From 1fc2f51f8240b5d61d614ea14c713ce2eb321662 Mon Sep 17 00:00:00 2001 From: Leon Botros Date: Thu, 22 Aug 2019 12:59:04 +0200 Subject: [PATCH] fix clang-tidy warnings, replace variable-time schoolbook multiplications --- crypto_kem/ledakemlt12/leaktime/dfr_test.c | 6 +- crypto_kem/ledakemlt12/leaktime/gf2x_arith.c | 61 ++++++++----------- .../leaktime/gf2x_arith_mod_xPplusOne.c | 52 +++++++++------- .../leaktime/gf2x_arith_mod_xPplusOne.h | 4 +- crypto_kem/ledakemlt32/leaktime/dfr_test.c | 6 +- crypto_kem/ledakemlt32/leaktime/gf2x_arith.c | 61 ++++++++----------- .../leaktime/gf2x_arith_mod_xPplusOne.c | 53 +++++++++------- .../leaktime/gf2x_arith_mod_xPplusOne.h | 6 +- crypto_kem/ledakemlt52/leaktime/dfr_test.c | 6 +- crypto_kem/ledakemlt52/leaktime/gf2x_arith.c | 61 ++++++++----------- .../leaktime/gf2x_arith_mod_xPplusOne.c | 53 +++++++++------- .../leaktime/gf2x_arith_mod_xPplusOne.h | 6 +- 12 files changed, 184 insertions(+), 191 deletions(-) diff --git a/crypto_kem/ledakemlt12/leaktime/dfr_test.c b/crypto_kem/ledakemlt12/leaktime/dfr_test.c index 86f74bd2..ff704be9 100644 --- a/crypto_kem/ledakemlt12/leaktime/dfr_test.c +++ b/crypto_kem/ledakemlt12/leaktime/dfr_test.c @@ -10,9 +10,9 @@ int PQCLEAN_LEDAKEMLT12_LEAKTIME_DFR_test(POSITION_T LSparse[N0][DV * M], uint8_t *secondIterThreshold) { POSITION_T LSparse_loc[N0][DV * M]; /* vector of N_0 sparse blocks */ - int gamma[N0][N0][P] = {{{0}}}; - int maxMut[N0], maxMutMinusOne[N0]; - int allBlockMaxSumst, allBlockMaxSumstMinusOne; + unsigned int gamma[N0][N0][P] = {{{0}}}; + unsigned int maxMut[N0], maxMutMinusOne[N0]; + unsigned int allBlockMaxSumst, allBlockMaxSumstMinusOne; unsigned int gammaHist[N0][DV * M + 1] = {{0}}; for (int i = 0; i < N0; i++) { diff --git a/crypto_kem/ledakemlt12/leaktime/gf2x_arith.c b/crypto_kem/ledakemlt12/leaktime/gf2x_arith.c index 00e17e7e..bf681303 100644 --- a/crypto_kem/ledakemlt12/leaktime/gf2x_arith.c +++ b/crypto_kem/ledakemlt12/leaktime/gf2x_arith.c 
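Review bot: Changing `maxMut`, `maxMutMinusOne`, `allBlockMaxSumst` and `allBlockMaxSumstMinusOne` from int to unsigned int alters every subtraction and mixed signed/unsigned comparison further down in DFR_test, and the rest of that function is outside this hunk; the name `maxMutMinusOne` in particular suggests a `maxMut - 1`, which now wraps to UINT_MAX whenever maxMut is 0. Confirm those uses before relying on the new types, and pin the invariant on the declaration, e.g. `/* unsigned: these are counts of set positions and are never negative; any "-1" below assumes the count is >= 1 */`. Unrelated to the change but visible here: `unsigned int gamma[N0][N0][P]` is a stack array of N0*N0*P words, which for P values in the 10^5 range (see the constants removed from the headers later in this patch) is several megabytes — worth a note, or a static buffer, if this ever runs on a constrained stack.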
@@ -25,7 +25,7 @@ void PQCLEAN_LEDAKEMLT12_LEAKTIME_right_bit_shift_n(int length, DIGIT in[], unsi
 unsigned int j;
 DIGIT mask;
 mask = ((DIGIT)0x01 << amount) - 1;
- for (j = length - 1; j > 0 ; j--) {
+ for (j = length - 1; j > 0; j--) {
 in[j] >>= amount;
 in[j] |= (in[j - 1] & mask) << (DIGIT_SIZE_b - amount);
 }
@@ -40,44 +40,35 @@ void PQCLEAN_LEDAKEMLT12_LEAKTIME_left_bit_shift_n(int length, DIGIT in[], unsig
 int j;
 DIGIT mask;
 mask = ~(((DIGIT)0x01 << (DIGIT_SIZE_b - amount)) - 1);
- for (j = 0 ; j < length - 1 ; j++) {
+ for (j = 0 ; j < length - 1; j++) {
 in[j] <<= amount;
 in[j] |= (in[j + 1] & mask) >> (DIGIT_SIZE_b - amount);
 }
 in[j] <<= amount;
 }
-static void gf2x_mul_comb(int nr, DIGIT Res[],
- int na, const DIGIT A[],
- int nb, const DIGIT B[]) {
- int i, j, k;
- DIGIT u, h;
+static void gf2x_mul1(DIGIT *R, const DIGIT A, const DIGIT B) {
+ DIGIT tmp;
- memset(Res, 0x00, nr * sizeof(DIGIT));
-
- for (k = DIGIT_SIZE_b - 1; k > 0; k--) {
- for (i = na - 1; i >= 0; i--) {
- if ( A[i] & (((DIGIT)0x1) << k) ) {
- for (j = nb - 1; j >= 0; j--) {
- Res[i + j + 1] ^= B[j];
- }
- }
- }
-
- u = Res[na + nb - 1];
- Res[na + nb - 1] = u << 0x1;
- for (j = 1; j < na + nb; ++j) {
- h = u >> (DIGIT_SIZE_b - 1);
- u = Res[na + nb - 1 - j];
- Res[na + nb - 1 - j] = h ^ (u << 0x1);
- }
+ R[0] = 0;
+ R[1] = (A & 1) * B;
+ for (unsigned i = 1; i < DIGIT_SIZE_b; i++) {
+ tmp = ((A >> i) & 1) * B;
+ R[1] ^= tmp << i;
+ R[0] ^= tmp >> (DIGIT_SIZE_b - i);
 }
- for (i = na - 1; i >= 0; i--) {
- if ( A[i] & ((DIGIT)0x1) ) {
- for (j = nb - 1; j >= 0; j--) {
- Res[i + j + 1] ^= B[j];
- }
+}
+
+static void gf2x_mul_n(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) {
+ DIGIT tmp[2];
+
+ memset(R, 0x00, 2 * n * sizeof(DIGIT));
+ for (size_t i = 0; i < n; i++) {
+ for (size_t j = 0; j < n; j++) {
+ gf2x_mul1(tmp, A[i], B[j]);
+ R[i + j] ^= tmp[0];
+ R[i + j + 1] ^= tmp[1];
 }
 }
 }
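Review bot: `tmp = ((A >> i) & 1) * B;` in gf2x_mul1 (and `R[1] = (A & 1) * B;` above it) selects B with an integer multiply by a 0/1 bit; that removes the data-dependent `if (A[i] & bit)` of the old comb, but a multiply is not guaranteed constant-time on every target (several small ARM cores have operand-dependent multiply latency) and a compiler is free to lower `bit * B` back into a conditional select or branch. The idiomatic constant-time form is an all-ones/all-zeros mask: `DIGIT m = (DIGIT)0 - ((A >> i) & 1); tmp = m & B;` and `R[1] = ((DIGIT)0 - (A & 1)) & B;`. The new helpers also lack any header comment; I would add `/* R[0] = high digit, R[1] = low digit of the carry-less product A*B (most-significant digit first, matching the shift helpers above) */` on gf2x_mul1, and `/* schoolbook product of two n-digit operands into the 2n-digit R; n must be equal for both inputs */` on gf2x_mul_n, since the old comb accepted na != nb and this one does not.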
@@ -96,8 +87,8 @@ static void gf2x_cpy(DIGIT *R, const DIGIT *A, size_t len) {
 * first operand must be the bigger one.
 * aligns last array elements */
 static inline void gf2x_add_asymm(DIGIT *R,
- int na, const DIGIT *A,
- int nb, const DIGIT *B) {
+ size_t na, const DIGIT *A,
+ size_t nb, const DIGIT *B) {
 size_t delta = na - nb;
 gf2x_cpy(R, A, delta);
 PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(R + delta, A + delta, B, nb);;
@@ -105,8 +96,8 @@ static inline void gf2x_add_asymm(DIGIT *R,
 /* aligns first array elements */
 static inline void gf2x_add_asymm2(DIGIT *R,
- int na, const DIGIT *A,
- int nb, const DIGIT *B) {
+ size_t na, const DIGIT *A,
+ size_t nb, const DIGIT *B) {
 size_t delta = na - nb;
 PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_add(R, A, B, nb);
 gf2x_cpy(R + nb, A + nb, delta);
@@ -121,7 +112,7 @@ static void gf2x_mul_kar(DIGIT *R,
 DIGIT *stack) {
 if (n < MIN_KAR_DIGITS) {
- gf2x_mul_comb(2 * n, R, n, A, n, B);
+ gf2x_mul_n(R, A, B, n);
 return;
 }
diff --git a/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.c b/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.c
index aa69c704..c88a6236 100644
--- a/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.c
+++ b/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.c
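Review bot: With `na` and `nb` now size_t, `size_t delta = na - nb;` in gf2x_add_asymm and gf2x_add_asymm2 wraps to a value near SIZE_MAX when nb > na, and the following gf2x_cpy then copies far past both buffers; the old int parameters produced the same conversion, so this is not a regression, but the comment "first operand must be the bigger one" is now the only guard and there is no longer a negative value to spot in a debugger. Either add an explicit precondition check before the subtraction or at least move that comment next to it, e.g. `size_t delta = na - nb; /* requires na >= nb, see header comment */`. Cosmetic but in scope for a clang-tidy pass: the `...gf2x_add(R + delta, A + delta, B, nb);;` line keeps a stray second semicolon. The gf2x_mul_kar body continues outside the hunk, so I cannot confirm that every caller of the new gf2x_mul_n fallback passes equal-length operands as it now requires.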
@@ -294,15 +294,17 @@ void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place_sparse(int sizeA, POSI } -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(int sizeR, POSITION_T Res[], - int sizeA, const POSITION_T A[], - int sizeB, const POSITION_T B[]) { +void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], + size_t sizeA, const POSITION_T A[], + size_t sizeB, const POSITION_T B[]) { + + POSITION_T prod; /* compute all the coefficients, filling invalid positions with P*/ - int lastFilledPos = 0; - for (int i = 0 ; i < sizeA ; i++) { - for (int j = 0 ; j < sizeB ; j++) { - uint32_t prod = ((uint32_t) A[i]) + ((uint32_t) B[j]); + size_t lastFilledPos = 0; + for (size_t i = 0 ; i < sizeA ; i++) { + for (size_t j = 0 ; j < sizeB ; j++) { + prod = A[i] + B[j]; prod = ( (prod >= P) ? prod - P : prod); if ((A[i] != INVALID_POS_VALUE) && (B[j] != INVALID_POS_VALUE)) { @@ -320,9 +322,9 @@ void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(int sizeR, POSITION_T Res[ PQCLEAN_LEDAKEMLT12_LEAKTIME_uint32_sort(Res, sizeR); /* eliminate duplicates */ POSITION_T lastReadPos = Res[0]; - int duplicateCount; - int write_idx = 0; - int read_idx = 0; + size_t duplicateCount; + size_t write_idx = 0; + size_t read_idx = 0; while (read_idx < sizeR && Res[read_idx] != INVALID_POS_VALUE) { lastReadPos = Res[read_idx]; read_idx++; 
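Review bot: `prod = A[i] + B[j];` is now computed in POSITION_T before the INVALID_POS_VALUE check on the next lines, so whenever either entry is the sentinel the addition wraps first and the result is discarded; unsigned wrap is defined, but the old code's explicit uint32_t casts made the width of that addition obvious and the new line depends on POSITION_T never being narrower than 32 bits. Move the validity test ahead of the addition and document the invariant that makes the single conditional subtraction a correct reduction: `/* valid entries satisfy A[i], B[j] < P, so one subtraction reduces the sum mod P */`. The `prod >= P ? prod - P : prod` branch is position-dependent, which is acceptable in this leaktime variant but deserves a comment so the pattern is not copied into a constant-time build. The function body continues past this hunk.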
@@ -446,16 +448,15 @@ void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_on void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], AES_XOF_struct *seed_expander_ctx) { - int rndPos[NUM_ERRORS_T], duplicated, counter = 0; - int p, polyIndex, exponent; + size_t polyIndex, duplicated, counter = 0; + POSITION_T p, exponent, rndPos[NUM_ERRORS_T]; memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); while (counter < NUM_ERRORS_T) { - p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, - seed_expander_ctx); + p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); duplicated = 0; - for (int j = 0; j < counter; j++) { + for (size_t j = 0; j < counter; j++) { if (rndPos[j] == p) { duplicated = 1; } @@ -465,7 +466,7 @@ void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[ counter++; } } - for (int j = 0; j < counter; j++) { + for (size_t j = 0; j < counter; j++) { polyIndex = rndPos[j] / P; exponent = rndPos[j] % P; PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, @@ -478,14 +479,17 @@ void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[ void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], AES_XOF_struct *seed_expander_ctx) { - int duplicated, counter = 0; + int duplicated; + size_t counter = 0; while (counter < NUM_ERRORS_T) { - uint32_t p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); + POSITION_T p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); duplicated = 0; - for (int j = 0; j < counter; j++) if (errorPos[j] == p) { + for (size_t j = 0; j < counter; j++) { + if (errorPos[j] == p) { duplicated = 1; } + } if (duplicated == 0) { errorPos[counter] = p; counter++; 
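Review bot: `duplicated` is declared size_t in rand_circulant_blocks_sequence but left int in rand_error_pos a few lines below, although both are plain 0/1 flags; pick one type (int, or bool if the file already includes stdbool.h) for both. The return type of rand_range is not visible here, and `p` changed from int to POSITION_T: if rand_range can return a negative or out-of-range value, it now converts silently to a large unsigned position and `rndPos[j] / P` selects a block past the end of `sequence`. Confirm that rand_range never returns a value outside [0, N0 * NUM_BITS_GF2X_ELEMENT), or add a guard such as `if (p >= N0 * NUM_BITS_GF2X_ELEMENT) { continue; }` before the duplicate scan. The rand_error_pos body ends outside the hunk.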
@@ -494,13 +498,15 @@ void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_ } void PQCLEAN_LEDAKEMLT12_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - POSITION_T errorPos[NUM_ERRORS_T]) { + const POSITION_T errorPos[NUM_ERRORS_T]) { + + size_t polyIndex; + POSITION_T exponent; memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - for (int j = 0; j < NUM_ERRORS_T; j++) { - int polyIndex = errorPos[j] / P; - int exponent = errorPos[j] % P; + polyIndex = errorPos[j] / P; + exponent = errorPos[j] % P; PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, ( (DIGIT) 1)); } diff --git a/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.h b/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.h index ced3ccf9..c4c6d9ae 100644 --- a/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.h +++ b/crypto_kem/ledakemlt12/leaktime/gf2x_arith_mod_xPplusOne.h 
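Review bot: expand_error now takes `const POSITION_T errorPos[]` but still has no statement of its precondition: `polyIndex = errorPos[j] / P` selects a block within `sequence`, which holds N0 * NUM_DIGITS_GF2X_ELEMENT digits, so any errorPos[j] >= N0 * P makes gf2x_set_coeff write outside the buffer. I would add a header comment: `/* Expands a sparse error vector into N0 dense P-bit blocks. Requires errorPos[j] < N0 * P for every j (as produced by rand_error_pos); positions outside that range index past sequence. */`. Whether a range check is also warranted depends on callers I cannot see here — if any decapsulation path feeds decoded rather than freshly sampled positions, a bounds check before the loop is cheap insurance.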
@@ -26,11 +26,11 @@ void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place(DIGIT A[]); void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_ones, int countOnes, AES_XOF_struct *seed_expander_ctx); void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_circulant_blocks_sequence(DIGIT *sequence, AES_XOF_struct *seed_expander_ctx); void PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], AES_XOF_struct *seed_expander_ctx); -void PQCLEAN_LEDAKEMLT12_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], POSITION_T errorPos[NUM_ERRORS_T]); +void PQCLEAN_LEDAKEMLT12_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], const POSITION_T errorPos[NUM_ERRORS_T]); void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(int sizeR, POSITION_T Res[], int sizeA, const POSITION_T A[], int sizeB, const POSITION_T B[]); void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place_sparse(int sizeA, POSITION_T A[]); int PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]); -void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(int sizeR, POSITION_T Res[], int sizeA, const POSITION_T A[], int sizeB, const POSITION_T B[]); +void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]); void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_dense_to_sparse(DIGIT Res[], const DIGIT dense[], POSITION_T sparse[], unsigned int nPos); void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_tobytes(uint8_t *bytes, const DIGIT *poly); void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_frombytes(DIGIT *poly, const uint8_t *poly_bytes); diff --git a/crypto_kem/ledakemlt32/leaktime/dfr_test.c b/crypto_kem/ledakemlt32/leaktime/dfr_test.c index cfda84ea..e4403260 100644 --- a/crypto_kem/ledakemlt32/leaktime/dfr_test.c +++ b/crypto_kem/ledakemlt32/leaktime/dfr_test.c 
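Review bot: The prototypes now mix size_t and int for the same sparse-vector sizes: gf2x_mod_mul_sparse takes size_t, while gf2x_mod_add_sparse, gf2x_transpose_in_place_sparse and rand_circulant_sparse_block on the adjacent lines keep int. Callers that pass one function's size to another will get exactly the sign-conversion warnings this commit is trying to remove, and a negative int silently becomes a huge size_t. Convert the remaining sparse-size parameters in the same change, e.g. `void PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]);`, together with their definitions.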
@@ -10,9 +10,9 @@ int PQCLEAN_LEDAKEMLT32_LEAKTIME_DFR_test(POSITION_T LSparse[N0][DV * M], uint8_t *secondIterThreshold) { POSITION_T LSparse_loc[N0][DV * M]; /* vector of N_0 sparse blocks */ - int gamma[N0][N0][P] = {{{0}}}; - int maxMut[N0], maxMutMinusOne[N0]; - int allBlockMaxSumst, allBlockMaxSumstMinusOne; + unsigned int gamma[N0][N0][P] = {{{0}}}; + unsigned int maxMut[N0], maxMutMinusOne[N0]; + unsigned int allBlockMaxSumst, allBlockMaxSumstMinusOne; unsigned int gammaHist[N0][DV * M + 1] = {{0}}; for (int i = 0; i < N0; i++) { diff --git a/crypto_kem/ledakemlt32/leaktime/gf2x_arith.c b/crypto_kem/ledakemlt32/leaktime/gf2x_arith.c index 675868a9..dc82f164 100644 --- a/crypto_kem/ledakemlt32/leaktime/gf2x_arith.c +++ b/crypto_kem/ledakemlt32/leaktime/gf2x_arith.c @@ -25,7 +25,7 @@ void PQCLEAN_LEDAKEMLT32_LEAKTIME_right_bit_shift_n(int length, DIGIT in[], unsi unsigned int j; DIGIT mask; mask = ((DIGIT)0x01 << amount) - 1; - for (j = length - 1; j > 0 ; j--) { + for (j = length - 1; j > 0; j--) { in[j] >>= amount; in[j] |= (in[j - 1] & mask) << (DIGIT_SIZE_b - amount); } 
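Review bot: Same concern as in the lt12 copy of dfr_test.c: making `maxMut`, `maxMutMinusOne` and the two `allBlockMaxSumst*` counters unsigned changes any subtraction or mixed comparison later in DFR_test, which is outside this hunk, and `maxMutMinusOne` hints at a `maxMut - 1` that wraps if maxMut can be 0. Record the invariant at the declaration, e.g. `/* unsigned counts; any "-1" below assumes the count is >= 1 */`, and confirm the uses. `unsigned int gamma[N0][N0][P]` with P = 96221 (per the constant removed from the header later in this patch) is a multi-megabyte stack array even for N0 = 2 — pre-existing, but worth flagging.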
@@ -40,44 +40,35 @@ void PQCLEAN_LEDAKEMLT32_LEAKTIME_left_bit_shift_n(int length, DIGIT in[], unsig int j; DIGIT mask; mask = ~(((DIGIT)0x01 << (DIGIT_SIZE_b - amount)) - 1); - for (j = 0 ; j < length - 1 ; j++) { + for (j = 0 ; j < length - 1; j++) { in[j] <<= amount; in[j] |= (in[j + 1] & mask) >> (DIGIT_SIZE_b - amount); } in[j] <<= amount; } -static void gf2x_mul_comb(int nr, DIGIT Res[], - int na, const DIGIT A[], - int nb, const DIGIT B[]) { - int i, j, k; - DIGIT u, h; +static void gf2x_mul1(DIGIT *R, const DIGIT A, const DIGIT B) { + DIGIT tmp; - memset(Res, 0x00, nr * sizeof(DIGIT)); - - for (k = DIGIT_SIZE_b - 1; k > 0; k--) { - for (i = na - 1; i >= 0; i--) { - if ( A[i] & (((DIGIT)0x1) << k) ) { - for (j = nb - 1; j >= 0; j--) { - Res[i + j + 1] ^= B[j]; - } - } - } - - u = Res[na + nb - 1]; - Res[na + nb - 1] = u << 0x1; - for (j = 1; j < na + nb; ++j) { - h = u >> (DIGIT_SIZE_b - 1); - u = Res[na + nb - 1 - j]; - Res[na + nb - 1 - j] = h ^ (u << 0x1); - } + R[0] = 0; + R[1] = (A & 1) * B; + for (unsigned i = 1; i < DIGIT_SIZE_b; i++) { + tmp = ((A >> i) & 1) * B; + R[1] ^= tmp << i; + R[0] ^= tmp >> (DIGIT_SIZE_b - i); } - for (i = na - 1; i >= 0; i--) { - if ( A[i] & ((DIGIT)0x1) ) { - for (j = nb - 1; j >= 0; j--) { - Res[i + j + 1] ^= B[j]; - } +} + +static void gf2x_mul_n(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) { + DIGIT tmp[2]; + + memset(R, 0x00, 2 * n * sizeof(DIGIT)); + for (size_t i = 0; i < n; i++) { + for (size_t j = 0; j < n; j++) { + gf2x_mul1(tmp, A[i], B[j]); + R[i + j] ^= tmp[0]; + R[i + j + 1] ^= tmp[1]; } } } 
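Review bot: As in the lt12 copy, `tmp = ((A >> i) & 1) * B;` and `R[1] = (A & 1) * B;` in gf2x_mul1 rely on a 0/1 multiply to select B, which is not guaranteed constant-time on every core and may be lowered back to a select or branch by the compiler. Prefer an explicit mask: `DIGIT m = (DIGIT)0 - ((A >> i) & 1); tmp = m & B;`. Both new helpers also need a one-line contract comment; in particular that `R[0]` is the high digit and `R[1]` the low digit, and that gf2x_mul_n, unlike the removed comb, requires equal-length operands.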
@@ -96,8 +87,8 @@ static void gf2x_cpy(DIGIT *R, const DIGIT *A, size_t len) { * first operand must be the bigger one. * aligns last array elements */ static inline void gf2x_add_asymm(DIGIT *R, - int na, const DIGIT *A, - int nb, const DIGIT *B) { + size_t na, const DIGIT *A, + size_t nb, const DIGIT *B) { size_t delta = na - nb; gf2x_cpy(R, A, delta); PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_add(R + delta, A + delta, B, nb);; @@ -105,8 +96,8 @@ static inline void gf2x_add_asymm(DIGIT *R, /* aligns first array elements */ static inline void gf2x_add_asymm2(DIGIT *R, - int na, const DIGIT *A, - int nb, const DIGIT *B) { + size_t na, const DIGIT *A, + size_t nb, const DIGIT *B) { size_t delta = na - nb; PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_add(R, A, B, nb); gf2x_cpy(R + nb, A + nb, delta); @@ -121,7 +112,7 @@ static void gf2x_mul_kar(DIGIT *R, DIGIT *stack) { if (n < MIN_KAR_DIGITS) { - gf2x_mul_comb(2 * n, R, n, A, n, B); + gf2x_mul_n(R, A, B, n); return; } diff --git a/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.c b/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.c index e7fe310c..2502cb0d 100644 --- a/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.c +++ b/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.c @@ -84,6 +84,7 @@ static void right_bit_shift(unsigned int length, DIGIT in[]) { in[j] >>= 1; } + /* shifts by whole digits */ static void left_DIGIT_shift_n(unsigned int length, DIGIT in[], unsigned int amount) { unsigned int j; 
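Review bot: `size_t delta = na - nb;` in both gf2x_add_asymm variants wraps when nb > na now that the parameters are size_t, and the subsequent gf2x_cpy then runs past both buffers; the old int version had the same failure mode, so this is a documentation gap rather than a regression — move the "first operand must be the bigger one" requirement next to the subtraction or check it explicitly. The stray `;;` after the gf2x_add call in gf2x_add_asymm should go in a clang-tidy pass. The gf2x_mul_kar body continues outside the hunk.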
@@ -291,15 +292,17 @@ void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place_sparse(int sizeA, POSI } -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(int sizeR, POSITION_T Res[], - int sizeA, const POSITION_T A[], - int sizeB, const POSITION_T B[]) { +void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], + size_t sizeA, const POSITION_T A[], + size_t sizeB, const POSITION_T B[]) { + + POSITION_T prod; /* compute all the coefficients, filling invalid positions with P*/ - int lastFilledPos = 0; - for (int i = 0 ; i < sizeA ; i++) { - for (int j = 0 ; j < sizeB ; j++) { - uint32_t prod = ((uint32_t) A[i]) + ((uint32_t) B[j]); + size_t lastFilledPos = 0; + for (size_t i = 0 ; i < sizeA ; i++) { + for (size_t j = 0 ; j < sizeB ; j++) { + prod = A[i] + B[j]; prod = ( (prod >= P) ? prod - P : prod); if ((A[i] != INVALID_POS_VALUE) && (B[j] != INVALID_POS_VALUE)) { @@ -317,9 +320,9 @@ void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(int sizeR, POSITION_T Res[ PQCLEAN_LEDAKEMLT32_LEAKTIME_uint32_sort(Res, sizeR); /* eliminate duplicates */ POSITION_T lastReadPos = Res[0]; - int duplicateCount; - int write_idx = 0; - int read_idx = 0; + size_t duplicateCount; + size_t write_idx = 0; + size_t read_idx = 0; while (read_idx < sizeR && Res[read_idx] != INVALID_POS_VALUE) { lastReadPos = Res[read_idx]; read_idx++; 
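Review bot: In gf2x_mod_mul_sparse `prod = A[i] + B[j];` is evaluated before the INVALID_POS_VALUE test that follows, so sentinel entries are added (and wrap) for nothing, and the dropped uint32_t casts make the addition width depend on POSITION_T. Guard the addition with the validity check and state the invariant that justifies the single conditional subtraction: `/* valid entries are < P, so one subtraction reduces the sum mod P */`. The function continues past the hunk.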
@@ -443,16 +446,15 @@ void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_on void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], AES_XOF_struct *seed_expander_ctx) { - int rndPos[NUM_ERRORS_T], duplicated, counter = 0; - int p, polyIndex, exponent; + size_t polyIndex, duplicated, counter = 0; + POSITION_T p, exponent, rndPos[NUM_ERRORS_T]; memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); while (counter < NUM_ERRORS_T) { - p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, - seed_expander_ctx); + p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); duplicated = 0; - for (int j = 0; j < counter; j++) { + for (size_t j = 0; j < counter; j++) { if (rndPos[j] == p) { duplicated = 1; } @@ -462,7 +464,7 @@ void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[ counter++; } } - for (int j = 0; j < counter; j++) { + for (size_t j = 0; j < counter; j++) { polyIndex = rndPos[j] / P; exponent = rndPos[j] % P; PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, @@ -475,14 +477,17 @@ void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[ void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], AES_XOF_struct *seed_expander_ctx) { - int duplicated, counter = 0; + int duplicated; + size_t counter = 0; while (counter < NUM_ERRORS_T) { - uint32_t p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); + POSITION_T p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); duplicated = 0; - for (int j = 0; j < counter; j++) if (errorPos[j] == p) { + for (size_t j = 0; j < counter; j++) { + if (errorPos[j] == p) { duplicated = 1; } + } if (duplicated == 0) { errorPos[counter] = p; counter++; 
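Review bot: `duplicated` is size_t in rand_circulant_blocks_sequence but int in rand_error_pos below, for the same 0/1 flag; use one type. Because `p` is now the unsigned POSITION_T, a negative or out-of-range return from rand_range (whose signature is not visible here) would convert to a large position and `rndPos[j] / P` would index past `sequence`; confirm the range contract of rand_range or reject `p >= N0 * NUM_BITS_GF2X_ELEMENT` before the duplicate scan. rand_error_pos ends outside the hunk.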
@@ -491,13 +496,15 @@ void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_ } void PQCLEAN_LEDAKEMLT32_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - POSITION_T errorPos[NUM_ERRORS_T]) { + const POSITION_T errorPos[NUM_ERRORS_T]) { + + size_t polyIndex; + POSITION_T exponent; memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - for (int j = 0; j < NUM_ERRORS_T; j++) { - int polyIndex = errorPos[j] / P; - int exponent = errorPos[j] % P; + polyIndex = errorPos[j] / P; + exponent = errorPos[j] % P; PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, ( (DIGIT) 1)); } diff --git a/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.h b/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.h index b26ff901..7ce000d7 100644 --- a/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.h +++ b/crypto_kem/ledakemlt32/leaktime/gf2x_arith_mod_xPplusOne.h @@ -6,7 +6,7 @@ #include "gf2x_arith.h" #include "rng.h" -#define NUM_BITS_GF2X_ELEMENT (P) // 96221 +#define NUM_BITS_GF2X_ELEMENT (P) #define NUM_DIGITS_GF2X_ELEMENT ((P+DIGIT_SIZE_b-1)/DIGIT_SIZE_b) #define MSb_POSITION_IN_MSB_DIGIT_OF_ELEMENT ((P % DIGIT_SIZE_b) ? (P % DIGIT_SIZE_b)-1 : DIGIT_SIZE_b-1) #define NUM_BITS_GF2X_MODULUS (P+1) 
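Review bot: expand_error still lacks a statement of its one precondition: `polyIndex = errorPos[j] / P` must stay below N0 for the `sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex` write to remain inside the N0 * NUM_DIGITS_GF2X_ELEMENT buffer. Add a header comment such as `/* Requires errorPos[j] < N0 * P for all j (as produced by rand_error_pos); larger positions write past sequence. */`. Whether a runtime bounds check is needed depends on callers not shown here.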
@@ -26,11 +26,11 @@ void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place(DIGIT A[]); void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_ones, int countOnes, AES_XOF_struct *seed_expander_ctx); void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_circulant_blocks_sequence(DIGIT *sequence, AES_XOF_struct *seed_expander_ctx); void PQCLEAN_LEDAKEMLT32_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], AES_XOF_struct *seed_expander_ctx); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], POSITION_T errorPos[NUM_ERRORS_T]); +void PQCLEAN_LEDAKEMLT32_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], const POSITION_T errorPos[NUM_ERRORS_T]); void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(int sizeR, POSITION_T Res[], int sizeA, const POSITION_T A[], int sizeB, const POSITION_T B[]); void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place_sparse(int sizeA, POSITION_T A[]); int PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]); -void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(int sizeR, POSITION_T Res[], int sizeA, const POSITION_T A[], int sizeB, const POSITION_T B[]); +void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]); void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_dense_to_sparse(DIGIT Res[], const DIGIT dense[], POSITION_T sparse[], unsigned int nPos); void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_tobytes(uint8_t *bytes, const DIGIT *poly); void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_frombytes(DIGIT *poly, const uint8_t *poly_bytes); diff --git a/crypto_kem/ledakemlt52/leaktime/dfr_test.c b/crypto_kem/ledakemlt52/leaktime/dfr_test.c index a189ac18..ce4a252b 100644 --- a/crypto_kem/ledakemlt52/leaktime/dfr_test.c +++ b/crypto_kem/ledakemlt52/leaktime/dfr_test.c 
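Review bot: gf2x_mod_mul_sparse now takes size_t sizes while gf2x_mod_add_sparse, gf2x_transpose_in_place_sparse and rand_circulant_sparse_block on the neighbouring lines keep int, so passing a size from one to another reintroduces the sign-conversion warnings this commit targets. Convert the remaining sparse-size parameters to size_t in the same change, e.g. `void PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]);`.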
@@ -10,9 +10,9 @@ int PQCLEAN_LEDAKEMLT52_LEAKTIME_DFR_test(POSITION_T LSparse[N0][DV * M], uint8_t *secondIterThreshold) { POSITION_T LSparse_loc[N0][DV * M]; /* vector of N_0 sparse blocks */ - int gamma[N0][N0][P] = {{{0}}}; - int maxMut[N0], maxMutMinusOne[N0]; - int allBlockMaxSumst, allBlockMaxSumstMinusOne; + unsigned int gamma[N0][N0][P] = {{{0}}}; + unsigned int maxMut[N0], maxMutMinusOne[N0]; + unsigned int allBlockMaxSumst, allBlockMaxSumstMinusOne; unsigned int gammaHist[N0][DV * M + 1] = {{0}}; for (int i = 0; i < N0; i++) { diff --git a/crypto_kem/ledakemlt52/leaktime/gf2x_arith.c b/crypto_kem/ledakemlt52/leaktime/gf2x_arith.c index cab058e8..60130747 100644 --- a/crypto_kem/ledakemlt52/leaktime/gf2x_arith.c +++ b/crypto_kem/ledakemlt52/leaktime/gf2x_arith.c @@ -25,7 +25,7 @@ void PQCLEAN_LEDAKEMLT52_LEAKTIME_right_bit_shift_n(int length, DIGIT in[], unsi unsigned int j; DIGIT mask; mask = ((DIGIT)0x01 << amount) - 1; - for (j = length - 1; j > 0 ; j--) { + for (j = length - 1; j > 0; j--) { in[j] >>= amount; in[j] |= (in[j - 1] & mask) << (DIGIT_SIZE_b - amount); } 
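Review bot: The int-to-unsigned change for `maxMut`, `maxMutMinusOne`, `allBlockMaxSumst` and `allBlockMaxSumstMinusOne` affects subtractions and mixed comparisons in the rest of DFR_test, which is outside this hunk; `maxMutMinusOne` in particular suggests a `maxMut - 1` that wraps when maxMut is 0. Document the assumption at the declaration, e.g. `/* unsigned counts; any "-1" below assumes the count is >= 1 */`, and verify the later uses. With P = 152267 for this parameter set, `unsigned int gamma[N0][N0][P]` is a stack array of several megabytes — pre-existing, but notable.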
@@ -40,44 +40,35 @@ void PQCLEAN_LEDAKEMLT52_LEAKTIME_left_bit_shift_n(int length, DIGIT in[], unsig int j; DIGIT mask; mask = ~(((DIGIT)0x01 << (DIGIT_SIZE_b - amount)) - 1); - for (j = 0 ; j < length - 1 ; j++) { + for (j = 0 ; j < length - 1; j++) { in[j] <<= amount; in[j] |= (in[j + 1] & mask) >> (DIGIT_SIZE_b - amount); } in[j] <<= amount; } -static void gf2x_mul_comb(int nr, DIGIT Res[], - int na, const DIGIT A[], - int nb, const DIGIT B[]) { - int i, j, k; - DIGIT u, h; +static void gf2x_mul1(DIGIT *R, const DIGIT A, const DIGIT B) { + DIGIT tmp; - memset(Res, 0x00, nr * sizeof(DIGIT)); - - for (k = DIGIT_SIZE_b - 1; k > 0; k--) { - for (i = na - 1; i >= 0; i--) { - if ( A[i] & (((DIGIT)0x1) << k) ) { - for (j = nb - 1; j >= 0; j--) { - Res[i + j + 1] ^= B[j]; - } - } - } - - u = Res[na + nb - 1]; - Res[na + nb - 1] = u << 0x1; - for (j = 1; j < na + nb; ++j) { - h = u >> (DIGIT_SIZE_b - 1); - u = Res[na + nb - 1 - j]; - Res[na + nb - 1 - j] = h ^ (u << 0x1); - } + R[0] = 0; + R[1] = (A & 1) * B; + for (unsigned i = 1; i < DIGIT_SIZE_b; i++) { + tmp = ((A >> i) & 1) * B; + R[1] ^= tmp << i; + R[0] ^= tmp >> (DIGIT_SIZE_b - i); } - for (i = na - 1; i >= 0; i--) { - if ( A[i] & ((DIGIT)0x1) ) { - for (j = nb - 1; j >= 0; j--) { - Res[i + j + 1] ^= B[j]; - } +} + +static void gf2x_mul_n(DIGIT *R, const DIGIT *A, const DIGIT *B, size_t n) { + DIGIT tmp[2]; + + memset(R, 0x00, 2 * n * sizeof(DIGIT)); + for (size_t i = 0; i < n; i++) { + for (size_t j = 0; j < n; j++) { + gf2x_mul1(tmp, A[i], B[j]); + R[i + j] ^= tmp[0]; + R[i + j + 1] ^= tmp[1]; } } } 
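Review bot: The 0/1 multiply in gf2x_mul1 (`tmp = ((A >> i) & 1) * B;`, `R[1] = (A & 1) * B;`) is the same construction as in the other two parameter sets and has the same caveat: multiply latency is operand-dependent on some cores and the compiler may emit a select or branch. Use a mask instead: `DIGIT m = (DIGIT)0 - ((A >> i) & 1); tmp = m & B;`. Add a short contract comment to both helpers noting the most-significant-digit-first layout of `R` and the equal-length requirement of gf2x_mul_n.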
@@ -96,8 +87,8 @@ static void gf2x_cpy(DIGIT *R, const DIGIT *A, size_t len) { * first operand must be the bigger one. * aligns last array elements */ static inline void gf2x_add_asymm(DIGIT *R, - int na, const DIGIT *A, - int nb, const DIGIT *B) { + size_t na, const DIGIT *A, + size_t nb, const DIGIT *B) { size_t delta = na - nb; gf2x_cpy(R, A, delta); PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_add(R + delta, A + delta, B, nb);; @@ -105,8 +96,8 @@ static inline void gf2x_add_asymm(DIGIT *R, /* aligns first array elements */ static inline void gf2x_add_asymm2(DIGIT *R, - int na, const DIGIT *A, - int nb, const DIGIT *B) { + size_t na, const DIGIT *A, + size_t nb, const DIGIT *B) { size_t delta = na - nb; PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_add(R, A, B, nb); gf2x_cpy(R + nb, A + nb, delta); @@ -121,7 +112,7 @@ static void gf2x_mul_kar(DIGIT *R, DIGIT *stack) { if (n < MIN_KAR_DIGITS) { - gf2x_mul_comb(2 * n, R, n, A, n, B); + gf2x_mul_n(R, A, B, n); return; } diff --git a/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.c b/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.c index f3a22955..21ab22e8 100644 --- a/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.c +++ b/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.c @@ -84,6 +84,7 @@ static void right_bit_shift(unsigned int length, DIGIT in[]) { in[j] >>= 1; } + /* shifts by whole digits */ static void left_DIGIT_shift_n(unsigned int length, DIGIT in[], unsigned int amount) { unsigned int j; 
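Review bot: `size_t delta = na - nb;` in gf2x_add_asymm and gf2x_add_asymm2 wraps for nb > na now that both sizes are unsigned, after which gf2x_cpy runs past both buffers; the behaviour is unchanged from the int version, but the "first operand must be the bigger one" requirement should sit next to the subtraction or be checked. Drop the doubled `;;` after the gf2x_add call while touching this code. The gf2x_mul_kar body continues outside the hunk.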
@@ -291,15 +292,17 @@ void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_transpose_in_place_sparse(int sizeA, POSI } -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(int sizeR, POSITION_T Res[], - int sizeA, const POSITION_T A[], - int sizeB, const POSITION_T B[]) { +void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], + size_t sizeA, const POSITION_T A[], + size_t sizeB, const POSITION_T B[]) { + + POSITION_T prod; /* compute all the coefficients, filling invalid positions with P*/ - int lastFilledPos = 0; - for (int i = 0 ; i < sizeA ; i++) { - for (int j = 0 ; j < sizeB ; j++) { - uint32_t prod = ((uint32_t) A[i]) + ((uint32_t) B[j]); + size_t lastFilledPos = 0; + for (size_t i = 0 ; i < sizeA ; i++) { + for (size_t j = 0 ; j < sizeB ; j++) { + prod = A[i] + B[j]; prod = ( (prod >= P) ? prod - P : prod); if ((A[i] != INVALID_POS_VALUE) && (B[j] != INVALID_POS_VALUE)) { @@ -317,9 +320,9 @@ void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(int sizeR, POSITION_T Res[ PQCLEAN_LEDAKEMLT52_LEAKTIME_uint32_sort(Res, sizeR); /* eliminate duplicates */ POSITION_T lastReadPos = Res[0]; - int duplicateCount; - int write_idx = 0; - int read_idx = 0; + size_t duplicateCount; + size_t write_idx = 0; + size_t read_idx = 0; while (read_idx < sizeR && Res[read_idx] != INVALID_POS_VALUE) { lastReadPos = Res[read_idx]; read_idx++; 
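Review bot: `prod = A[i] + B[j];` in gf2x_mod_mul_sparse is computed before the INVALID_POS_VALUE test that follows it, so sentinel entries are added and discarded, and the removed uint32_t casts leave the addition width to POSITION_T. Put the validity check first and record the invariant behind the single conditional subtraction: `/* valid entries are < P, so one subtraction reduces the sum mod P */`. The function body continues past the hunk.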
@@ -443,16 +446,15 @@ void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_on void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], AES_XOF_struct *seed_expander_ctx) { - int rndPos[NUM_ERRORS_T], duplicated, counter = 0; - int p, polyIndex, exponent; + size_t polyIndex, duplicated, counter = 0; + POSITION_T p, exponent, rndPos[NUM_ERRORS_T]; memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); while (counter < NUM_ERRORS_T) { - p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, - seed_expander_ctx); + p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); duplicated = 0; - for (int j = 0; j < counter; j++) { + for (size_t j = 0; j < counter; j++) { if (rndPos[j] == p) { duplicated = 1; } @@ -462,7 +464,7 @@ void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[ counter++; } } - for (int j = 0; j < counter; j++) { + for (size_t j = 0; j < counter; j++) { polyIndex = rndPos[j] / P; exponent = rndPos[j] % P; PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, @@ -475,14 +477,17 @@ void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_blocks_sequence(DIGIT sequence[ void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], AES_XOF_struct *seed_expander_ctx) { - int duplicated, counter = 0; + int duplicated; + size_t counter = 0; while (counter < NUM_ERRORS_T) { - uint32_t p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); + POSITION_T p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, P_BITS, seed_expander_ctx); duplicated = 0; - for (int j = 0; j < counter; j++) if (errorPos[j] == p) { + for (size_t j = 0; j < counter; j++) { + if (errorPos[j] == p) { duplicated = 1; } + } if (duplicated == 0) { errorPos[counter] = p; counter++; 
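Review bot: The 0/1 flag `duplicated` is size_t in rand_circulant_blocks_sequence and int in rand_error_pos within the same hunk; use a single type. With `p` now the unsigned POSITION_T, any negative or out-of-range value from rand_range (not visible here) would become a large position and `rndPos[j] / P` would select a block past `sequence`; confirm rand_range's range contract or reject `p >= N0 * NUM_BITS_GF2X_ELEMENT` up front. rand_error_pos ends outside the hunk.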
@@ -491,13 +496,15 @@ void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_ } void PQCLEAN_LEDAKEMLT52_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], - POSITION_T errorPos[NUM_ERRORS_T]) { + const POSITION_T errorPos[NUM_ERRORS_T]) { + + size_t polyIndex; + POSITION_T exponent; memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B); - for (int j = 0; j < NUM_ERRORS_T; j++) { - int polyIndex = errorPos[j] / P; - int exponent = errorPos[j] % P; + polyIndex = errorPos[j] / P; + exponent = errorPos[j] % P; PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent, ( (DIGIT) 1)); } diff --git a/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.h b/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.h index 568fb53e..c9ba927a 100644 --- a/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.h +++ b/crypto_kem/ledakemlt52/leaktime/gf2x_arith_mod_xPplusOne.h @@ -6,7 +6,7 @@ #include "gf2x_arith.h" #include "rng.h" -#define NUM_BITS_GF2X_ELEMENT (P) // 152267 +#define NUM_BITS_GF2X_ELEMENT (P) #define NUM_DIGITS_GF2X_ELEMENT ((P+DIGIT_SIZE_b-1)/DIGIT_SIZE_b) #define MSb_POSITION_IN_MSB_DIGIT_OF_ELEMENT ((P % DIGIT_SIZE_b) ? (P % DIGIT_SIZE_b)-1 : DIGIT_SIZE_b-1) #define NUM_BITS_GF2X_MODULUS (P+1) 
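Review bot: expand_error's precondition is still undocumented: `polyIndex = errorPos[j] / P` must be below N0 for the write at `sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex` to stay within the N0 * NUM_DIGITS_GF2X_ELEMENT buffer. Add `/* Requires errorPos[j] < N0 * P for all j (as produced by rand_error_pos); larger positions write past sequence. */` above the function; a runtime check may be warranted if any caller outside this view supplies decoded rather than freshly sampled positions.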
@@ -26,11 +26,11 @@ void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_transpose_in_place(DIGIT A[]); void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_sparse_block(POSITION_T *pos_ones, int countOnes, AES_XOF_struct *seed_expander_ctx); void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_circulant_blocks_sequence(DIGIT *sequence, AES_XOF_struct *seed_expander_ctx); void PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_error_pos(POSITION_T errorPos[NUM_ERRORS_T], AES_XOF_struct *seed_expander_ctx); -void PQCLEAN_LEDAKEMLT52_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], POSITION_T errorPos[NUM_ERRORS_T]); +void PQCLEAN_LEDAKEMLT52_LEAKTIME_expand_error(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT], const POSITION_T errorPos[NUM_ERRORS_T]); void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add_sparse(int sizeR, POSITION_T Res[], int sizeA, const POSITION_T A[], int sizeB, const POSITION_T B[]); void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_transpose_in_place_sparse(int sizeA, POSITION_T A[]); int PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_inverse(DIGIT out[], const DIGIT in[]); -void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(int sizeR, POSITION_T Res[], int sizeA, const POSITION_T A[], int sizeB, const POSITION_T B[]); +void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]); void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_mul_dense_to_sparse(DIGIT Res[], const DIGIT dense[], POSITION_T sparse[], unsigned int nPos); void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_tobytes(uint8_t *bytes, const DIGIT *poly); void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_frombytes(DIGIT *poly, const uint8_t *poly_bytes);
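Review bot: The header now declares gf2x_mod_mul_sparse with size_t sizes while gf2x_mod_add_sparse, gf2x_transpose_in_place_sparse and rand_circulant_sparse_block keep int on the adjacent lines, so sizes flowing between them will again trigger sign-conversion warnings or silent negative-to-huge conversions. Finish the migration in the same change, e.g. `void PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_mod_add_sparse(size_t sizeR, POSITION_T Res[], size_t sizeA, const POSITION_T A[], size_t sizeB, const POSITION_T B[]);`, with the matching definitions.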