From 470c2662f90f1f0035e90475c96147eb924dc5a7 Mon Sep 17 00:00:00 2001 From: "John M. Schanck" Date: Mon, 14 Sep 2020 11:27:56 -0400 Subject: [PATCH] Fix non-constant time FO test --- crypto_kem/hqc-128/avx2/kem.c | 12 +++++++----- crypto_kem/hqc-128/clean/kem.c | 12 +++++++----- crypto_kem/hqc-192/avx2/kem.c | 12 +++++++----- crypto_kem/hqc-192/clean/kem.c | 12 +++++++----- crypto_kem/hqc-256/avx2/kem.c | 12 +++++++----- crypto_kem/hqc-256/clean/kem.c | 12 +++++++----- crypto_kem/hqc-rmrs-128/avx2/kem.c | 12 +++++++----- crypto_kem/hqc-rmrs-128/clean/kem.c | 12 +++++++----- crypto_kem/hqc-rmrs-192/avx2/kem.c | 12 +++++++----- crypto_kem/hqc-rmrs-192/clean/kem.c | 12 +++++++----- crypto_kem/hqc-rmrs-256/avx2/kem.c | 12 +++++++----- crypto_kem/hqc-rmrs-256/clean/kem.c | 12 +++++++----- 12 files changed, 84 insertions(+), 60 deletions(-) diff --git a/crypto_kem/hqc-128/avx2/kem.c b/crypto_kem/hqc-128/avx2/kem.c index b74101ef..d10fa308 100644 --- a/crypto_kem/hqc-128/avx2/kem.c +++ b/crypto_kem/hqc-128/avx2/kem.c @@ -90,7 +90,7 @@ int PQCLEAN_HQC128_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, con */ int PQCLEAN_HQC128_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_256_SIZE_64] = {0}; uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -127,12 +127,14 @@ int PQCLEAN_HQC128_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *c sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQC128_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQC128_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && PQCLEAN_HQC128_AVX2_vect_compare((uint64_t *)d, (uint64_t *)d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQC128_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQC128_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-128/clean/kem.c b/crypto_kem/hqc-128/clean/kem.c index 9488ba6e..1444bff7 100644 --- a/crypto_kem/hqc-128/clean/kem.c +++ b/crypto_kem/hqc-128/clean/kem.c @@ -92,7 +92,7 @@ int PQCLEAN_HQC128_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, co */ int PQCLEAN_HQC128_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_SIZE_64] = {0}; uint64_t v[VEC_N1N2_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -131,12 +131,14 @@ int PQCLEAN_HQC128_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char * sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQC128_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQC128_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && memcmp(d, d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQC128_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQC128_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-192/avx2/kem.c b/crypto_kem/hqc-192/avx2/kem.c index 81473854..243a2e60 100644 --- a/crypto_kem/hqc-192/avx2/kem.c +++ b/crypto_kem/hqc-192/avx2/kem.c @@ -90,7 +90,7 @@ int PQCLEAN_HQC192_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, con */ int PQCLEAN_HQC192_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_256_SIZE_64] = {0}; uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -127,12 +127,14 @@ int PQCLEAN_HQC192_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *c sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQC192_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQC192_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && PQCLEAN_HQC192_AVX2_vect_compare((uint64_t *)d, (uint64_t *)d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQC192_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQC192_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-192/clean/kem.c b/crypto_kem/hqc-192/clean/kem.c index 6410ce5e..4d1f12a5 100644 --- a/crypto_kem/hqc-192/clean/kem.c +++ b/crypto_kem/hqc-192/clean/kem.c @@ -92,7 +92,7 @@ int PQCLEAN_HQC192_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, co */ int PQCLEAN_HQC192_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_SIZE_64] = {0}; uint64_t v[VEC_N1N2_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -131,12 +131,14 @@ int PQCLEAN_HQC192_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char * sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQC192_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQC192_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && memcmp(d, d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQC192_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQC192_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-256/avx2/kem.c b/crypto_kem/hqc-256/avx2/kem.c index c5cb8f58..86c39a58 100644 --- a/crypto_kem/hqc-256/avx2/kem.c +++ b/crypto_kem/hqc-256/avx2/kem.c @@ -90,7 +90,7 @@ int PQCLEAN_HQC256_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, con */ int PQCLEAN_HQC256_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_256_SIZE_64] = {0}; uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -127,12 +127,14 @@ int PQCLEAN_HQC256_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *c sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQC256_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQC256_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && PQCLEAN_HQC256_AVX2_vect_compare((uint64_t *)d, (uint64_t *)d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQC256_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQC256_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-256/clean/kem.c b/crypto_kem/hqc-256/clean/kem.c index f86ea41e..47195987 100644 --- a/crypto_kem/hqc-256/clean/kem.c +++ b/crypto_kem/hqc-256/clean/kem.c @@ -92,7 +92,7 @@ int PQCLEAN_HQC256_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, co */ int PQCLEAN_HQC256_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_SIZE_64] = {0}; uint64_t v[VEC_N1N2_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -131,12 +131,14 @@ int PQCLEAN_HQC256_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char * sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQC256_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQC256_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && memcmp(d, d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQC256_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQC256_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-rmrs-128/avx2/kem.c