ensure sike doesn't use uninitialized reads
This commit is contained in:
parent
c1283aa979
commit
7ba897ed4d
@ -190,7 +190,7 @@ void sike_from_mont(const felm_t ma, felm_t c)
|
|||||||
// Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1]
|
// Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1]
|
||||||
// Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
|
// Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
|
||||||
void sike_fp2sqr_mont(const f2elm_t a, f2elm_t c) {
|
void sike_fp2sqr_mont(const f2elm_t a, f2elm_t c) {
|
||||||
felm_t t1, t2, t3;
|
felm_t t1 = {0}, t2 = {0}, t3 = {0};
|
||||||
|
|
||||||
mp_addfast(a->c0, a->c1, t1); // t1 = a0+a1
|
mp_addfast(a->c0, a->c1, t1); // t1 = a0+a1
|
||||||
sike_fpsub(a->c0, a->c1, t2); // t2 = a0-a1
|
sike_fpsub(a->c0, a->c1, t2); // t2 = a0-a1
|
||||||
@ -247,7 +247,7 @@ void sike_fpcorrection(felm_t a) {
|
|||||||
// Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1]
|
// Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1]
|
||||||
// Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
|
// Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
|
||||||
void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) {
|
void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) {
|
||||||
felm_t t1, t2;
|
felm_t t1 = {0}, t2 = {0};
|
||||||
dfelm_t tt1, tt2, tt3;
|
dfelm_t tt1, tt2, tt3;
|
||||||
crypto_word_t mask;
|
crypto_word_t mask;
|
||||||
|
|
||||||
@ -270,7 +270,7 @@ void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) {
|
|||||||
|
|
||||||
// GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2).
|
// GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2).
|
||||||
void sike_fp2inv_mont(f2elm_t a) {
|
void sike_fp2inv_mont(f2elm_t a) {
|
||||||
f2elm_t t1;
|
f2elm_t t1 = {0};
|
||||||
|
|
||||||
fpsqr_mont(a->c0, t1->c0); // t10 = a0^2
|
fpsqr_mont(a->c0, t1->c0); // t10 = a0^2
|
||||||
fpsqr_mont(a->c1, t1->c1); // t11 = a1^2
|
fpsqr_mont(a->c1, t1->c1); // t11 = a1^2
|
||||||
|
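Review bot: `dfelm_t tt1, tt2, tt3;` and `crypto_word_t mask;` in sike_fp2mul_mont are left without initializers while `t1` and `t2` on the line just above now get `= {0}`, so this hunk only partially meets the commit's stated goal; the body that reads them lies outside the hunk, so whether any of them is read before being written cannot be confirmed here. If they are always written before use, a short comment such as `// tt1..tt3 and mask are fully written before being read` would document why they are exempt; otherwise they should be zeroed like the others. Note also that zero-initializing these temporaries only removes uninitialized reads — it does not clear secret-dependent intermediates from the stack at function exit, so this change should not be read as a zeroization fix; that would need an explicit secure-erase call before return, using whatever cleanse primitive the project already provides.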
@ -13,7 +13,7 @@ static void xDBL(const point_proj_t P, point_proj_t Q, const f2elm_t A24plus, co
|
|||||||
{ // Doubling of a Montgomery point in projective coordinates (X:Z).
|
{ // Doubling of a Montgomery point in projective coordinates (X:Z).
|
||||||
// Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C.
|
// Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C.
|
||||||
// Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2).
|
// Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2).
|
||||||
f2elm_t t0, t1;
|
f2elm_t t0 = {0}, t1 = {0};
|
||||||
|
|
||||||
sike_fp2sub(P->X, P->Z, t0); // t0 = X1-Z1
|
sike_fp2sub(P->X, P->Z, t0); // t0 = X1-Z1
|
||||||
sike_fp2add(P->X, P->Z, t1); // t1 = X1+Z1
|
sike_fp2add(P->X, P->Z, t1); // t1 = X1+Z1
|
||||||
@ -60,7 +60,7 @@ void eval_4_isog(point_proj_t P, f2elm_t* coeff)
|
|||||||
// by the 3 coefficients in coeff (computed in the function get_4_isog()).
|
// by the 3 coefficients in coeff (computed in the function get_4_isog()).
|
||||||
// Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z).
|
// Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z).
|
||||||
// Output: the projective point P = phi(P) = (X:Z) in the codomain.
|
// Output: the projective point P = phi(P) = (X:Z) in the codomain.
|
||||||
f2elm_t t0, t1;
|
f2elm_t t0 = {0}, t1 = {0};
|
||||||
|
|
||||||
sike_fp2add(P->X, P->Z, t0); // t0 = X+Z
|
sike_fp2add(P->X, P->Z, t0); // t0 = X+Z
|
||||||
sike_fp2sub(P->X, P->Z, t1); // t1 = X-Z
|
sike_fp2sub(P->X, P->Z, t1); // t1 = X-Z
|
||||||
@ -123,7 +123,7 @@ void get_3_isog(const point_proj_t P, f2elm_t A24minus, f2elm_t A24plus, f2elm_t
|
|||||||
{ // Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3.
|
{ // Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3.
|
||||||
// Input: projective point of order three P = (X3:Z3).
|
// Input: projective point of order three P = (X3:Z3).
|
||||||
// Output: the 3-isogenous Montgomery curve with projective coefficient A/C.
|
// Output: the 3-isogenous Montgomery curve with projective coefficient A/C.
|
||||||
f2elm_t t0, t1, t2, t3, t4;
|
f2elm_t t0 = {0}, t1 = {0}, t2 = {0}, t3 = {0}, t4 = {0};
|
||||||
|
|
||||||
sike_fp2sub(P->X, P->Z, coeff[0]); // coeff0 = X-Z
|
sike_fp2sub(P->X, P->Z, coeff[0]); // coeff0 = X-Z
|
||||||
sike_fp2sqr_mont(coeff[0], t0); // t0 = (X-Z)^2
|
sike_fp2sqr_mont(coeff[0], t0); // t0 = (X-Z)^2
|
||||||
@ -189,7 +189,7 @@ void get_A(const f2elm_t xP, const f2elm_t xQ, const f2elm_t xR, f2elm_t A)
|
|||||||
{ // Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A.
|
{ // Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A.
|
||||||
// Input: the x-coordinates xP, xQ, and xR of the points P, Q and R.
|
// Input: the x-coordinates xP, xQ, and xR of the points P, Q and R.
|
||||||
// Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x.
|
// Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x.
|
||||||
f2elm_t t0, t1, one = F2ELM_INIT;
|
f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT, one = F2ELM_INIT;
|
||||||
|
|
||||||
extern const struct params_t params;
|
extern const struct params_t params;
|
||||||
sike_fpcopy(params.mont_one, one->c0);
|
sike_fpcopy(params.mont_one, one->c0);
|
||||||
@ -213,7 +213,7 @@ void j_inv(const f2elm_t A, const f2elm_t C, f2elm_t jinv)
|
|||||||
{ // Computes the j-invariant of a Montgomery curve with projective constant.
|
{ // Computes the j-invariant of a Montgomery curve with projective constant.
|
||||||
// Input: A,C in GF(p^2).
|
// Input: A,C in GF(p^2).
|
||||||
// Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x.
|
// Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x.
|
||||||
f2elm_t t0, t1;
|
f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT;
|
||||||
|
|
||||||
sike_fp2sqr_mont(A, jinv); // jinv = A^2
|
sike_fp2sqr_mont(A, jinv); // jinv = A^2
|
||||||
sike_fp2sqr_mont(C, t1); // t1 = C^2
|
sike_fp2sqr_mont(C, t1); // t1 = C^2
|
||||||
@ -238,7 +238,7 @@ void xDBLADD(point_proj_t P, point_proj_t Q, const f2elm_t xPQ, const f2elm_t A2
|
|||||||
{ // Simultaneous doubling and differential addition.
|
{ // Simultaneous doubling and differential addition.
|
||||||
// Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4.
|
// Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4.
|
||||||
// Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP.
|
// Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP.
|
||||||
f2elm_t t0, t1, t2;
|
f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT, t2 = F2ELM_INIT;
|
||||||
|
|
||||||
sike_fp2add(P->X, P->Z, t0); // t0 = XP+ZP
|
sike_fp2add(P->X, P->Z, t0); // t0 = XP+ZP
|
||||||
sike_fp2sub(P->X, P->Z, t1); // t1 = XP-ZP
|
sike_fp2sub(P->X, P->Z, t1); // t1 = XP-ZP
|
||||||
|
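Review bot: The same type is initialized two different ways within this file: `f2elm_t t0 = {0}, t1 = {0};` in xDBL, eval_4_isog and get_3_isog versus `f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT;` in get_A, j_inv and xDBLADD. Since F2ELM_INIT already exists for exactly this purpose (it was in use for `one` in get_A before this commit), the three `{0}` hunks should use it too, e.g. `f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT;` in xDBL. `{0}` on a nested aggregate is valid C but can draw -Wmissing-braces from some compilers, which is presumably why the macro exists. The bodies of all six functions continue outside their hunks.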
@ -136,11 +136,11 @@ static void gen_iso_A(const uint8_t* skA, uint8_t* pkA)
|
|||||||
point_proj_t phiP = POINT_PROJ_INIT;
|
point_proj_t phiP = POINT_PROJ_INIT;
|
||||||
point_proj_t phiQ = POINT_PROJ_INIT;
|
point_proj_t phiQ = POINT_PROJ_INIT;
|
||||||
point_proj_t phiR = POINT_PROJ_INIT;
|
point_proj_t phiR = POINT_PROJ_INIT;
|
||||||
f2elm_t XPA, XQA, XRA, coeff[3];
|
f2elm_t XPA, XQA, XRA, coeff[3] = {0};
|
||||||
f2elm_t A24plus = F2ELM_INIT;
|
f2elm_t A24plus = F2ELM_INIT;
|
||||||
f2elm_t C24 = F2ELM_INIT;
|
f2elm_t C24 = F2ELM_INIT;
|
||||||
f2elm_t A = F2ELM_INIT;
|
f2elm_t A = F2ELM_INIT;
|
||||||
unsigned int m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;
|
unsigned int m, index = 0, pts_index[MAX_INT_POINTS_ALICE] = {0}, npts = 0, ii = 0;
|
||||||
|
|
||||||
// Initialize basis points
|
// Initialize basis points
|
||||||
sike_init_basis(params.A_gen, XPA, XQA, XRA);
|
sike_init_basis(params.A_gen, XPA, XQA, XRA);
|
||||||
@ -211,11 +211,11 @@ static void gen_iso_B(const uint8_t* skB, uint8_t* pkB)
|
|||||||
point_proj_t phiP = POINT_PROJ_INIT;
|
point_proj_t phiP = POINT_PROJ_INIT;
|
||||||
point_proj_t phiQ = POINT_PROJ_INIT;
|
point_proj_t phiQ = POINT_PROJ_INIT;
|
||||||
point_proj_t phiR = POINT_PROJ_INIT;
|
point_proj_t phiR = POINT_PROJ_INIT;
|
||||||
f2elm_t XPB, XQB, XRB, coeff[3];
|
f2elm_t XPB, XQB, XRB, coeff[3] = {0};
|
||||||
f2elm_t A24plus = F2ELM_INIT;
|
f2elm_t A24plus = F2ELM_INIT;
|
||||||
f2elm_t A24minus = F2ELM_INIT;
|
f2elm_t A24minus = F2ELM_INIT;
|
||||||
f2elm_t A = F2ELM_INIT;
|
f2elm_t A = F2ELM_INIT;
|
||||||
unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
|
unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB] = {0}, npts = 0, ii = 0;
|
||||||
|
|
||||||
// Initialize basis points
|
// Initialize basis points
|
||||||
sike_init_basis(params.B_gen, XPB, XQB, XRB);
|
sike_init_basis(params.B_gen, XPB, XQB, XRB);
|
||||||
@ -342,12 +342,12 @@ static void ex_iso_A(const uint8_t* skA, const uint8_t* pkB, uint8_t* ssA)
|
|||||||
// Output: a shared secret ssB that consists of one element in GF(p503^2) encoded in 126 bytes.
|
// Output: a shared secret ssB that consists of one element in GF(p503^2) encoded in 126 bytes.
|
||||||
static void ex_iso_B(const uint8_t* skB, const uint8_t* pkA, uint8_t* ssB)
|
static void ex_iso_B(const uint8_t* skB, const uint8_t* pkA, uint8_t* ssB)
|
||||||
{
|
{
|
||||||
point_proj_t R, pts[MAX_INT_POINTS_BOB];
|
point_proj_t R, pts[MAX_INT_POINTS_BOB] = {0};
|
||||||
f2elm_t coeff[3], PKB[3], jinv;
|
f2elm_t coeff[3] = {0}, PKB[3] = {0}, jinv;
|
||||||
f2elm_t A24plus = F2ELM_INIT;
|
f2elm_t A24plus = F2ELM_INIT;
|
||||||
f2elm_t A24minus = F2ELM_INIT;
|
f2elm_t A24minus = F2ELM_INIT;
|
||||||
f2elm_t A = F2ELM_INIT;
|
f2elm_t A = F2ELM_INIT;
|
||||||
unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
|
unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB] = {0}, npts = 0, ii = 0;
|
||||||
|
|
||||||
// Initialize images of Alice's basis
|
// Initialize images of Alice's basis
|
||||||
fp2_decode(pkA, PKB[0]);
|
fp2_decode(pkA, PKB[0]);
|
||||||
@ -412,7 +412,7 @@ void SIKE_encaps(uint8_t out_shared_key[SIKE_SS_BYTESZ],
|
|||||||
// secret data. It's size must be maximum of 64,
|
// secret data. It's size must be maximum of 64,
|
||||||
// SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
|
// SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
|
||||||
uint8_t secret[32]; // OZAPTF, why?
|
uint8_t secret[32]; // OZAPTF, why?
|
||||||
uint8_t j[SIDH_JINV_BYTESZ];
|
uint8_t j[SIDH_JINV_BYTESZ] = {0};
|
||||||
uint8_t temp[SIKE_MSG_BYTESZ + SIKE_CT_BYTESZ];
|
uint8_t temp[SIKE_MSG_BYTESZ + SIKE_CT_BYTESZ];
|
||||||
shake256incctx ctx;
|
shake256incctx ctx;
|
||||||
|
|
||||||
@ -460,9 +460,9 @@ void SIKE_decaps(uint8_t out_shared_key[SIKE_SS_BYTESZ],
|
|||||||
// secret data. It's size must be maximum of 64,
|
// secret data. It's size must be maximum of 64,
|
||||||
// SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
|
// SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
|
||||||
uint8_t secret[32];
|
uint8_t secret[32];
|
||||||
uint8_t j[SIDH_JINV_BYTESZ];
|
uint8_t j[SIDH_JINV_BYTESZ] = {0};
|
||||||
uint8_t c0[SIKE_PUB_BYTESZ];
|
uint8_t c0[SIKE_PUB_BYTESZ] = {0};
|
||||||
uint8_t temp[SIKE_MSG_BYTESZ];
|
uint8_t temp[SIKE_MSG_BYTESZ] = {0};
|
||||||
shake256incctx ctx;
|
shake256incctx ctx;
|
||||||
|
|
||||||
// Recover m
|
// Recover m
|
||||||
|
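Review bot: In ex_iso_B the initializer binds only to the last declarator, so `point_proj_t R, pts[MAX_INT_POINTS_BOB] = {0};` leaves `R` uninitialized and `f2elm_t coeff[3] = {0}, PKB[3] = {0}, jinv;` leaves `jinv` uninitialized, which is easy to misread as the whole line being zeroed. Splitting them to one declaration per line — `point_proj_t R = POINT_PROJ_INIT;`, `point_proj_t pts[MAX_INT_POINTS_BOB] = {0};`, `f2elm_t jinv = F2ELM_INIT;` — makes the coverage explicit; the same pattern appears with `XPA, XQA, XRA` in gen_iso_A and `XPB, XQB, XRB` in gen_iso_B, though those are written by sike_init_basis two lines later. In SIKE_encaps `uint8_t secret[32]` and `temp[SIKE_MSG_BYTESZ + SIKE_CT_BYTESZ]` stay uninitialized while `j` is zeroed, and the `// OZAPTF, why?` comment on `secret` is still unanswered; since `secret` holds key material, the comment should say why 32 bytes suffices given the "maximum of 64" note above it, and the buffer should be explicitly wiped before return regardless of how it is initialized. The function bodies continue outside these hunks.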