From 560ac1533482eb4ff13b11520638be1406d03743 Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Tue, 24 Nov 2020 11:23:09 +0100 Subject: [PATCH] Fix missed overflowing mul in FrodoKEM It happened in another place --- crypto_kem/frodokem1344aes/clean/util.c | 2 +- crypto_kem/frodokem1344aes/opt/util.c | 2 +- crypto_kem/frodokem1344shake/clean/util.c | 2 +- crypto_kem/frodokem1344shake/opt/util.c | 2 +- crypto_kem/frodokem640aes/clean/util.c | 2 +- crypto_kem/frodokem640aes/opt/util.c | 2 +- crypto_kem/frodokem640shake/clean/util.c | 2 +- crypto_kem/frodokem640shake/opt/util.c | 2 +- crypto_kem/frodokem976aes/clean/util.c | 2 +- crypto_kem/frodokem976aes/opt/util.c | 2 +- crypto_kem/frodokem976shake/clean/util.c | 2 +- crypto_kem/frodokem976shake/opt/util.c | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/crypto_kem/frodokem1344aes/clean/util.c b/crypto_kem/frodokem1344aes/clean/util.c index 53bb63fa..ac291eac 100644 --- a/crypto_kem/frodokem1344aes/clean/util.c +++ b/crypto_kem/frodokem1344aes/clean/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM1344AES_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, cons for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem1344aes/opt/util.c b/crypto_kem/frodokem1344aes/opt/util.c index ddce506c..c05d1f11 100644 --- a/crypto_kem/frodokem1344aes/opt/util.c +++ b/crypto_kem/frodokem1344aes/opt/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM1344AES_OPT_mul_bs(uint16_t *out, const uint16_t *b, const for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem1344shake/clean/util.c b/crypto_kem/frodokem1344shake/clean/util.c index 87cde592..9c1eae62 100644 --- a/crypto_kem/frodokem1344shake/clean/util.c +++ b/crypto_kem/frodokem1344shake/clean/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, co for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem1344shake/opt/util.c b/crypto_kem/frodokem1344shake/opt/util.c index 38cc33db..73cf8df9 100644 --- a/crypto_kem/frodokem1344shake/opt/util.c +++ b/crypto_kem/frodokem1344shake/opt/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM1344SHAKE_OPT_mul_bs(uint16_t *out, const uint16_t *b, cons for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem640aes/clean/util.c b/crypto_kem/frodokem640aes/clean/util.c index afcd1d56..84dd0ca0 100644 --- a/crypto_kem/frodokem640aes/clean/util.c +++ b/crypto_kem/frodokem640aes/clean/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM640AES_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem640aes/opt/util.c b/crypto_kem/frodokem640aes/opt/util.c index bd4aa970..ef739987 100644 --- a/crypto_kem/frodokem640aes/opt/util.c +++ b/crypto_kem/frodokem640aes/opt/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM640AES_OPT_mul_bs(uint16_t *out, const uint16_t *b, const u for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem640shake/clean/util.c b/crypto_kem/frodokem640shake/clean/util.c index 6056adff..621a3a5c 100644 --- a/crypto_kem/frodokem640shake/clean/util.c +++ b/crypto_kem/frodokem640shake/clean/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, con for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem640shake/opt/util.c b/crypto_kem/frodokem640shake/opt/util.c index e466f92f..518fd646 100644 --- a/crypto_kem/frodokem640shake/opt/util.c +++ b/crypto_kem/frodokem640shake/opt/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM640SHAKE_OPT_mul_bs(uint16_t *out, const uint16_t *b, const for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem976aes/clean/util.c b/crypto_kem/frodokem976aes/clean/util.c index e4225e67..e440ddef 100644 --- a/crypto_kem/frodokem976aes/clean/util.c +++ b/crypto_kem/frodokem976aes/clean/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM976AES_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem976aes/opt/util.c b/crypto_kem/frodokem976aes/opt/util.c index ae9e31fd..02191023 100644 --- a/crypto_kem/frodokem976aes/opt/util.c +++ b/crypto_kem/frodokem976aes/opt/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM976AES_OPT_mul_bs(uint16_t *out, const uint16_t *b, const u for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem976shake/clean/util.c b/crypto_kem/frodokem976shake/clean/util.c index 2242a28c..042572b5 100644 --- a/crypto_kem/frodokem976shake/clean/util.c +++ b/crypto_kem/frodokem976shake/clean/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, con for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); } diff --git a/crypto_kem/frodokem976shake/opt/util.c b/crypto_kem/frodokem976shake/opt/util.c index f3ec5756..3b3e7286 100644 --- a/crypto_kem/frodokem976shake/opt/util.c +++ b/crypto_kem/frodokem976shake/opt/util.c @@ -40,7 +40,7 @@ void PQCLEAN_FRODOKEM976SHAKE_OPT_mul_bs(uint16_t *out, const uint16_t *b, const for (j = 0; j < PARAMS_NBAR; j++) { out[i * PARAMS_NBAR + j] = 0; for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += b[i * PARAMS_N + k] * s[j * PARAMS_N + k]; + out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); } out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); }