[crypto] ML-DSA-87: Further improve secret isolation prevention

andrea-caforio · andrea-caforio · commit 19a6c469d0d8 · 2026-05-20T16:50:21.000Z
The previous attempt at doing was not watertight. This commit improves
it by making sure that really all registers are initialized with
randomness.

Signed-off-by: Andrea Caforio &lt;andrea.caforio@lowrisc.org&gt;
diff --git a/sw/otbn/crypto/mldsa87/keygen/mldsa87_keygen_sample.s b/sw/otbn/crypto/mldsa87/keygen/mldsa87_keygen_sample.s
@@ -64,21 +64,20 @@ rej_bounded_poly:
   addi x7, x0, 0
   addi x8, x0, 1
 
+  /* Initialize the WDRs that hold intermediate results with randomness. */
+  bn.wsrr w4, URND
+  bn.wsrr w5, URND
+  bn.wsrr w10, URND
+  bn.wsrr w11, URND
+
   /*
    * The following loop unfolds in two parts. First, rejection sample a
    * Boolean shared vector x consisting of 8 4-bit coefficients in the interval
    * [0, 14]. Second, compute x mod 5 and convert the coefficients to
    * arithmetic shares. Repeat this 32 times until all the coefficients of the
    * polynomial have been sampled.
    */
-  loopi 32, 42
-
-    /* Initialize the WDRs that hold intermediate results with randomness. */
-    bn.wsrr w4, URND
-    bn.wsrr w5, URND
-    bn.wsrr w10, URND
-    bn.wsrr w11, URND
-
+  loopi 32, 38
     loopi 8, 27
      /* If the squeezed buffer is empty re-squeeze a new batch of 64 4-bit
         coefficients. */
diff --git a/sw/otbn/crypto/mldsa87/mldsa87_decoding.s b/sw/otbn/crypto/mldsa87/mldsa87_decoding.s
@@ -99,14 +99,13 @@ _bit_unpack_s:
   bn.not w13, w31
   bn.shv.8s w13, w13 >> 29
 
+  /* Initialize the WDRs that hold intermediate results with randomness. */
+  bn.wsrr w0, URND
+  bn.wsrr w1, URND
+
   /* In each iteration, we decode 8 Boolean-shared coefficients that are
      bit-unpacked and converted to arithmetic shares in w0 and w1. */
-  loopi 8, 21
-
-    /* Initialize the WDRs that hold intermediate results with randomness. */
-    bn.wsrr w0, URND
-    bn.wsrr w1, URND
-
+  loopi 8, 19
     loopi 8, 9
 
       /* Randomness to shift into registers when a coefficient is extracted.
diff --git a/sw/otbn/crypto/mldsa87/sign/mldsa87_sign_sample.s b/sw/otbn/crypto/mldsa87/sign/mldsa87_sign_sample.s
@@ -51,8 +51,28 @@ sample_mask_poly:
   addi x4, x0, 0
   addi x5, x0, 1
 
+  /* Initialize the registers that hold the compressed polynomial shares with
+     randomness. This avoids isolating secrets bits in an all-zero register
+     during the shifting operations. */
+
+  /* Share 0. */
+  bn.wsrr w0, URND
+  bn.wsrr w3, URND
+  bn.wsrr w4, URND
+  bn.wsrr w5, URND
+  bn.wsrr w6, URND
+  bn.wsrr w7, URND
+
+  /* Share 1. */
+  bn.wsrr w1, URND
+  bn.wsrr w8, URND
+  bn.wsrr w9, URND
+  bn.wsrr w10, URND
+  bn.wsrr w11, URND
+  bn.wsrr w12, URND
+
   /* In each iteration, we sample 64 coefficients. */
-  loopi 4, 51
+  loopi 4, 49
 
     /*
      * Each coefficient of the mask polynomial has a size of 20 bits. Since
@@ -87,11 +107,7 @@ sample_mask_poly:
     bn.mov w12, w30
 
     /* Sample 64 coefficients in steps of eight at at time. */
-    loopi 8, 29
-
-      /* Initialize the WDRs that hold intermediate results with randomness. */
-      bn.wsrr w0, URND
-      bn.wsrr w1, URND
+    loopi 8, 27
 
       /* Sample one shared vector of eight coefficients. */
       loopi 8, 17
