From e568dd09c0661fd545cf44530e534b35beec3319 Mon Sep 17 00:00:00 2001 From: Douglas Stebila Date: Tue, 16 Apr 2019 21:11:36 -0400 Subject: [PATCH] Copy ntru fixes from recent commits --- crypto_kem/ntruhps2048509/clean/sample.c | 8 ++++---- crypto_kem/ntruhps2048677/clean/crypto_sort.c | 2 +- crypto_kem/ntruhps2048677/clean/kem.c | 5 ++--- crypto_kem/ntruhps2048677/clean/sample.c | 10 +++++----- crypto_kem/ntruhps4096821/clean/crypto_sort.c | 2 +- crypto_kem/ntruhps4096821/clean/kem.c | 5 ++--- crypto_kem/ntruhps4096821/clean/sample.c | 10 +++++----- crypto_kem/ntruhrss701/clean/kem.c | 5 ++--- 8 files changed, 22 insertions(+), 25 deletions(-) diff --git a/crypto_kem/ntruhps2048509/clean/sample.c b/crypto_kem/ntruhps2048509/clean/sample.c index 461e15f4..c4fc9709 100644 --- a/crypto_kem/ntruhps2048509/clean/sample.c +++ b/crypto_kem/ntruhps2048509/clean/sample.c @@ -30,10 +30,10 @@ void PQCLEAN_NTRUHPS2048509_CLEAN_sample_fixed_type(poly *r, const unsigned char // Use 30 bits of u per word for (i = 0; i < (NTRU_N - 1) / 4; i++) { - s[4 * i + 0] = (u[15 * i + 0] << 2) + (u[15 * i + 1] << 10) + (u[15 * i + 2] << 18) + ((uint32_t)u[15 * i + 3] << 26); - s[4 * i + 1] = ((u[15 * i + 3] & 0xc0) >> 4) + (u[15 * i + 4] << 4) + (u[15 * i + 5] << 12) + (u[15 * i + 6] << 20) + ((uint32_t)u[15 * i + 7] << 28); - s[4 * i + 2] = ((u[15 * i + 7] & 0xf0) >> 2) + (u[15 * i + 8] << 6) + (u[15 * i + 9] << 14) + (u[15 * i + 10] << 22) + ((uint32_t)u[15 * i + 11] << 30); - s[4 * i + 3] = (u[15 * i + 11] & 0xfc) + (u[15 * i + 12] << 8) + (u[15 * i + 13] << 15) + ((uint32_t)u[15 * i + 14] << 24); + s[4 * i + 0] = (u[15 * i + 0] << 2) + (u[15 * i + 1] << 10) + (u[15 * i + 2] << 18) + ((uint32_t) u[15 * i + 3] << 26); + s[4 * i + 1] = ((u[15 * i + 3] & 0xc0) >> 4) + (u[15 * i + 4] << 4) + (u[15 * i + 5] << 12) + (u[15 * i + 6] << 20) + ((uint32_t) u[15 * i + 7] << 28); + s[4 * i + 2] = ((u[15 * i + 7] & 0xf0) >> 2) + (u[15 * i + 8] << 6) + (u[15 * i + 9] << 14) + (u[15 * i + 10] << 22) + ((uint32_t) u[15 * i + 11] << 30); + s[4 * i + 3] = (u[15 * i + 11] & 0xfc) + (u[15 * i + 12] << 8) + (u[15 * i + 13] << 15) + ((uint32_t) u[15 * i + 14] << 24); } for (i = 0; i < NTRU_WEIGHT / 2; i++) { diff --git a/crypto_kem/ntruhps2048677/clean/crypto_sort.c b/crypto_kem/ntruhps2048677/clean/crypto_sort.c index 7b36fa70..1cb88c95 100644 --- a/crypto_kem/ntruhps2048677/clean/crypto_sort.c +++ b/crypto_kem/ntruhps2048677/clean/crypto_sort.c @@ -8,7 +8,7 @@ #define int32_MINMAX(a,b) \ do { \ int32_t ab = (b) ^ (a); \ - int32_t c = (b) - (a); \ + int32_t c = (int32_t)((int64_t)(b) - (int64_t)(a)); \ c ^= ab & (c ^ (b)); \ c >>= 31; \ c &= ab; \ diff --git a/crypto_kem/ntruhps2048677/clean/kem.c b/crypto_kem/ntruhps2048677/clean/kem.c index 80123ea1..d3ff7a15 100644 --- a/crypto_kem/ntruhps2048677/clean/kem.c +++ b/crypto_kem/ntruhps2048677/clean/kem.c @@ -37,7 +37,6 @@ int PQCLEAN_NTRUHPS2048677_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co int i, fail; uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; - uint8_t *cmp = buf + NTRU_PRFKEYBYTES; fail = PQCLEAN_NTRUHPS2048677_CLEAN_owcpa_dec(rm, c, sk); /* If fail = 0 then c = Enc(h, rm), there is no need to re-encapsulate. */ @@ -50,9 +49,9 @@ int