From 3efcd2b186f2567c6bb0cb0cf5ed8dc9daeb5173 Mon Sep 17 00:00:00 2001
From: Thom Wiggers
Date: Tue, 17 Nov 2020 12:25:34 +0100
Subject: [PATCH 1/2] Fix overflowing multiplication in FrodoKEM AES
---
 crypto_kem/frodokem1344aes/opt/matrix_aes.c | 8 ++++----
 crypto_kem/frodokem640aes/opt/matrix_aes.c | 10 +++++-----
 crypto_kem/frodokem976aes/opt/matrix_aes.c | 8 ++++----
 3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/crypto_kem/frodokem1344aes/opt/matrix_aes.c b/crypto_kem/frodokem1344aes/opt/matrix_aes.c
index 58a91fba..ca461c99 100644
--- a/crypto_kem/frodokem1344aes/opt/matrix_aes.c
+++ b/crypto_kem/frodokem1344aes/opt/matrix_aes.c
@@ -110,10 +110,10 @@ int PQCLEAN_FRODOKEM1344AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t
 uint16_t sum[PARAMS_PARALLEL] = {0};
 for (j = 0; j < PARAMS_N; j++) { // Matrix-vector multiplication
 uint16_t sp = s[i * PARAMS_N + j];
- sum[0] += sp * a_cols_t[(k + 0) * PARAMS_N + j];
- sum[1] += sp * a_cols_t[(k + 1) * PARAMS_N + j];
- sum[2] += sp * a_cols_t[(k + 2) * PARAMS_N + j];
- sum[3] += sp * a_cols_t[(k + 3) * PARAMS_N + j];
+ sum[0] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 0) * PARAMS_N + j]);
+ sum[1] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 1) * PARAMS_N + j]);
+ sum[2] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 2) * PARAMS_N + j]);
+ sum[3] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 3) * PARAMS_N + j]);
 }
 out[i * PARAMS_N + kk + k + 0] += sum[0];
 out[i * PARAMS_N + kk + k + 2] += sum[2];
diff --git a/crypto_kem/frodokem640aes/opt/matrix_aes.c b/crypto_kem/frodokem640aes/opt/matrix_aes.c
index 2d858502..84b29f50 100644
--- a/crypto_kem/frodokem640aes/opt/matrix_aes.c
+++ b/crypto_kem/frodokem640aes/opt/matrix_aes.c
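Review bot: The `(uint32_t)` cast on the four new `sum[...] +=` lines carries no comment explaining why it is there, and the reason is subtle enough that a later cleanup could remove it: `sp` and `a_cols_t[...]` are both `uint16_t`, so the old `sp * a_cols_t[...]` was evaluated in signed `int`, and the product of two 16-bit values can exceed `INT_MAX`, which is undefined behaviour; widening one operand makes the multiply unsigned 32-bit, and the outer `(uint16_t)` is then the intended reduction mod 2^16. I would add, above `uint16_t sum[PARAMS_PARALLEL] = {0};`: `// Multiply in uint32_t: uint16_t operands promote to int and their product can overflow it (UB); the (uint16_t) cast is the intended mod 2^16 reduction.` The compound `+=` still narrows an `int` sum back to `uint16_t` implicitly; if the project builds with `-Wconversion`, `sum[0] = (uint16_t)(sum[0] + sp * (uint32_t)a_cols_t[(k + 0) * PARAMS_N + j]);` keeps every reduction explicit with one cast instead of two. The same applies to the frodokem640aes and frodokem976aes hunks; the enclosing function begins and ends outside this hunk.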
@@ -80,7 +80,7 @@ int PQCLEAN_FRODOKEM640AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *
 *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]);
 }
- int k;
+ size_t k;
 uint16_t a_cols[PARAMS_N * PARAMS_STRIPE_STEP] = {0};
 uint16_t a_cols_t[PARAMS_N * PARAMS_STRIPE_STEP];
 uint16_t a_cols_temp[PARAMS_N * PARAMS_STRIPE_STEP] = {0};
@@ -110,10 +110,10 @@ int PQCLEAN_FRODOKEM640AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *
 uint16_t sum[PARAMS_PARALLEL] = {0};
 for (j = 0; j < PARAMS_N; j++) { // Matrix-vector multiplication
 uint16_t sp = s[i * PARAMS_N + j];
- sum[0] += sp * a_cols_t[(k + 0) * PARAMS_N + j];
- sum[1] += sp * a_cols_t[(k + 1) * PARAMS_N + j];
- sum[2] += sp * a_cols_t[(k + 2) * PARAMS_N + j];
- sum[3] += sp * a_cols_t[(k + 3) * PARAMS_N + j];
+ sum[0] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 0) * PARAMS_N + j]);
+ sum[1] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 1) * PARAMS_N + j]);
+ sum[2] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 2) * PARAMS_N + j]);
+ sum[3] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 3) * PARAMS_N + j]);
 }
 out[i * PARAMS_N + kk + k + 0] += sum[0];
 out[i * PARAMS_N + kk + k + 2] += sum[2];
diff --git a/crypto_kem/frodokem976aes/opt/matrix_aes.c b/crypto_kem/frodokem976aes/opt/matrix_aes.c
index ddff99ac..8461bda0 100644
--- a/crypto_kem/frodokem976aes/opt/matrix_aes.c
+++ b/crypto_kem/frodokem976aes/opt/matrix_aes.c
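Review bot: The context line `*((uint32_t *)&out[i]) = *((uint32_t *)&e[i]);` directly above the changed declaration is the same class of undefined behaviour this series is removing elsewhere: it reads and writes `uint16_t` arrays through a `uint32_t` lvalue, which violates strict aliasing and, on targets that trap on misaligned access, can fault when `out` or `e` is only 2-byte aligned. A `memcpy(&out[i], &e[i], 2 * sizeof(uint16_t));` is well-defined and compiles to the same load/store on mainstream compilers. The loop header that steps `i` is outside the hunk, so the copy width (presumably two elements per iteration, matching the `uint32_t` cast) needs confirming, as does whether `<string.h>` is already included in this file. The `int k` → `size_t k` change itself is fine for the visible uses, though patch 2/2 reverts it.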
@@ -110,10 +110,10 @@ int PQCLEAN_FRODOKEM976AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *
 uint16_t sum[PARAMS_PARALLEL] = {0};
 for (j = 0; j < PARAMS_N; j++) { // Matrix-vector multiplication
 uint16_t sp = s[i * PARAMS_N + j];
- sum[0] += sp * a_cols_t[(k + 0) * PARAMS_N + j];
- sum[1] += sp * a_cols_t[(k + 1) * PARAMS_N + j];
- sum[2] += sp * a_cols_t[(k + 2) * PARAMS_N + j];
- sum[3] += sp * a_cols_t[(k + 3) * PARAMS_N + j];
+ sum[0] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 0) * PARAMS_N + j]);
+ sum[1] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 1) * PARAMS_N + j]);
+ sum[2] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 2) * PARAMS_N + j]);
+ sum[3] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 3) * PARAMS_N + j]);
 }
 out[i * PARAMS_N + kk + k + 0] += sum[0];
 out[i * PARAMS_N + kk + k + 2] += sum[2];
From 01f709ac337c2a8c192a4927f02e737d1009c2fa Mon Sep 17 00:00:00 2001
From: Thom Wiggers
Date: Tue, 17 Nov 2020 12:28:12 +0100
Subject: [PATCH 2/2] Also fix problem in FrodoKEM-SHAKE
---
 crypto_kem/frodokem1344shake/opt/matrix_shake.c | 2 +-
 crypto_kem/frodokem640aes/opt/matrix_aes.c | 2 +-
 crypto_kem/frodokem640shake/opt/matrix_shake.c | 2 +-
 crypto_kem/frodokem976shake/opt/matrix_shake.c | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto_kem/frodokem1344shake/opt/matrix_shake.c b/crypto_kem/frodokem1344shake/opt/matrix_shake.c
index 7fab5e5f..6d037ec1 100644
--- a/crypto_kem/frodokem1344shake/opt/matrix_shake.c
+++ b/crypto_kem/frodokem1344shake/opt/matrix_shake.c
@@ -96,7 +96,7 @@ int PQCLEAN_FRODOKEM1344SHAKE_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_
 for (j = 0; j < 4; j++) {
 uint16_t sp = s[i * PARAMS_N + kk + j];
 for (k = 0; k < PARAMS_N; k++) { // Matrix-vector multiplication
- sum[k] += sp * a_cols[(t + j) * PARAMS_N + k];
+ sum[k] += (uint16_t)(sp * (uint32_t)a_cols[(t + j) * PARAMS_N + k]);
 }
 }
 for (k = 0; k < PARAMS_N; k++) {
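Review bot: In the frodokem1344shake hunk the new `sum[k] += (uint16_t)(sp * (uint32_t)a_cols[(t + j) * PARAMS_N + k]);` gives no hint why the widening cast is needed, and with `sum`'s declaration outside the hunk a reader has to reconstruct that the old `uint16_t * uint16_t` product was computed in signed `int` and could exceed `INT_MAX`, which is undefined behaviour. I would extend the existing `// Matrix-vector multiplication` comment on the inner `for (k = ...)` line to `// Matrix-vector multiplication; multiply in uint32_t: the int-promoted product of two uint16_t can overflow (UB), and truncation to uint16_t is the intended mod 2^16 reduction`. The same note applies to the frodokem640shake and frodokem976shake hunks; the enclosing function and the `sum` declaration lie outside the hunk.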
diff --git a/crypto_kem/frodokem640aes/opt/matrix_aes.c b/crypto_kem/frodokem640aes/opt/matrix_aes.c
index 84b29f50..3f245fcf 100644
--- a/crypto_kem/frodokem640aes/opt/matrix_aes.c
+++ b/crypto_kem/frodokem640aes/opt/matrix_aes.c
@@ -80,7 +80,7 @@ int PQCLEAN_FRODOKEM640AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *
 *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]);
 }
- size_t k;
+ int k;
 uint16_t a_cols[PARAMS_N * PARAMS_STRIPE_STEP] = {0};
 uint16_t a_cols_t[PARAMS_N * PARAMS_STRIPE_STEP];
 uint16_t a_cols_temp[PARAMS_N * PARAMS_STRIPE_STEP] = {0};
diff --git a/crypto_kem/frodokem640shake/opt/matrix_shake.c b/crypto_kem/frodokem640shake/opt/matrix_shake.c
index 3094f2a9..fa8a5f06 100644
--- a/crypto_kem/frodokem640shake/opt/matrix_shake.c
+++ b/crypto_kem/frodokem640shake/opt/matrix_shake.c
@@ -96,7 +96,7 @@ int PQCLEAN_FRODOKEM640SHAKE_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t
 for (j = 0; j < 4; j++) {
 uint16_t sp = s[i * PARAMS_N + kk + j];
 for (k = 0; k < PARAMS_N; k++) { // Matrix-vector multiplication
- sum[k] += sp * a_cols[(t + j) * PARAMS_N + k];
+ sum[k] += (uint16_t)(sp * (uint32_t)a_cols[(t + j) * PARAMS_N + k]);
 }
 }
 for (k = 0; k < PARAMS_N; k++) {
diff --git a/crypto_kem/frodokem976shake/opt/matrix_shake.c b/crypto_kem/frodokem976shake/opt/matrix_shake.c
index 43cf3fd2..80826ca5 100644
--- a/crypto_kem/frodokem976shake/opt/matrix_shake.c
+++ b/crypto_kem/frodokem976shake/opt/matrix_shake.c
@@ -96,7 +96,7 @@ int PQCLEAN_FRODOKEM976SHAKE_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t
 for (j = 0; j < 4; j++) {
 uint16_t sp = s[i * PARAMS_N + kk + j];
 for (k = 0; k < PARAMS_N; k++) { // Matrix-vector multiplication
- sum[k] += sp * a_cols[(t + j) * PARAMS_N + k];
+ sum[k] += (uint16_t)(sp * (uint32_t)a_cols[(t + j) * PARAMS_N + k]);
 }
 }
 for (k = 0; k < PARAMS_N; k++) {
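Review bot: The first hunk of this patch changes `size_t k;` back to `int k;` in frodokem640aes/opt/matrix_aes.c, which exactly undoes the `int k` → `size_t k` change made by patch 1/2, so across the series that line is a no-op, and the subject "Also fix problem in FrodoKEM-SHAKE" does not say why an AES file is touched. Either squash the two patches, or state in the message why `int` is the right type here; if `size_t` broke a signed comparison or the `kk + k` index arithmetic elsewhere in the function (not visible in this hunk), a one-line comment on `int k;` giving that reason would save the next reader the same round trip. The enclosing function begins and ends outside the hunk.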