From c1f4727c5bb88d147029b182455c280e5c67b2bc Mon Sep 17 00:00:00 2001
From: Patrick Longa
Date: Mon, 7 Jun 2021 14:53:58 -0700
Subject: [PATCH] Constant-time test

---
 src/fpx.c | 2 +-
 src/sike.c | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/fpx.c b/src/fpx.c
index f3c554a..49a170d 100644
--- a/src/fpx.c
+++ b/src/fpx.c
@@ -25,7 +25,7 @@ int8_t ct_compare(const uint8_t *a, const uint8_t *b, unsigned int len)
 for (unsigned int i = 0; i < len; i++)
 r |= a[i] ^ b[i];
- return (-(int8_t)r) >> (8*sizeof(uint8_t)-1);
+ return (int8_t)((-(int32_t)r) >> (8*sizeof(uint32_t)-1));
 }
diff --git a/src/sike.c b/src/sike.c
index 36d7293..8d251f7 100644
--- a/src/sike.c
+++ b/src/sike.c
@@ -101,11 +101,11 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned ch
 shake256(ephemeralsk_, SECRETKEY_A_BYTES, temp, CRYPTO_PUBLICKEYBYTES+MSG_BYTES);
 ephemeralsk_[SECRETKEY_A_BYTES - 1] &= MASK_ALICE;
- // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure
- EphemeralKeyGeneration_A(ephemeralsk_, c0_);
- // If selector = 0 then do ss = H(m||ct), else if selector = -1 load s to do ss = H(s||ct)
- int8_t selector = ct_compare(c0_, ct, CRYPTO_PUBLICKEYBYTES);
- ct_cmov(temp, sk, MSG_BYTES, selector);
+ // Generate shared secret ss <- H(m||ct) or output ss <- H(s||ct)
+ EphemeralKeyGeneration_A(ephemeralsk_, c0_);
+ if (memcmp(c0_, ct, CRYPTO_PUBLICKEYBYTES) != 0) {
+ memcpy(temp, sk, MSG_BYTES);
+ }
 memcpy(&temp[MSG_BYTES], ct, CRYPTO_CIPHERTEXTBYTES);
 shake256(ss, CRYPTO_BYTES, temp, CRYPTO_CIPHERTEXTBYTES+MSG_BYTES);
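Review bot: The new return line in ct_compare still right-shifts a negative int32_t, which C11 leaves implementation-defined (6.5.7p5), so the all-ones mask that ct_cmov-style callers expect depends on the compiler choosing an arithmetic shift; an unsigned formulation yields the same 0/-1 result with defined semantics, e.g. `uint32_t x = r;` followed by `return (int8_t)(0 - (int)((x | (0u - x)) >> 31));`. The widening to int32_t is a real fix of the old line: if r is the byte accumulator the `(int8_t)r` cast suggests, any accumulated value of 128 or more negated to a positive int and the old shift produced 0 or 1 instead of -1, so mismatches in a large class were reported as equal. ct_compare begins outside the hunk (r is declared there), so r's type is inferred from its use. A one-line contract comment on the return would help future readers, e.g. `// 0 if a == b over len bytes, -1 (all ones) otherwise; no early exit`.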
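Review bot: The added `if (memcmp(c0_, ct, CRYPTO_PUBLICKEYBYTES) != 0)` branch makes the re-encryption check in crypto_kem_dec secret-dependent in time: memcmp returns at the first differing byte and the memcpy of s runs only on mismatch, so an attacker timing decapsulation learns whether a chosen ciphertext re-encrypted to itself, which is exactly the plaintext-checking oracle that FO-style implicit rejection is meant to hide. The removed `ct_compare`/`ct_cmov` pair avoided both leaks, and after this patch crypto_kem_dec no longer uses the ct_compare that the fpx.c hunk just corrected. If the commit title means this is a deliberate negative fixture for a constant-time analysis tool, it belongs under a test target rather than in the production decapsulation; otherwise the two lines should read `int8_t selector = ct_compare(c0_, ct, CRYPTO_PUBLICKEYBYTES);` and `ct_cmov(temp, sk, MSG_BYTES, selector);`. crypto_kem_dec begins and ends outside the hunk.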