
ensure sike doesn't use uninitialized reads

This commit is contained in:
Henry Case 2021-06-23 07:46:32 +01:00
parent bb3fe16bd5
commit bb36594224
3 changed files with 20 additions and 20 deletions


@ -190,7 +190,7 @@ void sike_from_mont(const felm_t ma, felm_t c)
// Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1] // Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1]
// Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1] // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
void sike_fp2sqr_mont(const f2elm_t a, f2elm_t c) { void sike_fp2sqr_mont(const f2elm_t a, f2elm_t c) {
felm_t t1, t2, t3; felm_t t1 = {0}, t2 = {0}, t3 = {0};
mp_addfast(a->c0, a->c1, t1); // t1 = a0+a1 mp_addfast(a->c0, a->c1, t1); // t1 = a0+a1
sike_fpsub(a->c0, a->c1, t2); // t2 = a0-a1 sike_fpsub(a->c0, a->c1, t2); // t2 = a0-a1
@ -247,7 +247,7 @@ void sike_fpcorrection(felm_t a) {
// Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1] // Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1]
// Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1] // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) { void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) {
felm_t t1, t2; felm_t t1 = {0}, t2 = {0};
dfelm_t tt1, tt2, tt3; dfelm_t tt1, tt2, tt3;
crypto_word_t mask; crypto_word_t mask;
@ -270,7 +270,7 @@ void sike_fp2mul_mont(const f2elm_t a, const f2elm_t b, f2elm_t c) {
// GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2). // GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2).
void sike_fp2inv_mont(f2elm_t a) { void sike_fp2inv_mont(f2elm_t a) {
f2elm_t t1; f2elm_t t1 = {0};
fpsqr_mont(a->c0, t1->c0); // t10 = a0^2 fpsqr_mont(a->c0, t1->c0); // t10 = a0^2
fpsqr_mont(a->c1, t1->c1); // t11 = a1^2 fpsqr_mont(a->c1, t1->c1); // t11 = a1^2
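Review bot: In sike_fp2mul_mont the zero-initialization stops at `t1` and `t2`; `dfelm_t tt1, tt2, tt3;` and `crypto_word_t mask;` on the next two lines stay uninitialized, so if the motivation is an uninitialized-read checker (MSan/Valgrind) the same report will presumably come back for those, and if every temporary is fully written before it is read the new initializers are dead stores rather than a fix. The commit message should say which reads were actually flagged; the bodies of all three functions continue outside the hunks, so that cannot be confirmed here. For the f2elm_t temporary in sike_fp2inv_mont the project already has an initializer macro for that type (F2ELM_INIT, used in the isogeny file's hunks), so `f2elm_t t1 = F2ELM_INIT;` would keep one initializer form per type instead of mixing it with `= {0}`.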


@ -13,7 +13,7 @@ static void xDBL(const point_proj_t P, point_proj_t Q, const f2elm_t A24plus, co
{ // Doubling of a Montgomery point in projective coordinates (X:Z). { // Doubling of a Montgomery point in projective coordinates (X:Z).
// Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C. // Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C.
// Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2). // Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2).
f2elm_t t0, t1; f2elm_t t0 = {0}, t1 = {0};
sike_fp2sub(P->X, P->Z, t0); // t0 = X1-Z1 sike_fp2sub(P->X, P->Z, t0); // t0 = X1-Z1
sike_fp2add(P->X, P->Z, t1); // t1 = X1+Z1 sike_fp2add(P->X, P->Z, t1); // t1 = X1+Z1
@ -60,7 +60,7 @@ void eval_4_isog(point_proj_t P, f2elm_t* coeff)
// by the 3 coefficients in coeff (computed in the function get_4_isog()). // by the 3 coefficients in coeff (computed in the function get_4_isog()).
// Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z). // Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z).
// Output: the projective point P = phi(P) = (X:Z) in the codomain. // Output: the projective point P = phi(P) = (X:Z) in the codomain.
f2elm_t t0, t1; f2elm_t t0 = {0}, t1 = {0};
sike_fp2add(P->X, P->Z, t0); // t0 = X+Z sike_fp2add(P->X, P->Z, t0); // t0 = X+Z
sike_fp2sub(P->X, P->Z, t1); // t1 = X-Z sike_fp2sub(P->X, P->Z, t1); // t1 = X-Z
@ -123,7 +123,7 @@ void get_3_isog(const point_proj_t P, f2elm_t A24minus, f2elm_t A24plus, f2elm_t
{ // Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3. { // Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3.
// Input: projective point of order three P = (X3:Z3). // Input: projective point of order three P = (X3:Z3).
// Output: the 3-isogenous Montgomery curve with projective coefficient A/C. // Output: the 3-isogenous Montgomery curve with projective coefficient A/C.
f2elm_t t0, t1, t2, t3, t4; f2elm_t t0 = {0}, t1 = {0}, t2 = {0}, t3 = {0}, t4 = {0};
sike_fp2sub(P->X, P->Z, coeff[0]); // coeff0 = X-Z sike_fp2sub(P->X, P->Z, coeff[0]); // coeff0 = X-Z
sike_fp2sqr_mont(coeff[0], t0); // t0 = (X-Z)^2 sike_fp2sqr_mont(coeff[0], t0); // t0 = (X-Z)^2
@ -189,7 +189,7 @@ void get_A(const f2elm_t xP, const f2elm_t xQ, const f2elm_t xR, f2elm_t A)
{ // Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A. { // Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A.
// Input: the x-coordinates xP, xQ, and xR of the points P, Q and R. // Input: the x-coordinates xP, xQ, and xR of the points P, Q and R.
// Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x. // Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x.
f2elm_t t0, t1, one = F2ELM_INIT; f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT, one = F2ELM_INIT;
extern const struct params_t params; extern const struct params_t params;
sike_fpcopy(params.mont_one, one->c0); sike_fpcopy(params.mont_one, one->c0);
@ -213,7 +213,7 @@ void j_inv(const f2elm_t A, const f2elm_t C, f2elm_t jinv)
{ // Computes the j-invariant of a Montgomery curve with projective constant. { // Computes the j-invariant of a Montgomery curve with projective constant.
// Input: A,C in GF(p^2). // Input: A,C in GF(p^2).
// Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x. // Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x.
f2elm_t t0, t1; f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT;
sike_fp2sqr_mont(A, jinv); // jinv = A^2 sike_fp2sqr_mont(A, jinv); // jinv = A^2
sike_fp2sqr_mont(C, t1); // t1 = C^2 sike_fp2sqr_mont(C, t1); // t1 = C^2
@ -238,7 +238,7 @@ void xDBLADD(point_proj_t P, point_proj_t Q, const f2elm_t xPQ, const f2elm_t A2
{ // Simultaneous doubling and differential addition. { // Simultaneous doubling and differential addition.
// Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4. // Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4.
// Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP. // Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP.
f2elm_t t0, t1, t2; f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT, t2 = F2ELM_INIT;
sike_fp2add(P->X, P->Z, t0); // t0 = XP+ZP sike_fp2add(P->X, P->Z, t0); // t0 = XP+ZP
sike_fp2sub(P->X, P->Z, t1); // t1 = XP-ZP sike_fp2sub(P->X, P->Z, t1); // t1 = XP-ZP
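Review bot: The same f2elm_t temporaries are initialized two different ways within this file: `= {0}` in xDBL, eval_4_isog and get_3_isog, but `F2ELM_INIT` in get_A, j_inv and xDBLADD. Since `one = F2ELM_INIT` already existed in get_A before this commit, that macro is the established form for the type; using it in the first three as well, e.g. `f2elm_t t0 = F2ELM_INIT, t1 = F2ELM_INIT;` in xDBL and eval_4_isog, keeps the initializer tied to the type's definition rather than to its current layout. The same mixed spelling appears in the fp file's hunks. All six function bodies run past their hunks, so whether any of these temporaries is actually read before being written cannot be judged from this page.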


@ -136,11 +136,11 @@ static void gen_iso_A(const uint8_t* skA, uint8_t* pkA)
point_proj_t phiP = POINT_PROJ_INIT; point_proj_t phiP = POINT_PROJ_INIT;
point_proj_t phiQ = POINT_PROJ_INIT; point_proj_t phiQ = POINT_PROJ_INIT;
point_proj_t phiR = POINT_PROJ_INIT; point_proj_t phiR = POINT_PROJ_INIT;
f2elm_t XPA, XQA, XRA, coeff[3]; f2elm_t XPA, XQA, XRA, coeff[3] = {0};
f2elm_t A24plus = F2ELM_INIT; f2elm_t A24plus = F2ELM_INIT;
f2elm_t C24 = F2ELM_INIT; f2elm_t C24 = F2ELM_INIT;
f2elm_t A = F2ELM_INIT; f2elm_t A = F2ELM_INIT;
unsigned int m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0; unsigned int m, index = 0, pts_index[MAX_INT_POINTS_ALICE] = {0}, npts = 0, ii = 0;
// Initialize basis points // Initialize basis points
sike_init_basis(params.A_gen, XPA, XQA, XRA); sike_init_basis(params.A_gen, XPA, XQA, XRA);
@ -211,11 +211,11 @@ static void gen_iso_B(const uint8_t* skB, uint8_t* pkB)
point_proj_t phiP = POINT_PROJ_INIT; point_proj_t phiP = POINT_PROJ_INIT;
point_proj_t phiQ = POINT_PROJ_INIT; point_proj_t phiQ = POINT_PROJ_INIT;
point_proj_t phiR = POINT_PROJ_INIT; point_proj_t phiR = POINT_PROJ_INIT;
f2elm_t XPB, XQB, XRB, coeff[3]; f2elm_t XPB, XQB, XRB, coeff[3] = {0};
f2elm_t A24plus = F2ELM_INIT; f2elm_t A24plus = F2ELM_INIT;
f2elm_t A24minus = F2ELM_INIT; f2elm_t A24minus = F2ELM_INIT;
f2elm_t A = F2ELM_INIT; f2elm_t A = F2ELM_INIT;
unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0; unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB] = {0}, npts = 0, ii = 0;
// Initialize basis points // Initialize basis points
sike_init_basis(params.B_gen, XPB, XQB, XRB); sike_init_basis(params.B_gen, XPB, XQB, XRB);
@ -342,12 +342,12 @@ static void ex_iso_A(const uint8_t* skA, const uint8_t* pkB, uint8_t* ssA)
// Output: a shared secret ssB that consists of one element in GF(p503^2) encoded in 126 bytes. // Output: a shared secret ssB that consists of one element in GF(p503^2) encoded in 126 bytes.
static void ex_iso_B(const uint8_t* skB, const uint8_t* pkA, uint8_t* ssB) static void ex_iso_B(const uint8_t* skB, const uint8_t* pkA, uint8_t* ssB)
{ {
point_proj_t R, pts[MAX_INT_POINTS_BOB]; point_proj_t R, pts[MAX_INT_POINTS_BOB] = {0};
f2elm_t coeff[3], PKB[3], jinv; f2elm_t coeff[3] = {0}, PKB[3] = {0}, jinv;
f2elm_t A24plus = F2ELM_INIT; f2elm_t A24plus = F2ELM_INIT;
f2elm_t A24minus = F2ELM_INIT; f2elm_t A24minus = F2ELM_INIT;
f2elm_t A = F2ELM_INIT; f2elm_t A = F2ELM_INIT;
unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0; unsigned int m, index = 0, pts_index[MAX_INT_POINTS_BOB] = {0}, npts = 0, ii = 0;
// Initialize images of Alice's basis // Initialize images of Alice's basis
fp2_decode(pkA, PKB[0]); fp2_decode(pkA, PKB[0]);
@ -412,7 +412,7 @@ void SIKE_encaps(uint8_t out_shared_key[SIKE_SS_BYTESZ],
// secret data. It's size must be maximum of 64, // secret data. It's size must be maximum of 64,
// SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes. // SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
uint8_t secret[32]; // OZAPTF, why? uint8_t secret[32]; // OZAPTF, why?
uint8_t j[SIDH_JINV_BYTESZ]; uint8_t j[SIDH_JINV_BYTESZ] = {0};
uint8_t temp[SIKE_MSG_BYTESZ + SIKE_CT_BYTESZ]; uint8_t temp[SIKE_MSG_BYTESZ + SIKE_CT_BYTESZ];
shake256incctx ctx; shake256incctx ctx;
@ -460,9 +460,9 @@ void SIKE_decaps(uint8_t out_shared_key[SIKE_SS_BYTESZ],
// secret data. It's size must be maximum of 64, // secret data. It's size must be maximum of 64,
// SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes. // SIKE_MSG_BYTESZ and SIDH_PRV_A_BITSZ in bytes.
uint8_t secret[32]; uint8_t secret[32];
uint8_t j[SIDH_JINV_BYTESZ]; uint8_t j[SIDH_JINV_BYTESZ] = {0};
uint8_t c0[SIKE_PUB_BYTESZ]; uint8_t c0[SIKE_PUB_BYTESZ] = {0};
uint8_t temp[SIKE_MSG_BYTESZ]; uint8_t temp[SIKE_MSG_BYTESZ] = {0};
shake256incctx ctx; shake256incctx ctx;
// Recover m // Recover m
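Review bot: In SIKE_decaps the buffers `j`, `c0` and `temp` are now zero-filled but `uint8_t secret[32];` directly above them is not, and SIKE_encaps likewise leaves `secret` and `temp` untouched; if those are fully written before use that is fine, but then the three new initializers do not follow from the stated goal, and the commit should name which reads were flagged. Zero-filling at declaration also does not zeroize key material on exit: `secret`, `j` and `temp` still need a cleanse before return unless the rest of these functions (outside the hunk) already does that. In gen_iso_A, gen_iso_B and ex_iso_B the initializer is attached only to the last declarator of a shared declaration — `f2elm_t XPA, XQA, XRA, coeff[3] = {0};` initializes `coeff` alone, and `point_proj_t R, pts[MAX_INT_POINTS_BOB] = {0};` leaves `R` uninitialized — so one declaration per line would make the partial initialization explicit to the next reader. The `// OZAPTF, why?` marker on `secret[32]` in SIKE_encaps is an open question about the size comment above it and should be resolved or removed rather than carried along.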