From bffe8563a84549465a38b06724663cfd1bdc1cf9 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Tue, 16 Jan 2024 17:32:04 +0100
Subject: [PATCH] bugfix:KyberSlash2 case d=5
---
 crystals-kyber/poly.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index 15ded9b..56ed0ab 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -229,11 +229,18 @@ func (p *Poly) compress(d int) []byte {
 case 5:
 var t [8]uint16
+ var d0 uint32 /* accumulation value for fixing KyberSlash2 */
 id := 0
 for i := 0; i < n/8; i++ {
 for j := 0; j < 8; j++ {
- t[j] = uint16(((uint32(p[8*i+j])<<5)+uint32(q)/2)/
- uint32(q)) & ((1 << 5) - 1)
+ /* t[j] = uint16(((uint32(p[8*i+j])<<5)+uint32(q)/2)/
+ uint32(q)) & ((1 << 5) - 1) */
+ t[j] = uint16(p[8*i+j])
+ d0 = uint32(t[j] << 5)
+ d0 += 1664
+ d0 *= 40318
+ d0 >>= 27
+ t[j] = uint16(d0 & 0x1f)
 }
 c[id] = byte(t[0]) | byte(t[1]<<5)
 c[id+1] = byte(t[1]>>3) | byte(t[2]<<2) | byte(t[3]<<7)
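Review bot: The added line `d0 = uint32(t[j] << 5)` performs the shift in uint16 (the type of `t[j]`) before widening, so the constants 1664 and 40318 (which imply q of about 3329) mean every coefficient of 2048 or more loses its top bits and is compressed to a wrong 5-bit value; the widening has to come first, `d0 = uint32(t[j]) << 5`, as in the reference KyberSlash2 fix. The remaining `+= 1664`, `*= 40318`, `>>= 27` steps are the intended division-free rounding and only rely on uint32 wraparound, which is harmless here because just bits 27..31 are kept by the final `& 0x1f`. Because the purpose of the patch is to remove a secret-dependent division, a unit test that compares the new formula against the old `(32x + q/2) / q` expression for every x in [0, q) would catch this kind of arithmetic regression and should accompany the change. The commented-out old division should be deleted rather than left inside the loop body, and the comment on `d0` would be clearer as `// accumulator for the division-free rounding (KyberSlash2 fix)`. The enclosing `switch` and `compress` start and end outside the hunk.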