Constant-time test

microsoft · Jun 7, 2021 · c1f4727 · c1f4727
1 parent 683978b
commit c1f4727
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/src/fpx.c b/src/fpx.c
@@ -25,7 +25,7 @@ int8_t ct_compare(const uint8_t *a, const uint8_t *b, unsigned int len)
     for (unsigned int i = 0; i < len; i++)
         r |= a[i] ^ b[i];
 
-    return (-(int8_t)r) >> (8*sizeof(uint8_t)-1);
+    return (int8_t)((-(int32_t)r) >> (8*sizeof(uint32_t)-1));
 }
 
 

diff --git a/src/sike.c b/src/sike.c
@@ -101,11 +101,11 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned ch
     shake256(ephemeralsk_, SECRETKEY_A_BYTES, temp, CRYPTO_PUBLICKEYBYTES+MSG_BYTES);
     ephemeralsk_[SECRETKEY_A_BYTES - 1] &= MASK_ALICE;
 
-    // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure
-    EphemeralKeyGeneration_A(ephemeralsk_, c0_);
-    // If selector = 0 then do ss = H(m||ct), else if selector = -1 load s to do ss = H(s||ct)
-    int8_t selector = ct_compare(c0_, ct, CRYPTO_PUBLICKEYBYTES);
-    ct_cmov(temp, sk, MSG_BYTES, selector);
+   // Generate shared secret ss <- H(m||ct) or output ss <- H(s||ct)
+    EphemeralKeyGeneration_A(ephemeralsk_, c0_);
+    if (memcmp(c0_, ct, CRYPTO_PUBLICKEYBYTES) != 0) {
+        memcpy(temp, sk, MSG_BYTES);
+    }
     memcpy(&temp[MSG_BYTES], ct, CRYPTO_CIPHERTEXTBYTES);
     shake256(ss, CRYPTO_BYTES, temp, CRYPTO_CIPHERTEXTBYTES+MSG_BYTES);