T13:10:51.000+08:00
Add native implementation for `poly_caddq`
diff --git a/mldsa/native/aarch64/meta.h b/mldsa/native/aarch64/meta.h
@@ -15,6 +15,7 @@
 #define MLD_USE_NATIVE_REJ_UNIFORM_ETA4
 #define MLD_USE_NATIVE_POLY_DECOMPOSE_32
 #define MLD_USE_NATIVE_POLY_DECOMPOSE_88
+#define MLD_USE_NATIVE_POLY_CADDQ
 
 /* Identifier for this backend so that source and assembly files
  * in the build can be appropriately guarded. */
@@ -107,6 +108,11 @@ static MLD_INLINE void mld_poly_decompose_88_native(int32_t *a1, int32_t *a0,
   mld_poly_decompose_88_asm(a1, a0, a);
 }
 
+static MLD_INLINE void mld_poly_caddq_native(int32_t a[MLDSA_N])
+{
+  mld_poly_caddq_asm(a);
+}
+
 #endif /* !__ASSEMBLER__ */
 
 #endif /* !MLD_NATIVE_AARCH64_META_H */
diff --git a/mldsa/native/aarch64/src/arith_native_aarch64.h b/mldsa/native/aarch64/src/arith_native_aarch64.h
@@ -68,4 +68,7 @@ void mld_poly_decompose_32_asm(int32_t *a1, int32_t *a0, const int32_t *a);
 #define mld_poly_decompose_88_asm MLD_NAMESPACE(poly_decompose_88_asm)
 void mld_poly_decompose_88_asm(int32_t *a1, int32_t *a0, const int32_t *a);
 
+#define mld_poly_caddq_asm MLD_NAMESPACE(poly_caddq_asm)
+void mld_poly_caddq_asm(int32_t *a);
+
 #endif /* !MLD_NATIVE_AARCH64_SRC_ARITH_NATIVE_AARCH64_H */
diff --git a/mldsa/native/aarch64/src/poly_caddq_asm.S b/mldsa/native/aarch64/src/poly_caddq_asm.S
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#include "../../../common.h"
+
+#if defined(MLD_ARITH_BACKEND_AARCH64) && !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
+
+.macro caddq inout
+        ushr tmp.4s, \inout\().4s, #31
+        mla \inout\().4s, tmp.4s, q_reg.4s
+.endm
+
+.global MLD_ASM_NAMESPACE(poly_caddq_asm)
+.balign 16
+MLD_ASM_FN_SYMBOL(poly_caddq_asm)
+        // Function signature: void mld_poly_caddq_asm(int32_t *a)
+        // x0: pointer to polynomial coefficients
+
+        // Register assignments
+        a_ptr           .req x0
+        count           .req x1
+        q_reg           .req v4
+        tmp             .req v5
+
+        // Load constants
+        // MLDSA_Q = 8380417 = 0x7FE001
+        movz w9, #0xE001
+        movk w9, #0x7F, lsl #16
+        dup q_reg.4s, w9        // Load Q values
+
+        mov count, #64/4
+poly_caddq_loop:
+        ldr q0, [a_ptr, #0*16]
+        ldr q1, [a_ptr, #1*16]
+        ldr q2, [a_ptr, #2*16]
+        ldr q3, [a_ptr, #3*16]
+
+        caddq v0
+        caddq v1
+        caddq v2
+        caddq v3
+
+        str q1, [a_ptr, #1*16]
+        str q2, [a_ptr, #2*16]
+        str q3, [a_ptr, #3*16]
+        str q0, [a_ptr], #4*16
+
+        subs count, count, #1
+        bne poly_caddq_loop
+
+        ret
+
+        .unreq a_ptr
+        .unreq count
+        .unreq q_reg
+        .unreq tmp
+
+#endif /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED */
diff --git a/mldsa/native/api.h b/mldsa/native/api.h
@@ -210,5 +210,16 @@ static MLD_INLINE void mld_poly_decompose_88_native(int32_t *a1, int32_t *a0,
                                                     const int32_t *a);
 #endif /* MLD_USE_NATIVE_POLY_DECOMPOSE_88 */
 
+#if defined(MLD_USE_NATIVE_POLY_CADDQ)
+/*************************************************
+ * Name:        mld_poly_caddq_native
+ *
+ * Description: For all coefficients of in/out polynomial add Q if
+ *              coefficient is negative.
+ *
+ * Arguments:   - int32_t *a: pointer to input/output polynomial
+ **************************************************/
+static MLD_INLINE void mld_poly_caddq_native(int32_t a[MLDSA_N]);
+#endif /* MLD_USE_NATIVE_POLY_CADDQ */
 
