Avoid ==, !=, etc in arithmetic expressions. Some compilers will produce non-constant time code.

crypto_kem/hqc-rmrs-128/clean/reed_solomon.c

@@ -228,9 +228,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons
     // Compute the beta_{j_i} page 31 of the documentation
     for (size_t i = 0 ; i < PARAM_N1 ; i++) {
         uint16_t found = 0;
-        int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15;
-        for (size_t j = 0 ; j < PARAM_DELTA ; j++) {
-            int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15;
+        uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0
+        for (uint16_t j = 0 ; j < PARAM_DELTA ; j++) {
+            uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter
             beta_j[j] += indexmask & valuemask & exp[i];
             found += indexmask & valuemask & 1;
         }
@@ -252,7 +252,7 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons
         for (size_t k = 1 ; k < PARAM_DELTA ; ++k) {
             tmp2 = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS128_CLEAN_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA])));
         }
-        int16_t mask = ((int16_t) - (i < delta_real_value)) >> 15;
+        uint16_t mask = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value
         e_j[i] = mask & PQCLEAN_HQCRMRS128_CLEAN_gf_mul(tmp1, PQCLEAN_HQCRMRS128_CLEAN_gf_inverse(tmp2));
     }
 
@@ -260,9 +260,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons
     delta_counter = 0;
     for (size_t i = 0 ; i < PARAM_N1 ; ++i) {
         uint16_t found = 0;
-        int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15;
+        uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0
         for (size_t j = 0 ; j < PARAM_DELTA ; j++) {
-            int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15;
+            uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter
             error_values[i] += indexmask & valuemask & e_j[j];
             found += indexmask & valuemask & 1;
         }

crypto_kem/hqc-rmrs-192/clean/reed_solomon.c

@@ -228,9 +228,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons
     // Compute the beta_{j_i} page 31 of the documentation
     for (size_t i = 0 ; i < PARAM_N1 ; i++) {
         uint16_t found = 0;
-        int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15;
-        for (size_t j = 0 ; j < PARAM_DELTA ; j++) {
-            int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15;
+        uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0
+        for (uint16_t j = 0 ; j < PARAM_DELTA ; j++) {
+            uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter
             beta_j[j] += indexmask & valuemask & exp[i];
             found += indexmask & valuemask & 1;
         }
@@ -252,7 +252,7 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons
         for (size_t k = 1 ; k < PARAM_DELTA ; ++k) {
             tmp2 = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS192_CLEAN_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA])));
         }
-        int16_t mask = ((int16_t) - (i < delta_real_value)) >> 15;
+        uint16_t mask = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value
         e_j[i] = mask & PQCLEAN_HQCRMRS192_CLEAN_gf_mul(tmp1, PQCLEAN_HQCRMRS192_CLEAN_gf_inverse(tmp2));
     }
 
@@ -260,9 +260,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons
     delta_counter = 0;
     for (size_t i = 0 ; i < PARAM_N1 ; ++i) {
         uint16_t found = 0;
-        int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15;
+        uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0
         for (size_t j = 0 ; j < PARAM_DELTA ; j++) {
-            int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15;
+            uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter
             error_values[i] += indexmask & valuemask & e_j[j];
             found += indexmask & valuemask & 1;
         }

crypto_kem/hqc-rmrs-256/clean/reed_solomon.c

@@ -228,9 +228,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons
     // Compute the beta_{j_i} page 31 of the documentation
     for (size_t i = 0 ; i < PARAM_N1 ; i++) {
         uint16_t found = 0;
-        int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15;
-        for (size_t j = 0 ; j < PARAM_DELTA ; j++) {
-            int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15;
+        uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0
+        for (uint16_t j = 0 ; j < PARAM_DELTA ; j++) {
+            uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter
             beta_j[j] += indexmask & valuemask & exp[i];
             found += indexmask & valuemask & 1;
         }
@@ -252,7 +252,7 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons
         for (size_t k = 1 ; k < PARAM_DELTA ; ++k) {
             tmp2 = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS256_CLEAN_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA])));
         }
-        int16_t mask = ((int16_t) - (i < delta_real_value)) >> 15;
+        uint16_t mask = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value
         e_j[i] = mask & PQCLEAN_HQCRMRS256_CLEAN_gf_mul(tmp1, PQCLEAN_HQCRMRS256_CLEAN_gf_inverse(tmp2));
     }
 
@@ -260,9 +260,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons
     delta_counter = 0;
     for (size_t i = 0 ; i < PARAM_N1 ; ++i) {
         uint16_t found = 0;
-        int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15;
+        uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0
         for (size_t j = 0 ; j < PARAM_DELTA ; j++) {
-            int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15;
+            uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter
             error_values[i] += indexmask & valuemask & e_j[j];
             found += indexmask & valuemask & 1;
         }

test/duplicate_consistency/hqc-rmrs-128_avx2.yml

@@ -6,18 +6,19 @@ consistency_checks:
       - api.h
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h
       - code.c
       - fft.c
-      - reed_solomon.c
 - source:
     scheme: hqc-rmrs-192
     implementation: clean
   files:
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h
@@ -50,6 +51,7 @@ consistency_checks:
   files:
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h

test/duplicate_consistency/hqc-rmrs-128_clean.yml

@@ -6,12 +6,12 @@ consistency_checks:
       - api.h
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h
       - code.c
       - fft.c
-      - reed_solomon.c
 - source:
     scheme: hqc-rmrs-192
     implementation: clean
@@ -40,6 +40,7 @@ consistency_checks:
   files:
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h
@@ -73,6 +74,7 @@ consistency_checks:
   files:
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h

test/duplicate_consistency/hqc-rmrs-192_avx2.yml

@@ -6,18 +6,19 @@ consistency_checks:
       - api.h
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h
       - code.c
       - fft.c
-      - reed_solomon.c
 - source:
     scheme: hqc-rmrs-256
     implementation: clean
   files:
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h

test/duplicate_consistency/hqc-rmrs-192_clean.yml

@@ -6,12 +6,12 @@ consistency_checks:
       - api.h
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h
       - code.c
       - fft.c
-      - reed_solomon.c
 - source:
     scheme: hqc-rmrs-256
     implementation: clean
@@ -40,6 +40,7 @@ consistency_checks:
   files:
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h

test/duplicate_consistency/hqc-rmrs-256_avx2.yml

@@ -6,9 +6,9 @@ consistency_checks:
       - api.h
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h
       - code.c
       - fft.c
-      - reed_solomon.c

test/duplicate_consistency/hqc-rmrs-256_clean.yml

@@ -6,9 +6,9 @@ consistency_checks:
       - api.h
       - code.h
       - fft.h
+      - gf.h
       - hqc.h
       - reed_muller.h
       - reed_solomon.h
       - code.c
       - fft.c
-      - reed_solomon.c