From de5cda4d7be3ebe5929cc47bae8e77936cbff45b Mon Sep 17 00:00:00 2001
From: "Matthias J. Kannwischer"
Date: Sat, 15 Feb 2020 10:27:56 +0100
Subject: [PATCH 1/2] Fix NewHope verify

https://github.com/mupq/pqm4/issues/132 repoorted that the NewHope verify function does not actually return 0 or 1, but 0 or -1, which consequenctly breaks the cmov in the FO transform. This bug was introduced when I integrated this into PQClean.

---
 crypto_kem/newhope1024cca/clean/reduce.c | 2 +-
 crypto_kem/newhope1024cca/clean/verify.c | 2 +-
 crypto_kem/newhope1024cpa/clean/reduce.c | 2 +-
 crypto_kem/newhope1024cpa/clean/verify.c | 2 +-
 crypto_kem/newhope512cca/clean/reduce.c | 2 +-
 crypto_kem/newhope512cca/clean/verify.c | 2 +-
 crypto_kem/newhope512cpa/clean/reduce.c | 2 +-
 crypto_kem/newhope512cpa/clean/verify.c | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/crypto_kem/newhope1024cca/clean/reduce.c b/crypto_kem/newhope1024cca/clean/reduce.c
index a024f7ea..e96b25e5 100644
--- a/crypto_kem/newhope1024cca/clean/reduce.c
+++ b/crypto_kem/newhope1024cca/clean/reduce.c
@@ -5,7 +5,7 @@ static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
 static const uint32_t rlog = 18;
 /*************************************************
-* Name: verify
+* Name: montgomery_reduce
 *
 * Description: Montgomery reduction; given a 32-bit integer a, computes
 * 16-bit integer congruent to a * R^-1 mod q,
diff --git a/crypto_kem/newhope1024cca/clean/verify.c b/crypto_kem/newhope1024cca/clean/verify.c
index 0cb31049..f2930ec0 100644
--- a/crypto_kem/newhope1024cca/clean/verify.c
+++ b/crypto_kem/newhope1024cca/clean/verify.c
@@ -22,7 +22,7 @@ int PQCLEAN_NEWHOPE1024CCA_CLEAN_verify(const unsigned char *a, const unsigned c
 r |= a[i] ^ b[i];
 }
- r = (-(int64_t)r) >> 63;
+ r = (-r) >> 63;
 return (int)r;
 }
diff --git a/crypto_kem/newhope1024cpa/clean/reduce.c b/crypto_kem/newhope1024cpa/clean/reduce.c
index f975bf92..49421e3d 100644
--- a/crypto_kem/newhope1024cpa/clean/reduce.c
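Review bot: The corrected line `r = (-r) >> 63;` in the newhope1024cca verify.c hunk now yields exactly 0 or 1, but nothing in the code records that contract, and the very bug being fixed (a -1 return that the FO transform's cmov did not expect, per the commit message) shows how easily it is lost. Add a comment above the line such as `/* r != 0 iff a and b differ; unsigned negation then sets bit 63, so the shift gives exactly 0 or 1 — the cmov in the FO transform relies on this */`, and consider a regression test that asserts the return value for differing inputs is `== 1`, not merely non-zero. The same change and the same missing comment appear in the newhope1024cpa, newhope512cca and newhope512cpa verify.c hunks of this patch. The enclosing verify function, including the declaration of `r` (presumably a uint64_t given the casts), starts above the hunk.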
+++ b/crypto_kem/newhope1024cpa/clean/reduce.c
@@ -5,7 +5,7 @@ static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
 static const uint32_t rlog = 18;
 /*************************************************
-* Name: verify
+* Name: montgomery_reduce
 *
 * Description: Montgomery reduction; given a 32-bit integer a, computes
 * 16-bit integer congruent to a * R^-1 mod q,
diff --git a/crypto_kem/newhope1024cpa/clean/verify.c b/crypto_kem/newhope1024cpa/clean/verify.c
index 53276b93..3cf20833 100644
--- a/crypto_kem/newhope1024cpa/clean/verify.c
+++ b/crypto_kem/newhope1024cpa/clean/verify.c
@@ -22,7 +22,7 @@ int PQCLEAN_NEWHOPE1024CPA_CLEAN_verify(const unsigned char *a, const unsigned c
 r |= a[i] ^ b[i];
 }
- r = (-(int64_t)r) >> 63;
+ r = (-r) >> 63;
 return (int)r;
 }
diff --git a/crypto_kem/newhope512cca/clean/reduce.c b/crypto_kem/newhope512cca/clean/reduce.c
index cdaffba7..c3d7f97e 100644
--- a/crypto_kem/newhope512cca/clean/reduce.c
+++ b/crypto_kem/newhope512cca/clean/reduce.c
@@ -5,7 +5,7 @@ static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
 static const uint32_t rlog = 18;
 /*************************************************
-* Name: verify
+* Name: montgomery_reduce
 *
 * Description: Montgomery reduction; given a 32-bit integer a, computes
 * 16-bit integer congruent to a * R^-1 mod q,
diff --git a/crypto_kem/newhope512cca/clean/verify.c b/crypto_kem/newhope512cca/clean/verify.c
index 553c0e50..96694524 100644
--- a/crypto_kem/newhope512cca/clean/verify.c
+++ b/crypto_kem/newhope512cca/clean/verify.c
@@ -22,7 +22,7 @@ int PQCLEAN_NEWHOPE512CCA_CLEAN_verify(const unsigned char *a, const unsigned ch
 r |= a[i] ^ b[i];
 }
- r = (-(int64_t)r) >> 63;
+ r = (-r) >> 63;
 return (int)r;
 }
diff --git a/crypto_kem/newhope512cpa/clean/reduce.c b/crypto_kem/newhope512cpa/clean/reduce.c
index 75d23570..c7adf562 100644
--- a/crypto_kem/newhope512cpa/clean/reduce.c
+++ b/crypto_kem/newhope512cpa/clean/reduce.c
@@ -5,7 +5,7 @@ static const uint32_t qinv = 12287; // -inverse_mod(p,2^18)
 static const uint32_t rlog = 18;
 /*************************************************
-* Name: verify
+* Name: montgomery_reduce
 *
 * Description: Montgomery reduction; given a 32-bit integer a, computes
 * 16-bit integer congruent to a * R^-1 mod q,
diff --git a/crypto_kem/newhope512cpa/clean/verify.c b/crypto_kem/newhope512cpa/clean/verify.c
index 449bc219..471f052b 100644
--- a/crypto_kem/newhope512cpa/clean/verify.c
+++ b/crypto_kem/newhope512cpa/clean/verify.c
@@ -22,7 +22,7 @@ int PQCLEAN_NEWHOPE512CPA_CLEAN_verify(const unsigned char *a, const unsigned ch
 r |= a[i] ^ b[i];
 }
- r = (-(int64_t)r) >> 63;
+ r = (-r) >> 63;
 return (int)r;
 }

From 85c6605bbf977babc1a8d835635df50cfc547191 Mon Sep 17 00:00:00 2001
From: "Matthias J. Kannwischer"
Date: Thu, 5 Mar 2020 11:31:28 +0100
Subject: [PATCH 2/2] fix MSVS warning

---
 crypto_kem/newhope1024cca/clean/verify.c | 2 +-
 crypto_kem/newhope1024cpa/clean/verify.c | 2 +-
 crypto_kem/newhope512cca/clean/verify.c | 2 +-
 crypto_kem/newhope512cpa/clean/verify.c | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto_kem/newhope1024cca/clean/verify.c b/crypto_kem/newhope1024cca/clean/verify.c
index f2930ec0..f68c9328 100644
--- a/crypto_kem/newhope1024cca/clean/verify.c
+++ b/crypto_kem/newhope1024cca/clean/verify.c
@@ -22,7 +22,7 @@ int PQCLEAN_NEWHOPE1024CCA_CLEAN_verify(const unsigned char *a, const unsigned c
 r |= a[i] ^ b[i];
 }
- r = (-r) >> 63;
+ r = (uint64_t)(-(int64_t)r) >> 63;
 return (int)r;
 }
diff --git a/crypto_kem/newhope1024cpa/clean/verify.c b/crypto_kem/newhope1024cpa/clean/verify.c
index 3cf20833..677e3ae9 100644
--- a/crypto_kem/newhope1024cpa/clean/verify.c
+++ b/crypto_kem/newhope1024cpa/clean/verify.c
@@ -22,7 +22,7 @@ int PQCLEAN_NEWHOPE1024CPA_CLEAN_verify(const unsigned char *a, const unsigned c
 r |= a[i] ^ b[i];
 }
- r = (-r) >> 63;
+ r = (uint64_t)(-(int64_t)r) >> 63;
 return (int)r;
 }
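Review bot: In the PATCH 2/2 newhope1024cca verify.c hunk, `r = (uint64_t)(-(int64_t)r) >> 63;` is only free of signed overflow because `r` is the OR of byte XORs and so never exceeds 0xff; that invariant is what keeps `-(int64_t)r` well defined, and it is stated nowhere. Add a comment above the line, e.g. `/* r <= 0xff (OR of byte differences), so the signed negation cannot overflow; bit 63 of the result is set iff r != 0, giving exactly 0 or 1 */`, so that a later change to accumulate wider values does not silently turn this into UB. If the warning being silenced is the unary-minus-on-unsigned one, `r = (0 - r) >> 63;` would avoid any signed intermediate at all and is worth checking on the MSVC build. The same line and the same missing comment appear in the newhope1024cpa, newhope512cca and newhope512cpa verify.c hunks of this patch; the enclosing verify function and the declaration of `r` are above each hunk.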
diff --git a/crypto_kem/newhope512cca/clean/verify.c b/crypto_kem/newhope512cca/clean/verify.c
index 96694524..37e65f94 100644
--- a/crypto_kem/newhope512cca/clean/verify.c
+++ b/crypto_kem/newhope512cca/clean/verify.c
@@ -22,7 +22,7 @@ int PQCLEAN_NEWHOPE512CCA_CLEAN_verify(const unsigned char *a, const unsigned ch
 r |= a[i] ^ b[i];
 }
- r = (-r) >> 63;
+ r = (uint64_t)(-(int64_t)r) >> 63;
 return (int)r;
 }
diff --git a/crypto_kem/newhope512cpa/clean/verify.c b/crypto_kem/newhope512cpa/clean/verify.c
index 471f052b..a03cf862 100644
--- a/crypto_kem/newhope512cpa/clean/verify.c
+++ b/crypto_kem/newhope512cpa/clean/verify.c
@@ -22,7 +22,7 @@ int PQCLEAN_NEWHOPE512CPA_CLEAN_verify(const unsigned char *a, const unsigned ch
 r |= a[i] ^ b[i];
 }
- r = (-r) >> 63;
+ r = (uint64_t)(-(int64_t)r) >> 63;
 return (int)r;
 }