From ae30e1f43234530d2480d17a465eabc19f749c42 Mon Sep 17 00:00:00 2001 From: "John M. Schanck" Date: Wed, 9 Sep 2020 16:07:20 -0400 Subject: [PATCH] Avoid ==, !=, etc in arithmetic expressions. Some compilers will produce non-constant time code. --- crypto_kem/hqc-rmrs-128/clean/reed_solomon.c | 12 ++++++------ crypto_kem/hqc-rmrs-192/clean/reed_solomon.c | 12 ++++++------ crypto_kem/hqc-rmrs-256/clean/reed_solomon.c | 12 ++++++------ test/duplicate_consistency/hqc-rmrs-128_avx2.yml | 4 +++- test/duplicate_consistency/hqc-rmrs-128_clean.yml | 4 +++- test/duplicate_consistency/hqc-rmrs-192_avx2.yml | 3 ++- test/duplicate_consistency/hqc-rmrs-192_clean.yml | 3 ++- test/duplicate_consistency/hqc-rmrs-256_avx2.yml | 2 +- test/duplicate_consistency/hqc-rmrs-256_clean.yml | 2 +- 9 files changed, 30 insertions(+), 24 deletions(-) diff --git a/crypto_kem/hqc-rmrs-128/clean/reed_solomon.c b/crypto_kem/hqc-rmrs-128/clean/reed_solomon.c index 0265c446..709f4e0c 100644 --- a/crypto_kem/hqc-rmrs-128/clean/reed_solomon.c +++ b/crypto_kem/hqc-rmrs-128/clean/reed_solomon.c @@ -228,9 +228,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons // Compute the beta_{j_i} page 31 of the documentation for (size_t i = 0 ; i < PARAM_N1 ; i++) { uint16_t found = 0; - int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15; - for (size_t j = 0 ; j < PARAM_DELTA ; j++) { - int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15; + uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 + for (uint16_t j = 0 ; j < PARAM_DELTA ; j++) { + uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter beta_j[j] += indexmask & valuemask & exp[i]; found += indexmask & valuemask & 1; } @@ -252,7 +252,7 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons for (size_t k = 1 ; k < PARAM_DELTA ; ++k) { tmp2 = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS128_CLEAN_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA]))); } - int16_t mask = ((int16_t) - (i < delta_real_value)) >> 15; + uint16_t mask = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value e_j[i] = mask & PQCLEAN_HQCRMRS128_CLEAN_gf_mul(tmp1, PQCLEAN_HQCRMRS128_CLEAN_gf_inverse(tmp2)); } @@ -260,9 +260,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons delta_counter = 0; for (size_t i = 0 ; i < PARAM_N1 ; ++i) { uint16_t found = 0; - int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15; + uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 for (size_t j = 0 ; j < PARAM_DELTA ; j++) { - int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15; + uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter error_values[i] += indexmask & valuemask & e_j[j]; found += indexmask & valuemask & 1; } diff --git a/crypto_kem/hqc-rmrs-192/clean/reed_solomon.c b/crypto_kem/hqc-rmrs-192/clean/reed_solomon.c index c3e782af..b00a8742 100644 --- a/crypto_kem/hqc-rmrs-192/clean/reed_solomon.c +++ b/crypto_kem/hqc-rmrs-192/clean/reed_solomon.c @@ -228,9 +228,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons // Compute the beta_{j_i} page 31 of the documentation for (size_t i = 0 ; i < PARAM_N1 ; i++) { uint16_t found = 0; - int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15; - for (size_t j = 0 ; j < PARAM_DELTA ; j++) { - int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15; + uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 + for (uint16_t j = 0 ; j < PARAM_DELTA ; j++) { + uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter beta_j[j] += indexmask & valuemask & exp[i]; found += indexmask & valuemask & 1; } @@ -252,7 +252,7 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons for (size_t k = 1 ; k < PARAM_DELTA ; ++k) { tmp2 = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS192_CLEAN_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA]))); } - int16_t mask = ((int16_t) - (i < delta_real_value)) >> 15; + uint16_t mask = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value e_j[i] = mask & PQCLEAN_HQCRMRS192_CLEAN_gf_mul(tmp1, PQCLEAN_HQCRMRS192_CLEAN_gf_inverse(tmp2)); } @@ -260,9 +260,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons delta_counter = 0; for (size_t i = 0 ; i < PARAM_N1 ; ++i) { uint16_t found = 0; - int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15; + uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 for (size_t j = 0 ; j < PARAM_DELTA ; j++) { - int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15; + uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter error_values[i] += indexmask & valuemask & e_j[j]; found += indexmask & valuemask & 1; } diff --git a/crypto_kem/hqc-rmrs-256/clean/reed_solomon.c b/crypto_kem/hqc-rmrs-256/clean/reed_solomon.c index 7022698f..35c1e05b 100644 --- a/crypto_kem/hqc-rmrs-256/clean/reed_solomon.c +++ b/crypto_kem/hqc-rmrs-256/clean/reed_solomon.c @@ -228,9 +228,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons // Compute the beta_{j_i} page 31 of the documentation for (size_t i = 0 ; i < PARAM_N1 ; i++) { uint16_t found = 0; - int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15; - for (size_t j = 0 ; j < PARAM_DELTA ; j++) { - int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15; + uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 + for (uint16_t j = 0 ; j < PARAM_DELTA ; j++) { + uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter beta_j[j] += indexmask & valuemask & exp[i]; found += indexmask & valuemask & 1; } @@ -252,7 +252,7 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons for (size_t k = 1 ; k < PARAM_DELTA ; ++k) { tmp2 = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS256_CLEAN_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA]))); } - int16_t mask = ((int16_t) - (i < delta_real_value)) >> 15; + uint16_t mask = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value e_j[i] = mask & PQCLEAN_HQCRMRS256_CLEAN_gf_mul(tmp1, PQCLEAN_HQCRMRS256_CLEAN_gf_inverse(tmp2)); } @@ -260,9 +260,9 @@ static void compute_error_values(uint16_t *error_values, const uint16_t *z, cons delta_counter = 0; for (size_t i = 0 ; i < PARAM_N1 ; ++i) { uint16_t found = 0; - int16_t valuemask = ((int16_t) - (error[i] != 0)) >> 15; + uint16_t valuemask = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 for (size_t j = 0 ; j < PARAM_DELTA ; j++) { - int16_t indexmask = ((int16_t) - (j == delta_counter)) >> 15; + uint16_t indexmask = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter error_values[i] += indexmask & valuemask & e_j[j]; found += indexmask & valuemask & 1; } diff --git a/test/duplicate_consistency/hqc-rmrs-128_avx2.yml b/test/duplicate_consistency/hqc-rmrs-128_avx2.yml index 907f0594..a16db890 100644 --- a/test/duplicate_consistency/hqc-rmrs-128_avx2.yml +++ b/test/duplicate_consistency/hqc-rmrs-128_avx2.yml @@ -6,18 +6,19 @@ consistency_checks: - api.h - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h - code.c - fft.c - - reed_solomon.c - source: scheme: hqc-rmrs-192 implementation: clean files: - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h @@ -50,6 +51,7 @@ consistency_checks: files: - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h diff --git a/test/duplicate_consistency/hqc-rmrs-128_clean.yml b/test/duplicate_consistency/hqc-rmrs-128_clean.yml index 49d2e43f..4bed9a73 100644 --- a/test/duplicate_consistency/hqc-rmrs-128_clean.yml +++ b/test/duplicate_consistency/hqc-rmrs-128_clean.yml @@ -6,12 +6,12 @@ consistency_checks: - api.h - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h - code.c - fft.c - - reed_solomon.c - source: scheme: hqc-rmrs-192 implementation: clean @@ -40,6 +40,7 @@ consistency_checks: files: - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h @@ -73,6 +74,7 @@ consistency_checks: files: - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h diff --git a/test/duplicate_consistency/hqc-rmrs-192_avx2.yml b/test/duplicate_consistency/hqc-rmrs-192_avx2.yml index 01ad8699..ab92b812 100644 --- a/test/duplicate_consistency/hqc-rmrs-192_avx2.yml +++ b/test/duplicate_consistency/hqc-rmrs-192_avx2.yml @@ -6,18 +6,19 @@ consistency_checks: - api.h - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h - code.c - fft.c - - reed_solomon.c - source: scheme: hqc-rmrs-256 implementation: clean files: - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h diff --git a/test/duplicate_consistency/hqc-rmrs-192_clean.yml b/test/duplicate_consistency/hqc-rmrs-192_clean.yml index 26a40de5..db7a8c32 100644 --- a/test/duplicate_consistency/hqc-rmrs-192_clean.yml +++ b/test/duplicate_consistency/hqc-rmrs-192_clean.yml @@ -6,12 +6,12 @@ consistency_checks: - api.h - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h - code.c - fft.c - - reed_solomon.c - source: scheme: hqc-rmrs-256 implementation: clean @@ -40,6 +40,7 @@ consistency_checks: files: - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h diff --git a/test/duplicate_consistency/hqc-rmrs-256_avx2.yml b/test/duplicate_consistency/hqc-rmrs-256_avx2.yml index ff1c3f6d..755728eb 100644 --- a/test/duplicate_consistency/hqc-rmrs-256_avx2.yml +++ b/test/duplicate_consistency/hqc-rmrs-256_avx2.yml @@ -6,9 +6,9 @@ consistency_checks: - api.h - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h - code.c - fft.c - - reed_solomon.c diff --git a/test/duplicate_consistency/hqc-rmrs-256_clean.yml b/test/duplicate_consistency/hqc-rmrs-256_clean.yml index 44afbb9d..895ecd4b 100644 --- a/test/duplicate_consistency/hqc-rmrs-256_clean.yml +++ b/test/duplicate_consistency/hqc-rmrs-256_clean.yml @@ -6,9 +6,9 @@ consistency_checks: - api.h - code.h - fft.h + - gf.h - hqc.h - reed_muller.h - reed_solomon.h - code.c - fft.c - - reed_solomon.c