PQCLEAN_NTRUHPS2048677_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co buf[i] = sk[i + NTRU_OWCPA_SECRETKEYBYTES]; } for (i = 0; i < NTRU_CIPHERTEXTBYTES; i++) { - cmp[i] = c[i]; + buf[NTRU_PRFKEYBYTES + i] = c[i]; } - sha3_256(rm, cmp, NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES); + sha3_256(rm, buf, NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES); PQCLEAN_NTRUHPS2048677_CLEAN_cmov(k, rm, NTRU_SHAREDKEYBYTES, (unsigned char) fail); diff --git a/crypto_kem/ntruhps2048677/clean/sample.c b/crypto_kem/ntruhps2048677/clean/sample.c index a462b214..7cc893ad 100644 --- a/crypto_kem/ntruhps2048677/clean/sample.c +++ b/crypto_kem/ntruhps2048677/clean/sample.c @@ -25,15 +25,15 @@ void PQCLEAN_NTRUHPS2048677_CLEAN_sample_iid(poly *r, const unsigned char unifor void PQCLEAN_NTRUHPS2048677_CLEAN_sample_fixed_type(poly *r, const unsigned char u[NTRU_SAMPLE_FT_BYTES]) { // Assumes NTRU_SAMPLE_FT_BYTES = ceil(30*(n-1)/8) - int32_t s[NTRU_N - 1]; + uint32_t s[NTRU_N - 1]; int i; // Use 30 bits of u per word for (i = 0; i < (NTRU_N - 1) / 4; i++) { - s[4 * i + 0] = (u[15 * i + 0] << 2) + (u[15 * i + 1] << 10) + (u[15 * i + 2] << 18) + (u[15 * i + 3] << 26); - s[4 * i + 1] = ((u[15 * i + 3] & 0xc0) >> 4) + (u[15 * i + 4] << 4) + (u[15 * i + 5] << 12) + (u[15 * i + 6] << 20) + (u[15 * i + 7] << 28); - s[4 * i + 2] = ((u[15 * i + 7] & 0xf0) >> 2) + (u[15 * i + 8] << 6) + (u[15 * i + 9] << 14) + (u[15 * i + 10] << 22) + (u[15 * i + 11] << 30); - s[4 * i + 3] = (u[15 * i + 11] & 0xfc) + (u[15 * i + 12] << 8) + (u[15 * i + 13] << 15) + (u[15 * i + 14] << 24); + s[4 * i + 0] = (u[15 * i + 0] << 2) + (u[15 * i + 1] << 10) + (u[15 * i + 2] << 18) + ((uint32_t) u[15 * i + 3] << 26); + s[4 * i + 1] = ((u[15 * i + 3] & 0xc0) >> 4) + (u[15 * i + 4] << 4) + (u[15 * i + 5] << 12) + (u[15 * i + 6] << 20) + ((uint32_t) u[15 * i + 7] << 28); + s[4 * i + 2] = ((u[15 * i + 7] & 0xf0) >> 2) + (u[15 * i + 8] << 6) + (u[15 * i + 9] << 14) + (u[15 * i + 10] << 22) + ((uint32_t) u[15 * i + 11] << 30); + s[4 * i + 3] = (u[15 * i + 11] & 0xfc) + (u[15 * i + 12] << 8) + (u[15 * i + 13] << 15) + ((uint32_t) u[15 * i + 14] << 24); } for (i = 0; i < NTRU_WEIGHT / 2; i++) { diff --git a/crypto_kem/ntruhps4096821/clean/crypto_sort.c b/crypto_kem/ntruhps4096821/clean/crypto_sort.c index 2add05c2..5df65a79 100644 --- a/crypto_kem/ntruhps4096821/clean/crypto_sort.c +++ b/crypto_kem/ntruhps4096821/clean/crypto_sort.c @@ -8,7 +8,7 @@ #define int32_MINMAX(a,b) \ do { \ int32_t ab = (b) ^ (a); \ - int32_t c = (b) - (a); \ + int32_t c = (int32_t)((int64_t)(b) - (int64_t)(a)); \ c ^= ab & (c ^ (b)); \ c >>= 31; \ c &= ab; \ diff --git a/crypto_kem/ntruhps4096821/clean/kem.c b/crypto_kem/ntruhps4096821/clean/kem.c index 32ddc94b..b1f0941c 100644 --- a/crypto_kem/ntruhps4096821/clean/kem.c +++ b/crypto_kem/ntruhps4096821/clean/kem.c @@ -37,7 +37,6 @@ int PQCLEAN_NTRUHPS4096821_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co int i, fail; uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; - uint8_t *cmp = buf + NTRU_PRFKEYBYTES; fail = PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(rm, c, sk); /* If fail = 0 then c = Enc(h, rm), there is no need to re-encapsulate. */ @@ -50,9 +49,9 @@ int