poly1305: Fix reduction step in Unreduced130::reduce

Fixes all remaining fuzzer crashes and test vectors.

Author: str4d

poly1305/src/avx2/helpers.rs

@@ -501,7 +501,7 @@ impl Unreduced130 {
                 // t = [0, 0, 0, t_4 >> 26]
                 let t = _mm256_srlv_epi64(v1, _mm256_set_epi64x(64, 64, 64, 26));
                 // v0 + 5·t = [t_3, t_2, t_1, t_0 + 5·(t_4 >> 26)]
-                let red_0 = _mm256_add_epi64(_mm256_add_epi64(v0, t), _mm256_slli_epi32(t, 2));
+                let red_0 = _mm256_add_epi64(_mm256_add_epi64(v0, t), _mm256_slli_epi64(t, 2));
                 // [0, 0, 0, t_4 % 2^26]
                 let red_1 = _mm256_and_si256(v1, _mm256_set_epi64x(0, 0, 0, 0x3ffffff));
                 (red_1, red_0)

poly1305/src/fuzz.rs

@@ -48,7 +48,17 @@ fn crash_3() {
     //                 difference = 0x0100000000
     //
     // This discrepancy was due to Unreduced130::reduce (as called during finalization)
-    // not correctly reducing. TODO: Figure out what about it was wrong.
+    // not correctly reducing. During the reduction step, the upper limb's upper bits
+    // (beyond 2^130) are added into the lower limb multiplied by 5 (for reduction modulo
+    // 2^130 - 5). This is computed like so:
+    //
+    //     b = t_4 >> 26
+    //     t_0 += b + (b << 2)
+    //
+    // It is possible for the upper limb to be 57+ bits; thus b << 2 can be 33+ bits.
+    // However, the original reduction code was using _mm256_slli_epi32, which shifts
+    // packed 32-bit integers; this was causing the upper bits of b to be lost. Switching
+    // to _mm256_slli_epi64 (correctly treating b as a 64-bit field) solves the problem.
     avx2_fuzzer_test_case(include_bytes!(
         "fuzz/id:000003,sig:06,src:000003,op:havoc,rep:64"
     ));