 #endif /* !MLD_NATIVE_API_H */
diff --git a/mldsa/native/x86_64/meta.h b/mldsa/native/x86_64/meta.h
@@ -19,6 +19,7 @@
 #define MLD_USE_NATIVE_REJ_UNIFORM_ETA4
 #define MLD_USE_NATIVE_POLY_DECOMPOSE_32
 #define MLD_USE_NATIVE_POLY_DECOMPOSE_88
+#define MLD_USE_NATIVE_POLY_CADDQ
 
 #if !defined(__ASSEMBLER__)
 #include <string.h>
@@ -112,6 +113,11 @@ static MLD_INLINE void mld_poly_decompose_88_native(int32_t *a1, int32_t *a0,
   mld_poly_decompose_88_avx2((__m256i *)a1, (__m256i *)a0, (const __m256i *)a);
 }
 
+static MLD_INLINE void mld_poly_caddq_native(int32_t a[MLDSA_N])
+{
+  mld_poly_caddq_avx2(a);
+}
+
 #endif /* !__ASSEMBLER__ */
 
 #endif /* !MLD_NATIVE_X86_64_META_H */
diff --git a/mldsa/native/x86_64/src/arith_native_x86_64.h b/mldsa/native/x86_64/src/arith_native_x86_64.h
@@ -60,4 +60,7 @@ void mld_poly_decompose_32_avx2(__m256i *a1, __m256i *a0, const __m256i *a);
 #define mld_poly_decompose_88_avx2 MLD_NAMESPACE(mld_poly_decompose_88_avx2)
 void mld_poly_decompose_88_avx2(__m256i *a1, __m256i *a0, const __m256i *a);
 
+#define mld_poly_caddq_avx2 MLD_NAMESPACE(poly_caddq_avx2)
+void mld_poly_caddq_avx2(int32_t *r);
+
 #endif /* !MLD_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H */
diff --git a/mldsa/native/x86_64/src/poly_caddq_avx2.c b/mldsa/native/x86_64/src/poly_caddq_avx2.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/*
+ * This file is derived from the public domain
+ * AVX2 Dilithium implementation @[REF_AVX2].
+ */
+
+#include "../../../common.h"
+
+#if defined(MLD_ARITH_BACKEND_X86_64_DEFAULT) && \
+    !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
+
+#include <immintrin.h>
+#include "arith_native_x86_64.h"
+#include "consts.h"
+
+/*************************************************
+ * Name:        mld_poly_caddq_avx2
+ *
+ * Description: For all coefficients of in/out polynomial add Q if
+ *              coefficient is negative.
+ *
+ * Arguments:   - int32_t *r: pointer to input/output polynomial
+ **************************************************/
+void mld_poly_caddq_avx2(int32_t *r)
+{
+  unsigned int i;
+  __m256i f, g;
+  const __m256i q = _mm256_set1_epi32(MLDSA_Q);
+  const __m256i zero = _mm256_setzero_si256();
+  __m256i *rr = (__m256i *)r;
+
+  for (i = 0; i < MLDSA_N / 8; i++)
+  {
+    f = _mm256_load_si256(&rr[i]);
+    g = _mm256_cmpgt_epi32(zero, f);
+    g = _mm256_and_si256(g, q);
+    f = _mm256_add_epi32(f, g);
+    _mm256_store_si256(&rr[i], f);
+  }
+}
+
+#else /* MLD_ARITH_BACKEND_X86_64_DEFAULT && !MLD_CONFIG_MULTILEVEL_NO_SHARED \
+       */
+
+MLD_EMPTY_CU(avx2_reduce)
+
+#endif /* !(MLD_ARITH_BACKEND_X86_64_DEFAULT && \
+          !MLD_CONFIG_MULTILEVEL_NO_SHARED) */
diff --git a/mldsa/poly.c b/mldsa/poly.c
@@ -32,6 +32,8 @@ void mld_poly_reduce(mld_poly *a)
   mld_assert_bound(a->coeffs, MLDSA_N, -REDUCE32_RANGE_MAX, REDUCE32_RANGE_MAX);
 }
 
+
+#if !defined(MLD_USE_NATIVE_POLY_CADDQ)
 MLD_INTERNAL_API
 void mld_poly_caddq(mld_poly *a)
 {
@@ -50,6 +52,15 @@ void mld_poly_caddq(mld_poly *a)
 
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
 }
+#else  /* !MLD_USE_NATIVE_POLY_CADDQ */
+MLD_INTERNAL_API
+void mld_poly_caddq(mld_poly *a)
+{
+  mld_assert_abs_bound(a->coeffs, MLDSA_N, MLDSA_Q);
+  mld_poly_caddq_native(a->coeffs);
+  mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
+}
+#endif /* MLD_USE_NATIVE_POLY_CADDQ */
 
 /* Reference: We use destructive version (output=first input) to avoid
  *            reasoning about aliasing in the CBMC specification */