PQCLEAN_NTRUHPS4096821_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, co buf[i] = sk[i + NTRU_OWCPA_SECRETKEYBYTES]; } for (i = 0; i < NTRU_CIPHERTEXTBYTES; i++) { - cmp[i] = c[i]; + buf[NTRU_PRFKEYBYTES + i] = c[i]; } - sha3_256(rm, cmp, NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES); + sha3_256(rm, buf, NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES); PQCLEAN_NTRUHPS4096821_CLEAN_cmov(k, rm, NTRU_SHAREDKEYBYTES, (unsigned char) fail); diff --git a/crypto_kem/ntruhps4096821/clean/sample.c b/crypto_kem/ntruhps4096821/clean/sample.c index 1140be46..f0409663 100644 --- a/crypto_kem/ntruhps4096821/clean/sample.c +++ b/crypto_kem/ntruhps4096821/clean/sample.c @@ -25,15 +25,15 @@ void PQCLEAN_NTRUHPS4096821_CLEAN_sample_iid(poly *r, const unsigned char unifor void PQCLEAN_NTRUHPS4096821_CLEAN_sample_fixed_type(poly *r, const unsigned char u[NTRU_SAMPLE_FT_BYTES]) { // Assumes NTRU_SAMPLE_FT_BYTES = ceil(30*(n-1)/8) - int32_t s[NTRU_N - 1]; + uint32_t s[NTRU_N - 1]; int i; // Use 30 bits of u per word for (i = 0; i < (NTRU_N - 1) / 4; i++) { - s[4 * i + 0] = (u[15 * i + 0] << 2) + (u[15 * i + 1] << 10) + (u[15 * i + 2] << 18) + (u[15 * i + 3] << 26); - s[4 * i + 1] = ((u[15 * i + 3] & 0xc0) >> 4) + (u[15 * i + 4] << 4) + (u[15 * i + 5] << 12) + (u[15 * i + 6] << 20) + (u[15 * i + 7] << 28); - s[4 * i + 2] = ((u[15 * i + 7] & 0xf0) >> 2) + (u[15 * i + 8] << 6) + (u[15 * i + 9] << 14) + (u[15 * i + 10] << 22) + (u[15 * i + 11] << 30); - s[4 * i + 3] = (u[15 * i + 11] & 0xfc) + (u[15 * i + 12] << 8) + (u[15 * i + 13] << 15) + (u[15 * i + 14] << 24); + s[4 * i + 0] = (u[15 * i + 0] << 2) + (u[15 * i + 1] << 10) + (u[15 * i + 2] << 18) + ((uint32_t) u[15 * i + 3] << 26); + s[4 * i + 1] = ((u[15 * i + 3] & 0xc0) >> 4) + (u[15 * i + 4] << 4) + (u[15 * i + 5] << 12) + (u[15 * i + 6] << 20) + ((uint32_t) u[15 * i + 7] << 28); + s[4 * i + 2] = ((u[15 * i + 7] & 0xf0) >> 2) + (u[15 * i + 8] << 6) + (u[15 * i + 9] << 14) + (u[15 * i + 10] << 22) + ((uint32_t) u[15 * i + 11] << 30); + s[4 * i + 3] = (u[15 * i + 11] & 0xfc) + (u[15 * i + 12] << 8) + (u[15 * i + 13] << 15) + ((uint32_t) u[15 * i + 14] << 24); } for (i = 0; i < NTRU_WEIGHT / 2; i++) { diff --git a/crypto_kem/ntruhrss701/clean/kem.c b/crypto_kem/ntruhrss701/clean/kem.c index 8ca6f691..8adc31aa 100644 --- a/crypto_kem/ntruhrss701/clean/kem.c +++ b/crypto_kem/ntruhrss701/clean/kem.c @@ -37,7 +37,6 @@ int PQCLEAN_NTRUHRSS701_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, const int i, fail; uint8_t rm[NTRU_OWCPA_MSGBYTES]; uint8_t buf[NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES]; - uint8_t *cmp = buf + NTRU_PRFKEYBYTES; fail = PQCLEAN_NTRUHRSS701_CLEAN_owcpa_dec(rm, c, sk); /* If fail = 0 then c = Enc(h, rm), there is no need to re-encapsulate. */ @@ -50,9 +49,9 @@ int PQCLEAN_NTRUHRSS701_CLEAN_crypto_kem_dec(uint8_t *k, const uint8_t *c, const buf[i] = sk[i + NTRU_OWCPA_SECRETKEYBYTES]; } for (i = 0; i < NTRU_CIPHERTEXTBYTES; i++) { - cmp[i] = c[i]; + buf[NTRU_PRFKEYBYTES + i] = c[i]; } - sha3_256(rm, cmp, NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES); + sha3_256(rm, buf, NTRU_PRFKEYBYTES + NTRU_CIPHERTEXTBYTES); PQCLEAN_NTRUHRSS701_CLEAN_cmov(k, rm, NTRU_SHAREDKEYBYTES, (unsigned char) fail);