From d2370c3451b1c1c29e245246e5b4721747c272d3 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 17:23:33 +0100
Subject: [PATCH 01/12] Update poly.go

---
 crystals-kyber/poly.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 1d19a70..442614f 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -195,7 +195,7 @@ func (p *Poly) compress(d int) []byte {
 var t [8]uint16
 id := 0
 for i := 0; i < n/8; i++ {
- for j := 0; j < 8; j++ {
+ for j := 0; j < 8; j++ { //TODO: fix KyberSlash2 here
 t[j] = uint16(((uint32(p[8*i+j])<<3)+uint32(q)/2)/
 uint32(q)) & ((1 << 3) - 1)
 }
@@ -207,11 +207,18 @@ func (p *Poly) compress(d int) []byte {

 case 4:
 var t [8]uint16
+ var d0 uint32 /* accumulation value for fixing KyberSlash2 */
 id := 0
 for i := 0; i < n/8; i++ {
 for j := 0; j < 8; j++ {
- t[j] = uint16(((uint32(p[8*i+j])<<4)+uint32(q)/2)/
- uint32(q)) & ((1 << 4) - 1)
+ /* t[j] = uint16(((uint32(p[8*i+j])<<4)+uint32(q)/2)/
+ uint32(q)) & ((1 << 4) - 1)*/
+ t[j] = uint16(p[8*i+j])
+ d0 = uint32(t << 4)
+ d0 += 1665
+ d0 *= 80635
+ d0 >>= 28
+ t[j] = d0 & 0xf;
 }
 c[id] = byte(t[0]) | byte(t[1]<<4)
 c[id+1] = byte(t[2]) | byte(t[3]<<4)
@@ -240,7 +240,7 @@ func (p *Poly) compress(d int) []byte {
 var t [4]uint16
 id := 0
 for i := 0; i < n/4; i++ {
- for j := 0; j < 4; j++ {
+ for j := 0; j < 4; j++ {//TODO: fix KyberSlash2 here
 t[j] = uint16(((uint32(p[4*i+j])<<6)+uint32(q)/2)/
 uint32(q)) & ((1 << 6) - 1)
 }

From edd8c6e34e16ef2140a1c8ebad404559e44020f8 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 17:25:48 +0100
Subject: [PATCH 02/12] Update poly.go

---
 crystals-kyber/poly.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

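Review bot: The replaced division is left in place as a `/* ... */` block above the new arithmetic, and every later case in this series (patches 04, 08, 09, 10 and 11) repeats the pattern; the old formula is in git history, so the comment should instead say what the magic numbers are, e.g. `// round(x*2^4/q) without dividing: 80635 ~ 2^28/q, +1665 is the rounding offset; exact only for 0 <= x < q`. If q is Kyber's 3329 the uint32 product overflows for the largest coefficients ((3328<<4 + 1665) * 80635 > 2^32); the wrap is harmless because the lost multiples of 2^32 become multiples of 16 after `d0 >>= 28`, which `& 0xf` drops, but that reasoning belongs in the comment since it is the first thing a reader of a constant-time fix will question. compress starts and continues outside the hunk.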
diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 442614f..25984db 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -214,7 +214,7 @@ func (p *Poly) compress(d int) []byte {
 /* t[j] = uint16(((uint32(p[8*i+j])<<4)+uint32(q)/2)/
 uint32(q)) & ((1 << 4) - 1)*/
 t[j] = uint16(p[8*i+j])
- d0 = uint32(t << 4)
+ d0 = uint32(t[j] << 4)
 d0 += 1665
 d0 *= 80635
 d0 >>= 28

From b1c357381141bffe63b9dae6579dc2e1b4981f7e Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 17:27:55 +0100
Subject: [PATCH 03/12] Update poly.go

---
 crystals-kyber/poly.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 25984db..15ded9b 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -218,7 +218,7 @@ func (p *Poly) compress(d int) []byte {
 d0 += 1665
 d0 *= 80635
 d0 >>= 28
- t[j] = d0 & 0xf;
+ t[j] = uint16(d0 & 0xf)
 }
 c[id] = byte(t[0]) | byte(t[1]<<4)
 c[id+1] = byte(t[2]) | byte(t[3]<<4)

From bffe8563a84549465a38b06724663cfd1bdc1cf9 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 17:32:04 +0100
Subject: [PATCH 04/12] bugfix:KyberSlash2 case d=5

---
 crystals-kyber/poly.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 15ded9b..56ed0ab 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -229,11 +229,18 @@ func (p *Poly) compress(d int) []byte {

 case 5:
 var t [8]uint16
+ var d0 uint32 /* accumulation value for fixing KyberSlash2 */
 id := 0
 for i := 0; i < n/8; i++ {
 for j := 0; j < 8; j++ {
- t[j] = uint16(((uint32(p[8*i+j])<<5)+uint32(q)/2)/
- uint32(q)) & ((1 << 5) - 1)
+ /* t[j] = uint16(((uint32(p[8*i+j])<<5)+uint32(q)/2)/
+ uint32(q)) & ((1 << 5) - 1) */
+ t[j] = uint16(p[8*i+j])
+ d0 = uint32(t[j] << 5)
+ d0 += 1664
+ d0 *= 40318
+ d0 >>= 27
+ t[j] = uint16(d0 & 0x1f)
 }
 c[id] = byte(t[0]) | byte(t[1]<<5)
 c[id+1] = byte(t[1]>>3) | byte(t[2]<<2) | byte(t[3]<<7)

From d0631a8e55f8db044be38ed9de46f4a382f03613 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 17:37:31 +0100
Subject: [PATCH 05/12] Update poly.go

---
 crystals-kyber/poly.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 56ed0ab..5502e25 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -186,7 +186,7 @@ func polyToMsg(p Poly) []byte {
 return msg
 }

-//compress packs a polynomial into a byte array using d bits per coefficient
+//compress packs a polynomial into a byte array using d bits per coefficient - fixed against https://kyberslash.cr.yp.to/faq.html (cases d=4,5 only for now)
 func (p *Poly) compress(d int) []byte {
 c := make([]byte, n*d/8)
 switch d {
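Review bot: The parenthetical "(cases d=4,5 only for now)" in the new doc comment is stale by the end of this series — patches 08 to 11 convert d=3, 6, 10 and 11 the same way — and the comment omits the precondition the multiply-shift rounding relies on. Suggest `//compress packs a polynomial into a byte array using d bits per coefficient.` followed by `// Rounding avoids a division by q (https://kyberslash.cr.yp.to/faq.html); it is exact only for coefficients in [0, q), so p must be fully reduced — TODO confirm callers guarantee this.` The function body continues outside the hunk.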
@@ -229,18 +229,17 @@ func (p *Poly) compress(d int) []byte {

 case 5:
 var t [8]uint16
- var d0 uint32 /* accumulation value for fixing KyberSlash2 */
+ var d5 uint32 /* accumulation value for fixing KyberSlash2 */
 id := 0
 for i := 0; i < n/8; i++ {
 for j := 0; j < 8; j++ {
 /* t[j] = uint16(((uint32(p[8*i+j])<<5)+uint32(q)/2)/
 uint32(q)) & ((1 << 5) - 1) */
- t[j] = uint16(p[8*i+j])
- d0 = uint32(t[j] << 5)
- d0 += 1664
- d0 *= 40318
- d0 >>= 27
- t[j] = uint16(d0 & 0x1f)
+ d5 = uint32(p[8*i+j] << 5)
+ d5 += 1664
+ d5 *= 40318
+ d5 >>= 27
+ t[j] = uint16(d5 & 0x1f)
 }
 c[id] = byte(t[0]) | byte(t[1]<<5)
 c[id+1] = byte(t[1]>>3) | byte(t[2]<<2) | byte(t[3]<<7)

From ea1b61200d435a3d5a445339a0d4010fce38e375 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 17:41:45 +0100
Subject: [PATCH 06/12] Update poly.go

---
 crystals-kyber/poly.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 5502e25..6e4f44c 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -229,17 +229,17 @@ func (p *Poly) compress(d int) []byte {

 case 5:
 var t [8]uint16
- var d5 uint32 /* accumulation value for fixing KyberSlash2 */
+ var d0 uint32 /* accumulation value for fixing KyberSlash2 */
 id := 0
 for i := 0; i < n/8; i++ {
 for j := 0; j < 8; j++ {
 /* t[j] = uint16(((uint32(p[8*i+j])<<5)+uint32(q)/2)/
 uint32(q)) & ((1 << 5) - 1) */
- d5 = uint32(p[8*i+j] << 5)
- d5 += 1664
- d5 *= 40318
- d5 >>= 27
- t[j] = uint16(d5 & 0x1f)
+ d0 = uint32(p[8*i+j]) << 5
+ d0 += 1664
+ d0 *= 40318
+ d0 >>= 27
+ t[j] = uint16(d0 & 0x1f)
 }
 c[id] = byte(t[0]) | byte(t[1]<<5)
 c[id+1] = byte(t[1]>>3) | byte(t[2]<<2) | byte(t[3]<<7)

From a7cf5ef51b8d1ba78684704581a1fcc122ebfea0 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 17:44:08 +0100
Subject: [PATCH 07/12] Update poly.go

---
 crystals-kyber/poly.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 6e4f44c..eebf5be 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -213,8 +213,7 @@ func (p *Poly) compress(d int) []byte {
 for j := 0; j < 8; j++ {
 /* t[j] = uint16(((uint32(p[8*i+j])<<4)+uint32(q)/2)/
 uint32(q)) & ((1 << 4) - 1)*/
- t[j] = uint16(p[8*i+j])
- d0 = uint32(t[j] << 4)
+ d0 = uint32(p[8*i+j]) << 4
 d0 += 1665
 d0 *= 80635
 d0 >>= 28

From 8380db837e95751591fe423971eec842281e136f Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 17:52:14 +0100
Subject: [PATCH 08/12] bugfix:KyberSlash2 case d=3

---
 crystals-kyber/poly.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index eebf5be..13aa770 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -193,11 +193,17 @@ func (p *Poly) compress(d int) []byte {

 case 3:
 var t [8]uint16
+ var d0 uint32 /* accumulation value for fixing KyberSlash2 */
 id := 0
 for i := 0; i < n/8; i++ {
- for j := 0; j < 8; j++ { //TODO: fix KyberSlash2 here
- t[j] = uint16(((uint32(p[8*i+j])<<3)+uint32(q)/2)/
- uint32(q)) & ((1 << 3) - 1)
+ for j := 0; j < 8; j++ {
+ /* t[j] = uint16(((uint32(p[8*i+j])<<3)+uint32(q)/2)/
+ uint32(q)) & ((1 << 3) - 1) */
+ d0 = uint32(p[8*i+j]) << 3
+ d0 += 1664
+ d0 *= 161271
+ d0 >>= 29
+ t[j] = uint16(d0 & 0x7)
 }
 c[id] = byte(t[0]) | byte(t[1]<<3) | byte(t[2]<<6)
 c[id+1] = byte(t[2]>>2) | byte(t[3]<<1) | byte(t[4]<<4) | byte(t[5]<<7)

From 18058ddfc4f835509e246b3c1605f9a5feb1207a Mon Sep 17 00:00:00 2001
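Review bot: Nothing in the series checks that the new constants reproduce the rounding of the division they replace, and unlike d=4, 5, 10 and 11 — whose constants, as far as I can tell, match the upstream pq-crystals fix — d=3 here and d=6 in patch 09 have no reference implementation to compare against. Since q is small an exhaustive check is cheap: one table-driven test over every coefficient value and every d pins all six cases, and using a different value at each index also catches stride slips like the p[8*i+j]/p[4*i+j] mix-ups that patches 10 and 12 later correct. The test below assumes Poly is an array of int16; adjust the fill if its element type differs. compress starts and continues outside the hunk.
```go
// unpackField returns the k-th d-bit field of c, read LSB-first (the layout compress writes).
func unpackField(c []byte, d, k int) uint32 {
	var v uint32
	for b := 0; b < d; b++ {
		bit := k*d + b
		v |= uint32((c[bit/8]>>(bit%8))&1) << uint(b)
	}
	return v
}

// Every division-free case must give the same d-bit value as the formula it replaced,
// for every reduced coefficient value 0..q-1 and at every index.
func TestCompressMatchesDivisionRounding(t *testing.T) {
	for _, d := range []int{3, 4, 5, 6, 10, 11} {
		mask := (uint32(1) << uint(d)) - 1
		for x := 0; x < q; x++ {
			var p Poly
			for i := range p {
				p[i] = int16((x + i) % q) // assumes Poly is [n]int16 — TODO confirm
			}
			c := p.compress(d)
			for i := 0; i < n; i++ {
				want := ((uint32(p[i])<<uint(d) + uint32(q)/2) / uint32(q)) & mask
				if got := unpackField(c, d, i); got != want {
					t.Fatalf("d=%d coeff[%d]=%d: got %d want %d", d, i, p[i], got, want)
				}
			}
		}
	}
}
```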
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 18:02:01 +0100
Subject: [PATCH 09/12] bugfix:KyberSlash2 case d=6

---
 crystals-kyber/poly.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 13aa770..b7f94f2 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -256,11 +256,17 @@ func (p *Poly) compress(d int) []byte {

 case 6:
 var t [4]uint16
+ var d0 uint32 /* accumulation value for fixing KyberSlash2 */
 id := 0
 for i := 0; i < n/4; i++ {
- for j := 0; j < 4; j++ {//TODO: fix KyberSlash2 here
- t[j] = uint16(((uint32(p[4*i+j])<<6)+uint32(q)/2)/
- uint32(q)) & ((1 << 6) - 1)
+ for j := 0; j < 4; j++ {
+ /* t[j] = uint16(((uint32(p[4*i+j])<<6)+uint32(q)/2)/
+ uint32(q)) & ((1 << 6) - 1) */
+ d0 = uint32(p[8*i+j]) << 6
+ d0 += 1664
+ d0 *= 20159
+ d0 >>= 26
+ t[j] = uint16(d0 & 0x3f)
 }
 c[id] = byte(t[0]) | byte(t[1]<<6)
 c[id+1] = byte(t[1]>>2) | byte(t[2]<<4)

From 1ac280896f8b03e4a7ac515ed544b3f4f51d42ad Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 18:08:42 +0100
Subject: [PATCH 10/12] bugfix:KyberSlash2 case d=10

---
 crystals-kyber/poly.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index b7f94f2..1126415 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -262,7 +262,7 @@ func (p *Poly) compress(d int) []byte {
 for j := 0; j < 4; j++ {
 /* t[j] = uint16(((uint32(p[4*i+j])<<6)+uint32(q)/2)/
 uint32(q)) & ((1 << 6) - 1) */
- d0 = uint32(p[8*i+j]) << 6
+ d0 = uint32(p[4*i+j]) << 6
 d0 += 1664
 d0 *= 20159
 d0 >>= 26
@@ -276,11 +276,17 @@ func (p *Poly) compress(d int) []byte {

 case 10:
 var t [4]uint16
+ var d0 uint64 /* accumulation value for fixing KyberSlash2 */
 id := 0
 for i := 0; i < n/4; i++ {
 for j := 0; j < 4; j++ {
- t[j] = uint16(((uint32(p[4*i+j])<<10)+uint32(q)/2)/
- uint32(q)) & ((1 << 10) - 1)
+ /* t[j] = uint16(((uint32(p[4*i+j])<<10)+uint32(q)/2)/
+ uint32(q)) & ((1 << 10) - 1) */
+ d0 = uint64(p[4*i+j]) << 10
+ d0 += 1665
+ d0 *= 1290167
+ d0 >>= 32
+ t[j] = uint16(d0 & 0x3ff)
 }
 c[id] = byte(t[0])
 c[id+1] = byte(t[0]>>8) | byte(t[1]<<2)

From d457a8c24fe4be91983bee2094d1368529209480 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 18:12:06 +0100
Subject: [PATCH 11/12] bugfix:KyberSlash2 case d=11

---
 crystals-kyber/poly.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 1126415..ec3ee4c 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -297,11 +297,17 @@ func (p *Poly) compress(d int) []byte {
 }
 case 11:
 var t [8]uint16
+ var d0 uint64 /* accumulation value for fixing KyberSlash2 */
 id := 0
 for i := 0; i < n/8; i++ {
 for j := 0; j < 8; j++ {
- t[j] = uint16(((uint32(p[8*i+j])<<11)+uint32(q)/2)/
- uint32(q)) & ((1 << 11) - 1)
+ /* t[j] = uint16(((uint32(p[8*i+j])<<11)+uint32(q)/2)/
+ uint32(q)) & ((1 << 11) - 1) */
+ d0 = uint64(p[4*i+j]) << 11
+ d0 += 1664
+ d0 *= 645084
+ d0 >>= 31
+ t[j] = uint16(d0 & 0x7ff)
 }
 c[id] = byte(t[0])
 c[id+1] = byte(t[0]>>8) | byte(t[1]<<3)

From 5d875a1f686d9b9e4c2c75d33584460135700e06 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 18:13:58 +0100
Subject: [PATCH 12/12] Update poly.go

---
 crystals-kyber/poly.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index ec3ee4c..5c74780 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -303,7 +303,7 @@ func (p *Poly) compress(d int) []byte {
 for j := 0; j < 8; j++ {
 /* t[j] = uint16(((uint32(p[8*i+j])<<11)+uint32(q)/2)/
 uint32(q)) & ((1 << 11) - 1) */
- d0 = uint64(p[4*i+j]) << 11
+ d0 = uint64(p[8*i+j]) << 11
 d0 += 1664
 d0 *= 645084
 d0 >>= 31