b/crypto_kem/hqc-rmrs-128/avx2/kem.c index 4f5e6d3b..0d2e0453 100644 --- a/crypto_kem/hqc-rmrs-128/avx2/kem.c +++ b/crypto_kem/hqc-rmrs-128/avx2/kem.c @@ -90,7 +90,7 @@ int PQCLEAN_HQCRMRS128_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, */ int PQCLEAN_HQCRMRS128_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_256_SIZE_64] = {0}; uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -127,12 +127,14 @@ int PQCLEAN_HQCRMRS128_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned cha sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQCRMRS128_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQCRMRS128_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && PQCLEAN_HQCRMRS128_AVX2_vect_compare((uint64_t *)d, (uint64_t *)d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQCRMRS128_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQCRMRS128_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-rmrs-128/clean/kem.c b/crypto_kem/hqc-rmrs-128/clean/kem.c index 66b61446..05c10fac 100644 --- a/crypto_kem/hqc-rmrs-128/clean/kem.c +++ b/crypto_kem/hqc-rmrs-128/clean/kem.c @@ -90,7 +90,7 @@ int PQCLEAN_HQCRMRS128_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss */ int PQCLEAN_HQCRMRS128_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_SIZE_64] = {0}; uint64_t v[VEC_N1N2_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -127,12 +127,14 @@ int PQCLEAN_HQCRMRS128_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned ch sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQCRMRS128_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQCRMRS128_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && memcmp(d, d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQCRMRS128_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQCRMRS128_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-rmrs-192/avx2/kem.c b/crypto_kem/hqc-rmrs-192/avx2/kem.c index c09fb3d2..5507d41e 100644 --- a/crypto_kem/hqc-rmrs-192/avx2/kem.c +++ b/crypto_kem/hqc-rmrs-192/avx2/kem.c @@ -90,7 +90,7 @@ int PQCLEAN_HQCRMRS192_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, */ int PQCLEAN_HQCRMRS192_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_256_SIZE_64] = {0}; uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -127,12 +127,14 @@ int PQCLEAN_HQCRMRS192_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned cha sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQCRMRS192_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQCRMRS192_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && PQCLEAN_HQCRMRS192_AVX2_vect_compare((uint64_t *)d, (uint64_t *)d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQCRMRS192_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQCRMRS192_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-rmrs-192/clean/kem.c b/crypto_kem/hqc-rmrs-192/clean/kem.c index a77e8210..1e1519ad 100644 --- a/crypto_kem/hqc-rmrs-192/clean/kem.c +++ b/crypto_kem/hqc-rmrs-192/clean/kem.c @@ -90,7 +90,7 @@ int PQCLEAN_HQCRMRS192_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss */ int PQCLEAN_HQCRMRS192_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_SIZE_64] = {0}; uint64_t v[VEC_N1N2_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -127,12 +127,14 @@ int PQCLEAN_HQCRMRS192_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned ch sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQCRMRS192_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQCRMRS192_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && memcmp(d, d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQCRMRS192_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQCRMRS192_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-rmrs-256/avx2/kem.c b/crypto_kem/hqc-rmrs-256/avx2/kem.c index 66c6d534..e2259232 100644 --- a/crypto_kem/hqc-rmrs-256/avx2/kem.c +++ b/crypto_kem/hqc-rmrs-256/avx2/kem.c @@ -90,7 +90,7 @@ int PQCLEAN_HQCRMRS256_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, */ int PQCLEAN_HQCRMRS256_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_256_SIZE_64] = {0}; uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -127,12 +127,14 @@ int PQCLEAN_HQCRMRS256_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned cha sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQCRMRS256_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQCRMRS256_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && PQCLEAN_HQCRMRS256_AVX2_vect_compare((uint64_t *)d, (uint64_t *)d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQCRMRS256_AVX2_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQCRMRS256_AVX2_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; } diff --git a/crypto_kem/hqc-rmrs-256/clean/kem.c b/crypto_kem/hqc-rmrs-256/clean/kem.c index 10184de4..fd97e8a2 100644 --- a/crypto_kem/hqc-rmrs-256/clean/kem.c +++ b/crypto_kem/hqc-rmrs-256/clean/kem.c @@ -90,7 +90,7 @@ int PQCLEAN_HQCRMRS256_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss */ int PQCLEAN_HQCRMRS256_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - int8_t result = -1; + uint8_t result; uint64_t u[VEC_N_SIZE_64] = {0}; uint64_t v[VEC_N1N2_SIZE_64] = {0}; unsigned char d[SHA512_BYTES] = {0}; @@ -127,12 +127,14 @@ int PQCLEAN_HQCRMRS256_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned ch sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); // Abort if c != c' or d != d' - result = (PQCLEAN_HQCRMRS256_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES) == 0 && PQCLEAN_HQCRMRS256_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES) == 0 && memcmp(d, d2, SHA512_BYTES) == 0); + result = PQCLEAN_HQCRMRS256_CLEAN_vect_compare(u, u2, VEC_N_SIZE_BYTES); + result |= PQCLEAN_HQCRMRS256_CLEAN_vect_compare(v, v2, VEC_N1N2_SIZE_BYTES); + result |= memcmp(d, d2, SHA512_BYTES); + result = (uint8_t) (-((int16_t) result) >> 15); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] = result * ss[i]; + ss[i] &= ~result; } - result--; - return result; + return result & 1; }