[PATCH 0/5] dilithium-kyber: Optimized (i)NTT support for
Danny Tsen
dtsen at us.ibm.com
Mon Mar 30 14:28:24 CEST 2026
Hi,
That seems like a good idea. Let me know when you have the framework available. I can follow that.
Thanks.
-Danny
________________________________
From: NIIBE Yutaka <gniibe at fsij.org>
Sent: Friday, March 27, 2026 1:21 AM
To: Danny Tsen <dtsen at us.ibm.com>; gcrypt-devel at gnupg.org <gcrypt-devel at gnupg.org>
Subject: [EXTERNAL] Re: [PATCH 0/5] dilithium-kyber: Optimized (i)NTT support for
Hello,
Sorry for the late reply.
Danny Tsen wrote:
> Added optimized (i)NTT algorithm support for ppc64le (Power 8 and
> above). Defined ENABLE_PPC_DILITHIUM and ENABLE_PPC_KYBER for
> dilithium (ML-DSA) and kyber (ML-KEM) NTT and inverse NTT.
Thank you for your work.
The approach of optimizing NTT functions looks good.
Let me start a discussion about Kyber. Then, we can apply the
result to Dilithium.
I wonder if we can do a bit more, so that we can avoid the duplication
of the ZETA constant among NTT implementation and kyber-common.c.
I'm considering factoring the following five functions from
kyber-common.c:
void _gcry_poly_ntt(poly *r);
void _gcry_poly_invntt_tomont(poly *r);
void _gcry_poly_reduce(poly *r);
void _gcry_poly_tomont(poly *r);
void _gcry_poly_basemul_montgomery(poly *r, const poly *a, const poly *b);
into, say, kyber-common-generic.c. And provide architecture-specific
kyber-common-<ARCH>-<HWACC>.S for optimized version(s).
This way, NTT functions are covered and ZETA is placed inside
kyber-common-*.
What do you think?
I'll try with the optimized implementation of AVX2 in the reference code.
https://www.pq-crystals.org/kyber/