Merge pull request #9421 from SparkiDev/mlkem_to_bytes_fix

dgarske · web-flow · commit 4f3586fe580b · 2025-11-13T08:57:31.000-08:00
ML-KEM to bytes C: not reducing all values
diff --git a/wolfcrypt/src/wc_mlkem_poly.c b/wolfcrypt/src/wc_mlkem_poly.c
@@ -4775,7 +4775,7 @@ static MLKEM_NOINLINE void mlkem_csubq_c(sword16* p)
     for (i = 0; i < MLKEM_N; ++i) {
         sword16 t = p[i] - MLKEM_Q;
         /* When top bit set, -ve number - need to add q back. */
-        p[i] = ((t >> 15) & MLKEM_Q) + t;
+        p[i] = (sword16)((word16)(-((word16)t >> 15)) & MLKEM_Q) + t;
     }
 }
 
@@ -6021,11 +6021,11 @@ static void mlkem_to_bytes_c(byte* b, sword16* p, int k)
     int i;
     int j;
 
-    /* Reduce each coefficient to mod q. */
-    mlkem_csubq_c(p);
-    /* All values are now positive. */
-
     for (j = 0; j < k; j++) {
+        /* Reduce each coefficient to mod q. */
+        mlkem_csubq_c(p);
+        /* All values are now positive. */
+
         for (i = 0; i < MLKEM_N / 2; i++) {
             word16 t0 = p[2 * i];
             word16 t1 = p[2 * i + 1];
