From 467c83c8119558351c062ad5b8dabc4e9bcbf6c6 Mon Sep 17 00:00:00 2001
From: Patrick Longa
Date: Sun, 6 Jun 2021 19:27:26 -0700
Subject: [PATCH 1/9] Add constant-time test using valgrind, undefined address sanitizer test
---
.github/workflows/c.yml | 97 +++++++++++++++++++++++++++++++++++++++++
Makefile | 43 ++++++++++++++++--
src/sike.c | 24 +++++++++-
tests/test_sike.c | 49 ++++++++++++++++-----
4 files changed, 199 insertions(+), 14 deletions(-)
create mode 100644 .github/workflows/c.yml
diff --git a/.github/workflows/c.yml b/.github/workflows/c.yml
new file mode 100644
index 0000000..8f1cb59
--- /dev/null
+++ b/.github/workflows/c.yml
@@ -0,0 +1,97 @@
+name: Test C implementation
+
+on:
+ push:
+ paths:
+ - '.github/workflows/c.yml'
+ - Makefile
+ - 'KAT/**'
+ - 'src/**'
+ - 'tests/**'
+ pull_request:
+ paths:
+ - '.github/workflows/c.yml'
+ - Makefile
+ - 'KAT/**'
+ - 'src/**'
+ - 'tests/**'
+
+jobs:
+ test-basic:
+ runs-on: ubuntu-latest
+ strategy:
+ implementation:
+ opt_level: ['GENERIC', 'FAST']
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build
+ env:
+ OPT_LEVEL: ${{ implementation.opt_level }}
+ run: make
+ - name: SIKEp434
+ run: make test434
+ - name: SIKEp503
+ run: make test503
+ - name: SIKEp610
+ run: make test610
+ - name: SIKEp751
+ run: make test751
+ - name: SIKEp434 KATs
+ run: sike434/PQCtestKAT_kem
+ - name: SIKEp503 KATs
+ run: sike503/PQCtestKAT_kem
+ - name: SIKEp610 KATs
+ run: sike610/PQCtestKAT_kem
+ - name: SIKEp751 KATs
+ run: sike751/PQCtestKAT_kem
+ test-sanitize:
+ runs-on: ubuntu-latest
+ strategy:
+ implementation:
+ opt_level: ['GENERIC', 'FAST']
+ sanitizer: ['address', 'undefined']
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build
+ env:
+ OPT_LEVEL: ${{ implementation.opt_level }}
+ EXTRA_CFLAGS: -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fsanitize=${{ implementation.sanitizer }} -fno-sanitize-recover=${{ implementation.sanitizer }}
+ run: make CC=clang-11
+ - name: SIKEp434
+ run: sike434/test_KEM nobench
+ - name: SIKEp503
+ run: sike503/test_KEM nobench
+ - name: SIKEp610
+ run: sike610/test_KEM nobench
+ - name: SIKEp751
+ run: sike751/test_KEM nobench
+ test-valgrind-constant-time:
+ runs-on: ubuntu-latest
+ strategy:
+ implementation:
+ opt_level: ['GENERIC', 'FAST']
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install valgrind
+ run: sudo apt-get install -y valgrind
+ - name: Build
+ env:
+ DO_VALGRIND_CHECK: "TRUE"
+ OPT_LEVEL: ${{ implementation.opt_level }}
+ run: make CC=clang-11
+ - name: SIKEp434
+ env:
+ DO_VALGRIND_CHECK: "TRUE"
+ run: make test434
+ - name: SIKEp503
+ env:
+ DO_VALGRIND_CHECK: "TRUE"
+ run: make test503
+ - name: SIKEp610
+ env:
+ DO_VALGRIND_CHECK: "TRUE"
+ run: make test610
+ - name: SIKEp751
+ env:
+ DO_VALGRIND_CHECK: "TRUE"
+ run: make test751
diff --git a/Makefile b/Makefile
index f8d4d17..4c6314a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,5 @@
#### Makefile for compilation on Unix-like operative systems ####
-OPT=-O3 # Optimization option by default
-
CC=clang
ifeq "$(CC)" "gcc"
COMPILER=gcc
@@ -65,7 +63,18 @@ ifeq "$(ARCHITECTURE)" "_S390X_"
ADDITIONAL_SETTINGS=-march=z10
endif
-CFLAGS=$(OPT) -std=gnu11 $(ADDITIONAL_SETTINGS) -D $(ARCHITECTURE) -D __NIX__ -D $(USE_OPT_LEVEL) $(MULX) $(ADX)
+VALGRIND_CFLAGS=
+ifeq "$(DO_VALGRIND_CHECK)" "TRUE"
+VALGRIND_CFLAGS= -g -O0 -DDO_VALGRIND_CHECK
+endif
+
+ifeq "$(EXTRA_CFLAGS)" ""
+CFLAGS= -O3 # Optimization option by default
+else
+CFLAGS= $(EXTRA_CFLAGS)
+endif
+CFLAGS+= $(VALGRIND_CFLAGS)
+CFLAGS+= -std=gnu11 $(ADDITIONAL_SETTINGS) -D $(ARCHITECTURE) -D __NIX__ -D $(USE_OPT_LEVEL) $(MULX) $(ADX)
LDFLAGS=-lm
ifeq "$(USE_OPT_LEVEL)" "_GENERIC_"
EXTRA_OBJECTS_434=objs434/fp_generic.o
@@ -320,6 +329,34 @@ KATS: lib434_for_KATs lib503_for_KATs lib610_for_KATs lib751_for_KATs lib434comp
check: tests
+test434:
+ifeq "$(DO_VALGRIND_CHECK)" "TRUE"
+ valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike434/test_KEM
+else
+ sike434/test_KEM
+endif
+
+test503:
+ifeq "$(DO_VALGRIND_CHECK)" "TRUE"
+ valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike503/test_KEM
+else
+ sike503/test_KEM
+endif
+
+test610:
+ifeq "$(DO_VALGRIND_CHECK)" "TRUE"
+ valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike610/test_KEM
+else
+ sike610/test_KEM
+endif
+
+test751:
+ifeq "$(DO_VALGRIND_CHECK)" "TRUE"
+ valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike751/test_KEM
+else
+ sike751/test_KEM
+endif
+
.PHONY: clean
clean:
diff --git a/src/sike.c b/src/sike.c
index c166450..36d7293 100644
--- a/src/sike.c
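Review bot: All three jobs check out the repository with `- uses: actions/checkout@v2`, a mutable tag, so the workflow that now asserts the constant-time property runs whatever code that tag points to on the day; pinning the action to a full commit SHA (with the tag in a trailing comment) keeps the test environment reproducible and is the usual supply-chain hardening for workflows. The valgrind job also runs `run: sudo apt-get install -y valgrind` without a preceding package-index refresh, which on a stale runner image fails at install time rather than in the test; `run: sudo apt-get update && sudo apt-get install -y valgrind` is the customary form. The same lines reappear unchanged in the later hunks of this file in patches 2 and 5.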
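Review bot: With `+VALGRIND_CFLAGS= -g -O0 -DDO_VALGRIND_CHECK` the constant-time job only ever inspects an unoptimized build, while the binary users get is compiled at `-O3`; the optimizer is exactly what can turn a masked select such as `ct_cmov` into a secret-dependent branch, so a clean memcheck run at `-O0` says little about the shipped code. If `-O0` is wanted for readable reports, keep it but add a second matrix entry that runs the valgrind targets against the `-O3` build, or drop `-O0` and rely on `-g` alone. The `+ifeq "$(EXTRA_CFLAGS)" ""` branch has a similar effect on the sanitizer jobs, which set `EXTRA_CFLAGS` without any `-O` flag and therefore also build unoptimized; `CFLAGS= -O3 $(EXTRA_CFLAGS)` would keep the default level while still letting a caller override it, since the compiler honours the last `-O` given.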
+++ b/src/sike.c
@@ -7,6 +7,10 @@
#include
#include "sha3/fips202.h"
+#ifdef DO_VALGRIND_CHECK
+#include
+#endif
+
int crypto_kem_keypair(unsigned char *pk, unsigned char *sk)
{ // SIKE's key generation
@@ -16,6 +20,9 @@ int crypto_kem_keypair(unsigned char *pk, unsigned char *sk)
// Generate lower portion of secret key sk <- s||SK
randombytes(sk, MSG_BYTES);
random_mod_order_B(sk + MSG_BYTES);
+#ifdef DO_VALGRIND_CHECK
+ VALGRIND_MAKE_MEM_UNDEFINED(sk, MSG_BYTES + SECRETKEY_B_BYTES);
+#endif
// Generate public key pk
EphemeralKeyGeneration_B(sk + MSG_BYTES, pk);
@@ -23,6 +30,9 @@ int crypto_kem_keypair(unsigned char *pk, unsigned char *sk)
// Append public key pk to secret key sk
memcpy(&sk[MSG_BYTES + SECRETKEY_B_BYTES], pk, CRYPTO_PUBLICKEYBYTES);
+#ifdef DO_VALGRIND_CHECK
+ VALGRIND_MAKE_MEM_DEFINED(sk, MSG_BYTES + SECRETKEY_B_BYTES);
+#endif
return 0;
}
@@ -39,6 +49,9 @@ int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk
// Generate ephemeralsk <- G(m||pk) mod oA
randombytes(temp, MSG_BYTES);
+#ifdef DO_VALGRIND_CHECK
+ VALGRIND_MAKE_MEM_UNDEFINED(temp, MSG_BYTES);
+#endif
memcpy(&temp[MSG_BYTES], pk, CRYPTO_PUBLICKEYBYTES);
shake256(ephemeralsk, SECRETKEY_A_BYTES, temp, CRYPTO_PUBLICKEYBYTES+MSG_BYTES);
ephemeralsk[SECRETKEY_A_BYTES - 1] &= MASK_ALICE;
@@ -55,6 +68,9 @@ int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk
memcpy(&temp[MSG_BYTES], ct, CRYPTO_CIPHERTEXTBYTES);
shake256(ss, CRYPTO_BYTES, temp, CRYPTO_CIPHERTEXTBYTES+MSG_BYTES);
+#ifdef DO_VALGRIND_CHECK
+ VALGRIND_MAKE_MEM_DEFINED(temp, MSG_BYTES);
+#endif
return 0;
}
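Review bot: The `#ifdef DO_VALGRIND_CHECK` / `VALGRIND_MAKE_MEM_*` / `#endif` triplet is repeated at every poison and unpoison point across `crypto_kem_keypair`, `crypto_kem_enc` and `crypto_kem_dec` (the four hunks that follow the include hunk here, and the two in the next part of this file), with no comment explaining why secret bytes are deliberately marked undefined. Defining a pair of helper macros once, next to the new include, makes each site a single readable line and gives the rationale a home; the names below are my own suggestion. With them, the site in the second hunk becomes `SIKE_MARK_SECRET(sk, MSG_BYTES + SECRETKEY_B_BYTES);` and the matching site at the end of the function `SIKE_UNMARK_SECRET(sk, MSG_BYTES + SECRETKEY_B_BYTES);`.
```c
#ifdef DO_VALGRIND_CHECK
/* Memcheck treats "undefined" bytes as taint: any branch or memory index that
 * depends on them is reported, which is how secret-dependent control flow in
 * the KEM is caught. These macros compile to nothing outside that build. */
#define SIKE_MARK_SECRET(p, n)   VALGRIND_MAKE_MEM_UNDEFINED((p), (n))
#define SIKE_UNMARK_SECRET(p, n) VALGRIND_MAKE_MEM_DEFINED((p), (n))
#else
#define SIKE_MARK_SECRET(p, n)   ((void)0)
#define SIKE_UNMARK_SECRET(p, n) ((void)0)
#endif
// … unchanged: crypto_kem_keypair up to random_mod_order_B …
    SIKE_MARK_SECRET(sk, MSG_BYTES + SECRETKEY_B_BYTES);
```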
@@ -69,6 +85,9 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned ch
unsigned char h_[MSG_BYTES];
unsigned char c0_[CRYPTO_PUBLICKEYBYTES];
unsigned char temp[CRYPTO_CIPHERTEXTBYTES+MSG_BYTES];
+#ifdef DO_VALGRIND_CHECK
+ VALGRIND_MAKE_MEM_UNDEFINED(sk, CRYPTO_SECRETKEYBYTES);
+#endif
// Decrypt
EphemeralSecretAgreement_B(sk + MSG_BYTES, ct, jinvariant_);
@@ -89,6 +108,9 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned ch
ct_cmov(temp, sk, MSG_BYTES, selector);
memcpy(&temp[MSG_BYTES], ct, CRYPTO_CIPHERTEXTBYTES);
shake256(ss, CRYPTO_BYTES, temp, CRYPTO_CIPHERTEXTBYTES+MSG_BYTES);
-
+
+#ifdef DO_VALGRIND_CHECK
+ VALGRIND_MAKE_MEM_DEFINED(sk, CRYPTO_SECRETKEYBYTES);
+#endif
return 0;
}
\ No newline at end of file
diff --git a/tests/test_sike.c b/tests/test_sike.c
index 34483be..c4080bf 100644
--- a/tests/test_sike.c
+++ b/tests/test_sike.c
@@ -6,14 +6,24 @@
#include "../src/random/random.h"
+#ifdef DO_VALGRIND_CHECK
+#include
+#endif
-// Benchmark and test parameters
+#ifdef DO_VALGRIND_CHECK
+ #define TEST_LOOPS 1
+#else
#if defined(GENERIC_IMPLEMENTATION) || (TARGET == TARGET_ARM)
- #define BENCH_LOOPS 5 // Number of iterations per bench
#define TEST_LOOPS 5 // Number of iterations per test
#else
- #define BENCH_LOOPS 100
#define TEST_LOOPS 10
+#endif
+#endif
+
+#if defined(GENERIC_IMPLEMENTATION) || (TARGET == TARGET_ARM)
+ #define BENCH_LOOPS 5 // Number of iterations per bench
+#else
+ #define BENCH_LOOPS 100
#endif
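Review bot: `VALGRIND_MAKE_MEM_UNDEFINED(sk, CRYPTO_SECRETKEYBYTES);` in the first hunk marks the whole secret key, including the public key that `crypto_kem_keypair` copies into its tail, whereas keypair itself only marks the first `MSG_BYTES + SECRETKEY_B_BYTES`; the public half is not secret, so any legitimate data-dependent access to it would be reported as a leak even though none is visible in these hunks. `VALGRIND_MAKE_MEM_UNDEFINED(sk, MSG_BYTES + SECRETKEY_B_BYTES);` here, and the same length in the matching `VALGRIND_MAKE_MEM_DEFINED` of the second hunk, keeps the two functions consistent. That second hunk also returns with `ss` still marked undefined, since it is computed from the poisoned `sk`, which is why test_sike.c has to mark it defined before `memcmp`; a comment before `return 0;` such as `// ss is derived from sk and stays marked undefined; callers must VALGRIND_MAKE_MEM_DEFINED it before inspecting it` would record that contract where the next caller will look for it.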
@@ -29,6 +39,14 @@ int cryptotest_kem()
uint32_t* pos = (uint32_t*)bytes;
bool passed = true;
+ #ifdef DO_VALGRIND_CHECK
+ if (!RUNNING_ON_VALGRIND) {
+ fprintf(stderr, "This test can only usefully be run inside valgrind.\n");
+ fprintf(stderr, "valgrind sikexxx/test_KEM\n");
+ exit(1);
+ }
+ #endif
+
printf("\n\nTESTING ISOGENY-BASED KEY ENCAPSULATION MECHANISM %s\n", SCHEME_NAME);
printf("--------------------------------------------------------------------------------------------------------\n\n");
@@ -37,6 +55,10 @@ int cryptotest_kem()
crypto_kem_keypair(pk, sk);
crypto_kem_enc(ct, ss, pk);
crypto_kem_dec(ss_, ct, sk);
+#ifdef DO_VALGRIND_CHECK
+ VALGRIND_MAKE_MEM_DEFINED(ss, CRYPTO_BYTES);
+ VALGRIND_MAKE_MEM_DEFINED(ss_, CRYPTO_BYTES);
+#endif
if (memcmp(ss, ss_, CRYPTO_BYTES) != 0) {
passed = false;
@@ -48,6 +70,10 @@ int cryptotest_kem()
*pos %= CRYPTO_CIPHERTEXTBYTES;
ct[*pos] ^= 1;
crypto_kem_dec(ss_, ct, sk);
+#ifdef DO_VALGRIND_CHECK
+ VALGRIND_MAKE_MEM_DEFINED(ss, CRYPTO_BYTES);
+ VALGRIND_MAKE_MEM_DEFINED(ss_, CRYPTO_BYTES);
+#endif
if (memcmp(ss, ss_, CRYPTO_BYTES) == 0) {
passed = false;
@@ -108,20 +134,23 @@ int cryptorun_kem()
}
-int main()
+int main(int argc, char **argv)
{
int Status = PASSED;
- Status = cryptotest_kem(); // Test key encapsulation mechanism
+ Status = cryptotest_kem(SYSTEM_NAME, TEST_LOOPS); // Test key encapsulation mechanism
if (Status != PASSED) {
printf("\n\n Error detected: KEM_ERROR_SHARED_KEY \n\n");
return FAILED;
}
-
- Status = cryptorun_kem(); // Benchmark key encapsulation mechanism
- if (Status != PASSED) {
- printf("\n\n Error detected: KEM_ERROR_SHARED_KEY \n\n");
- return FAILED;
+
+ if ((argc > 1) && (strcmp("nobench", argv[1]) == 0)) {}
+ else {
+ Status = cryptorun_kem(); // Benchmark key encapsulation mechanism
+ if (Status != PASSED) {
+ printf("\n\n Error detected: KEM_ERROR_SHARED_KEY \n\n");
+ return FAILED;
+ }
}
return Status;
From 9eaeab488d7549ccf524cc11f061b908b13c43b0 Mon Sep 17 00:00:00 2001
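Review bot: `if ((argc > 1) && (strcmp("nobench", argv[1]) == 0)) {}` followed by `else {` in the last hunk of this file is an empty-then branch that exists only to negate the condition, which is the kind of shape a reader has to stop and re-parse; `if (argc < 2 || strcmp("nobench", argv[1]) != 0) {` states the intent directly and drops the empty block. The new guard in the first hunk calls `exit(1)`, which needs `<stdlib.h>`; the include list of this file is outside the hunks shown, so that is worth confirming rather than relying on a transitive include. The body of `main` continues past the end of the hunk.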
From: Patrick Longa
Date: Sun, 6 Jun 2021 19:31:14 -0700
Subject: [PATCH 2/9] Fix
---
.github/workflows/c.yml | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/c.yml b/.github/workflows/c.yml
index 8f1cb59..3da0d98 100644
--- a/.github/workflows/c.yml
+++ b/.github/workflows/c.yml
@@ -20,13 +20,13 @@ jobs:
test-basic:
runs-on: ubuntu-latest
strategy:
- implementation:
+ matrix:
opt_level: ['GENERIC', 'FAST']
steps:
- uses: actions/checkout@v2
- name: Build
env:
- OPT_LEVEL: ${{ implementation.opt_level }}
+ OPT_LEVEL: ${{ matrix.opt_level }}
run: make
- name: SIKEp434
run: make test434
@@ -47,15 +47,15 @@ jobs:
test-sanitize:
runs-on: ubuntu-latest
strategy:
- implementation:
+ matrix:
opt_level: ['GENERIC', 'FAST']
sanitizer: ['address', 'undefined']
steps:
- uses: actions/checkout@v2
- name: Build
env:
- OPT_LEVEL: ${{ implementation.opt_level }}
- EXTRA_CFLAGS: -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fsanitize=${{ implementation.sanitizer }} -fno-sanitize-recover=${{ implementation.sanitizer }}
+ OPT_LEVEL: ${{ matrix.opt_level }}
+ EXTRA_CFLAGS: -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fsanitize=${{ matrix.sanitizer }} -fno-sanitize-recover=${{ matrix.sanitizer }}
run: make CC=clang-11
- name: SIKEp434
run: sike434/test_KEM nobench
@@ -68,7 +68,7 @@ jobs:
test-valgrind-constant-time:
runs-on: ubuntu-latest
strategy:
- implementation:
+ matrix:
opt_level: ['GENERIC', 'FAST']
steps:
- uses: actions/checkout@v2
@@ -77,7 +77,7 @@ jobs:
- name: Build
env:
DO_VALGRIND_CHECK: "TRUE"
- OPT_LEVEL: ${{ implementation.opt_level }}
+ OPT_LEVEL: ${{ matrix.opt_level }}
run: make CC=clang-11
- name: SIKEp434
env:
From bcea207f586385fd05f526bf4fffc9a9a736a3cc Mon Sep 17 00:00:00 2001
From: Patrick Longa
Date: Sun, 6 Jun 2021 19:34:46 -0700
Subject: [PATCH 3/9] Fix
---
tests/test_sike.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/test_sike.c b/tests/test_sike.c
index c4080bf..a85bb91 100644
--- a/tests/test_sike.c
+++ b/tests/test_sike.c
@@ -27,7 +27,7 @@
#endif
-int cryptotest_kem()
+int cryptotest_kem(int iterations)
{ // Testing KEM
unsigned int i;
unsigned char sk[CRYPTO_SECRETKEYBYTES] = {0};
@@ -138,7 +138,7 @@ int main(int argc, char **argv)
{
int Status = PASSED;
- Status = cryptotest_kem(SYSTEM_NAME, TEST_LOOPS); // Test key encapsulation mechanism
+ Status = cryptotest_kem(TEST_LOOPS); // Test key encapsulation mechanism
if (Status != PASSED) {
printf("\n\n Error detected: KEM_ERROR_SHARED_KEY \n\n");
return FAILED;
@@ -146,7 +146,7 @@ int main(int argc, char **argv)
if ((argc > 1) && (strcmp("nobench", argv[1]) == 0)) {}
else {
- Status = cryptorun_kem(); // Benchmark key encapsulation mechanism
+ Status = cryptorun_kem(); // Benchmark key encapsulation mechanism
if (Status != PASSED) {
printf("\n\n Error detected: KEM_ERROR_SHARED_KEY \n\n");
return FAILED;
From ab287ff1d03953c7215a3a0ee2e2ece781b03e51 Mon Sep 17 00:00:00 2001
From: Patrick Longa
Date: Sun, 6 Jun 2021 19:38:15 -0700
Subject: [PATCH 4/9] Fix
---
tests/test_sike.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/test_sike.c b/tests/test_sike.c
index a85bb91..7305133 100644
--- a/tests/test_sike.c
+++ b/tests/test_sike.c
@@ -27,7 +27,7 @@
#endif
-int cryptotest_kem(int iterations)
+int cryptotest_kem()
{ // Testing KEM
unsigned int i;
unsigned char sk[CRYPTO_SECRETKEYBYTES] = {0};
@@ -138,7 +138,7 @@ int main(int argc, char **argv)
{
int Status = PASSED;
- Status = cryptotest_kem(TEST_LOOPS); // Test key encapsulation mechanism
+ Status = cryptotest_kem(); // Test key encapsulation mechanism
if (Status != PASSED) {
printf("\n\n Error detected: KEM_ERROR_SHARED_KEY \n\n");
return FAILED;
@@ -146,7 +146,7 @@ int main(int argc, char **argv)
if ((argc > 1) && (strcmp("nobench", argv[1]) == 0)) {}
else {
- Status = cryptorun_kem(); // Benchmark key encapsulation mechanism
+ Status = cryptorun_kem(); // Benchmark key encapsulation mechanism
if (Status != PASSED) {
printf("\n\n Error detected: KEM_ERROR_SHARED_KEY \n\n");
return FAILED;
From 402a07188df0d31e0b59144149a43295b1d95298 Mon Sep 17 00:00:00 2001
From: Patrick Longa
Date: Sun, 6 Jun 2021 19:43:16 -0700
Subject: [PATCH 5/9] Fix
---
.github/workflows/c.yml | 8 ++++----
Makefile | 16 ++++++++--------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/c.yml b/.github/workflows/c.yml
index 3da0d98..8d85435 100644
--- a/.github/workflows/c.yml
+++ b/.github/workflows/c.yml
@@ -58,13 +58,13 @@ jobs:
EXTRA_CFLAGS: -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fsanitize=${{ matrix.sanitizer }} -fno-sanitize-recover=${{ matrix.sanitizer }}
run: make CC=clang-11
- name: SIKEp434
- run: sike434/test_KEM nobench
+ run: sike434/test_SIKE nobench
- name: SIKEp503
- run: sike503/test_KEM nobench
+ run: sike503/test_SIKE nobench
- name: SIKEp610
- run: sike610/test_KEM nobench
+ run: sike610/test_SIKE nobench
- name: SIKEp751
- run: sike751/test_KEM nobench
+ run: sike751/test_SIKE nobench
test-valgrind-constant-time:
runs-on: ubuntu-latest
strategy:
diff --git a/Makefile b/Makefile
index 4c6314a..b2188c9 100644
--- a/Makefile
+++ b/Makefile
@@ -331,30 +331,30 @@ check: tests
test434:
ifeq "$(DO_VALGRIND_CHECK)" "TRUE"
- valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike434/test_KEM
+ valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike434/test_SIKE
else
- sike434/test_KEM
+ sike434/test_SIKE
endif
test503:
ifeq "$(DO_VALGRIND_CHECK)" "TRUE"
- valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike503/test_KEM
+ valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike503/test_SIKE
else
- sike503/test_KEM
+ sike503/test_SIKE
endif
test610:
ifeq "$(DO_VALGRIND_CHECK)" "TRUE"
- valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike610/test_KEM
+ valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike610/test_SIKE
else
- sike610/test_KEM
+ sike610/test_SIKE
endif
test751:
ifeq "$(DO_VALGRIND_CHECK)" "TRUE"
- valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike751/test_KEM
+ valgrind --tool=memcheck --error-exitcode=1 --max-stackframe=20480000 sike751/test_SIKE
else
- sike751/test_KEM
+ sike751/test_SIKE
endif
.PHONY: clean
From 683978b86359cef435d16656ea4343cf48127c21 Mon Sep 17 00:00:00 2001
From: Patrick Longa
Date: Mon, 7 Jun 2021 13:37:00 -0700
Subject: [PATCH 6/9] Test
---
src/fpx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/fpx.c b/src/fpx.c
index 49a170d..f3c554a 100644
--- a/src/fpx.c
+++ b/src/fpx.c
@@ -25,7 +25,7 @@ int8_t ct_compare(const uint8_t *a, const uint8_t *b, unsigned int len)
for (unsigned int i = 0; i < len; i++)
r |= a[i] ^ b[i];
- return (int8_t)((-(int32_t)r) >> (8*sizeof(uint32_t)-1));
+ return (-(int8_t)r) >> (8*sizeof(uint8_t)-1);
}
From c1f4727c5bb88d147029b182455c280e5c67b2bc Mon Sep 17 00:00:00 2001
From: Patrick Longa
Date: Mon, 7 Jun 2021 14:53:58 -0700
Subject: [PATCH 7/9] Constant-time test
---
src/fpx.c | 2 +-
src/sike.c | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/fpx.c b/src/fpx.c
index f3c554a..49a170d 100644
--- a/src/fpx.c
+++ b/src/fpx.c
@@ -25,7 +25,7 @@ int8_t ct_compare(const uint8_t *a, const uint8_t *b, unsigned int len)
for (unsigned int i = 0; i < len; i++)
r |= a[i] ^ b[i];
- return (-(int8_t)r) >> (8*sizeof(uint8_t)-1);
+ return (int8_t)((-(int32_t)r) >> (8*sizeof(uint32_t)-1));
}
diff --git a/src/sike.c b/src/sike.c
index 36d7293..8d251f7 100644
--- a/src/sike.c
+++ b/src/sike.c
@@ -101,11 +101,11 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned ch
shake256(ephemeralsk_, SECRETKEY_A_BYTES, temp, CRYPTO_PUBLICKEYBYTES+MSG_BYTES);
ephemeralsk_[SECRETKEY_A_BYTES - 1] &= MASK_ALICE;
- // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure
- EphemeralKeyGeneration_A(ephemeralsk_, c0_);
- // If selector = 0 then do ss = H(m||ct), else if selector = -1 load s to do ss = H(s||ct)
- int8_t selector = ct_compare(c0_, ct, CRYPTO_PUBLICKEYBYTES);
- ct_cmov(temp, sk, MSG_BYTES, selector);
+ // Generate shared secret ss <- H(m||ct) or output ss <- H(s||ct)
+ EphemeralKeyGeneration_A(ephemeralsk_, c0_);
+ if (memcmp(c0_, ct, CRYPTO_PUBLICKEYBYTES) != 0) {
+ memcpy(temp, sk, MSG_BYTES);
+ }
memcpy(&temp[MSG_BYTES], ct, CRYPTO_CIPHERTEXTBYTES);
shake256(ss, CRYPTO_BYTES, temp, CRYPTO_CIPHERTEXTBYTES+MSG_BYTES);
From dceb07f69fa079b520f5197f156e258067e3019f Mon Sep 17 00:00:00 2001
From: Patrick Longa
Date: Mon, 7 Jun 2021 15:47:26 -0700
Subject: [PATCH 8/9] Restoring after test
---
src/sike.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/sike.c b/src/sike.c
index 8d251f7..36d7293 100644
--- a/src/sike.c
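Review bot: The restored `return (int8_t)((-(int32_t)r) >> (8*sizeof(uint32_t)-1));` yields the intended 0 or all-ones mask for every `r` in 0..255, but it relies on right-shifting a negative `int32_t`, which the C standard leaves implementation-defined (arithmetic on the compilers this project targets, but a logical shift is permitted). Staying in unsigned arithmetic gives the same 0/-1 result with no such dependency: `return (int8_t)(0 - (int32_t)((0u - (uint32_t)r) >> 31));`. Either way the function has no statement of its contract near the return; a comment such as `// 0 if the arrays are equal (r == 0), -1 (all bits set) otherwise, with no data-dependent branch` would make the purpose of the shift obvious to the next reader. The start of `ct_compare` lies outside the hunk.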
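Review bot: On the new side of the sike.c hunk, `if (memcmp(c0_, ct, CRYPTO_PUBLICKEYBYTES) != 0) {` makes the choice between hashing `m` and hashing `s` depend on `c0_`, which is derived from the secret key, so the ciphertext-validity check in decapsulation becomes a secret-dependent branch; that is precisely the class of leak the valgrind job from patch 1 is meant to catch. This reads as a deliberate probe of the harness, and patch 8 restores the `ct_compare`/`ct_cmov` lines, but in between the series contains a bisectable commit whose decapsulation is not constant time. Squashing patches 6 through 8 before merge avoids that; if the probe is worth keeping as a regression check for the harness, it belongs behind a dedicated build flag with a comment stating it must never be enabled outside that test. The rest of `crypto_kem_dec` lies outside the hunk.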
@@ -101,11 +101,11 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned ch shake256(ephemeralsk_, SECRETKEY_A_BYTES, temp, CRYPTO_PUBLICKEYBYTES+MSG_BYTES); ephemeralsk_[SECRETKEY_A_BYTES - 1] &= MASK_ALICE; - // Generate shared secret ss <- H(m||ct) or output ss <- H(s||ct) - EphemeralKeyGeneration_A(ephemeralsk_, c0_); - if (memcmp(c0_, ct, CRYPTO_PUBLICKEYBYTES) != 0) { - memcpy(temp, sk, MSG_BYTES); - } + // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure + EphemeralKeyGeneration_A(ephemeralsk_, c0_); + // If selector = 0 then do ss = H(m||ct), else if selector = -1 load s to do ss = H(s||ct) + int8_t selector = ct_compare(c0_, ct, CRYPTO_PUBLICKEYBYTES); + ct_cmov(temp, sk, MSG_BYTES, selector); memcpy(&temp[MSG_BYTES], ct, CRYPTO_CIPHERTEXTBYTES); shake256(ss, CRYPTO_BYTES, temp, CRYPTO_CIPHERTEXTBYTES+MSG_BYTES); From 2b804aa649e612d69c964ed465f526ae6ab95d99 Mon Sep 17 00:00:00 2001 From: Patrick Longa Date: Mon, 7 Jun 2021 16:46:37 -0700 Subject: [PATCH 9/9] Update test_sike.c --- tests/test_sike.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_sike.c b/tests/test_sike.c index 7305133..33007ae 100644 --- a/tests/test_sike.c +++ b/tests/test_sike.c @@ -42,7 +42,7 @@ int cryptotest_kem() #ifdef DO_VALGRIND_CHECK if (!RUNNING_ON_VALGRIND) { fprintf(stderr, "This test can only usefully be run inside valgrind.\n"); - fprintf(stderr, "valgrind sikexxx/test_KEM\n"); + fprintf(stderr, "valgrind sikexxx/test_SIKE\n"); exit(1); } #endif @@ -154,4 +154,4 @@ int main(int argc, char **argv) } return Status; -} \ No newline at end of file +}