latticearc 0.5.0

Production-ready post-quantum cryptography. Hybrid ML-KEM+X25519 by default, all 4 NIST standards (FIPS 203–206), post-quantum TLS, and FIPS 140-3 backend — one crate, zero unsafe.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204

//! Number Theoretic Transform (NTT) operations
//!
//! Implements forward and inverse NTT for efficient polynomial multiplication
//! in the ring R_q = Z_q[X]/(X^256 + 1).

// NTT uses mathematically bounded indices: ZETAS[k] where k ∈ [0,127]
// for ZETAS: [i32; 128], and fixed-size array access [0]/[1] on [i32; 2].
#![allow(clippy::indexing_slicing)]

use super::constants::{MLKEM_N, MONT_SQ_INV, ZETAS};
use super::reduction::{barrett_reduce, montgomery_reduce};

/// Forward Number Theoretic Transform (NTT)
/// Transforms polynomial from coefficient domain to NTT domain
pub fn ntt(r: &mut [i32; MLKEM_N]) {
    let mut len = 128;
    let mut k = 1;

    while len >= 2 {
        let mut start = 0;
        while start < MLKEM_N {
            let zeta = ZETAS[k - 1];
            k += 1;

            let mut j = start;
            while j < start + len {
                if let (Some(&r_j), Some(r_j_len)) = (r.get(j), r.get(j + len)) {
                    let t = montgomery_reduce(zeta as i64 * (*r_j_len) as i64);
                    if let Some(r_len_pos) = r.get_mut(j + len) {
                        *r_len_pos = *r_j - t;
                    }
                    if let Some(r_pos) = r.get_mut(j) {
                        *r_pos += t;
                    }
                }
                j += 1;
            }
            start += 2 * len;
        }
        len >>= 1;
    }
}

/// Inverse Number Theoretic Transform (INTT)
/// Transforms polynomial from NTT domain back to coefficient domain
pub fn invntt(r: &mut [i32; MLKEM_N]) {
    let mut len = 2;
    let mut k = 127;

    while len <= 128 {
        let mut start = 0;
        while start < MLKEM_N {
            let zeta = ZETAS[k];
            k -= 1;

            let mut j = start;
            while j < start + len {
                if let (Some(&r_j), Some(&r_j_len)) = (r.get(j), r.get(j + len)) {
                    // Compute new values before mutating to avoid borrow conflicts
                    let new_r_j = barrett_reduce(r_j + r_j_len);
                    let diff = r_j_len - r_j;
                    let new_r_j_len = montgomery_reduce(zeta as i64 * diff as i64);

                    if let Some(r_pos) = r.get_mut(j) {
                        *r_pos = new_r_j;
                    }
                    if let Some(r_len_pos) = r.get_mut(j + len) {
                        *r_len_pos = new_r_j_len;
                    }
                }
                j += 1;
            }
            start += 2 * len;
        }
        len <<= 1;
    }

    // Final scaling by 1/128
    for i in 0..MLKEM_N {
        if let Some(&r_val) = r.get(i) {
            if let Some(r_pos) = r.get_mut(i) {
                *r_pos = montgomery_reduce(r_val as i64 * MONT_SQ_INV as i64);
            }
        }
    }
}

/// Base multiplication in NTT domain
/// Multiplies two polynomials modulo X^2 - zeta
pub fn basemul(r: &mut [i32; 2], a: &[i32; 2], b: &[i32; 2], zeta: i32) {
    let zeta_a1_b1 = montgomery_reduce(montgomery_reduce(a[1] as i64 * b[1] as i64) as i64 * zeta as i64);
    r[0] = montgomery_reduce(a[0] as i64 * b[0] as i64) + zeta_a1_b1;
    r[1] = montgomery_reduce(a[0] as i64 * b[1] as i64) + montgomery_reduce(a[1] as i64 * b[0] as i64);
}

#[cfg(test)]
mod tests {
    use super::*;
    use super::super::test_utils::measure_timing_variance;

    #[test]
    fn test_basemul_constant_time_succeeds() {
        let test_pairs = [
            ([0, 0], [0, 0]),
            ([1, 1], [1, 1]),
            ([42, 100], [200, 300]),
            ([1000, 2000], [3000, 4000]),
            ([3328, 3328], [3328, 3328]),
            ([-1, -1], [-1, -1]),
        ];

        let zeta_values = [1, -1, 100, -100, 1044, -1044];

        for (a, b) in &test_pairs {
            for &zeta in &zeta_values {
                let variance = measure_timing_variance(
                    || {
                        let mut result = [0i32; 2];
                        basemul(&mut result, a, b, zeta);
                    },
                    1000
                );

                assert!(
                    variance < 10.0,
                    "Base multiplication shows high timing variance ({:.2}%)",
                    variance
                );
            }
        }
    }

    #[test]
    fn test_ntt_constant_time_succeeds() {
        let test_polynomials = [
            [0i32; MLKEM_N],
            core::array::from_fn(|i| (i % 10) as i32),
            core::array::from_fn(|i| (i * i % 3329) as i32),
        ];

        for poly in &test_polynomials {
            let variance = measure_timing_variance(
                || {
                    let mut poly_copy = *poly;
                    ntt(&mut poly_copy);
                },
                500
            );

            assert!(
                variance < 10.0,
                "NTT shows high timing variance ({:.2}%)",
                variance
            );
        }
    }

    #[test]
    fn test_invntt_constant_time_succeeds() {
        let test_polynomials = [
            [0i32; MLKEM_N],
            core::array::from_fn(|i| (i % 10) as i32),
            core::array::from_fn(|i| (i * i % 3329) as i32),
        ];

        for poly in &test_polynomials {
            let variance = measure_timing_variance(
                || {
                    let mut poly_copy = *poly;
                    invntt(&mut poly_copy);
                },
                500
            );

            assert!(
                variance < 10.0,
                "Inverse NTT shows high timing variance ({:.2}%)",
                variance
            );
        }
    }

    #[test]
    fn test_basemul_deterministic() {
        let test_vectors = [
            ([0, 0], [0, 0]),
            ([1, 1], [1, 1]),
            ([42, 100], [200, 300]),
        ];

        for (a, b) in &test_vectors {
            for &zeta in &[1, -1, 100, -100] {
                let mut result1 = [0i32; 2];
                let mut result2 = [0i32; 2];

                basemul(&mut result1, a, b, zeta);
                basemul(&mut result2, a, b, zeta);

                assert_eq!(result1, result2,
                    "Base multiplication produces non-deterministic results");
            }
        }
    }
}