
Fixed secret-dependent branch in poly_frommsg introduced by recent versions of clang with some flags (Thanks to Antoon Purnal for pointing this out!)
cryptojedi committed Jun 3, 2024
1 parent b628ba7 commit 9b8d306
Showing 3 changed files with 13 additions and 3 deletions.
6 changes: 3 additions & 3 deletions ref/poly.c
Expand Up @@ -5,6 +5,7 @@
#include "reduce.h"
#include "cbd.h"
#include "symmetric.h"
#include "verify.h"

/*************************************************
* Name: poly_compress
Expand Down Expand Up @@ -166,16 +167,15 @@ void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES])
void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES])
{
unsigned int i,j;
int16_t mask;

#if (KYBER_INDCPA_MSGBYTES != KYBER_N/8)
#error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!"
#endif

for(i=0;i<KYBER_N/8;i++) {
for(j=0;j<8;j++) {
mask = -(int16_t)((msg[i] >> j)&1);
r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2);
r->coeffs[8*i+j] = 0;
cmov_int16(r->coeffs+8*i+j, ((KYBER_Q+1)/2), (msg[i] >> j)&1);
}
}
}
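Review bot: The new write-then-overwrite pair `r->coeffs[8*i+j] = 0;` followed by `cmov_int16(r->coeffs+8*i+j, ((KYBER_Q+1)/2), (msg[i] >> j)&1);` looks redundant to a reader who does not know the commit history, and nothing in the code says why the former one-line mask expression was abandoned, so a maintainer or a cleanup tool could fold it straight back. Add a comment above the two lines, e.g. `/* Deliberately not written as mask arithmetic: recent clang versions turn the masked form into a branch on the secret message bit. Keep the selection inside cmov_int16. */`. The `(msg[i] >> j)&1` argument is the 0/1 selector that `cmov_int16` negates into its mask, so the call supplies exactly the input that helper expects. poly_frommsg starts and ends inside this hunk.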
7 changes: 7 additions & 0 deletions ref/verify.c
Expand Up @@ -55,3 +55,10 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
for(i=0;i<len;i++)
r[i] ^= b & (r[i] ^ x[i]);
}


void cmov_int16(int16_t *r, int16_t v, uint16_t b)
{
b = -b;
*r ^= b & ((*r) ^ v);
}
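Review bot: `cmov_int16` has no documentation, although this codebase prefixes its functions with a banner comment (the `Name:` block style visible for `poly_compress` in ref/poly.c on this page), and its contract has a precondition the code does not state: `b = -b;` only yields an all-ones mask when `b` is 1, so any other non-zero `b` leaves `*r` as a bitwise mix of its old value and `v`. Suggest a banner above the function saying that it copies `v` into `*r` when `b` is 1 and leaves `*r` unchanged when `b` is 0, that `b` must be 0 or 1, and that it is written to select without branching on `b`. Since `(*r) ^ v` is evaluated in `int` and masked with the 16-bit `b`, the value stored back can exceed `INT16_MAX` when `*r` and `v` differ in sign; that narrowing is implementation-defined rather than undefined and behaves as intended on two's-complement targets, but it is worth one sentence in the comment. The prototype added in ref/verify.h would benefit from the same one-line precondition.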
3 changes: 3 additions & 0 deletions ref/verify.h
Expand Up @@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
#define cmov KYBER_NAMESPACE(cmov)
void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);

#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
void cmov_int16(int16_t *r, int16_t v, uint16_t b);

#endif

2 comments on commit 9b8d306

@Masken3


Could this be vulnerable to link-time optimizations with -flto?

@cryptojedi

@cryptojedi cryptojedi commented on 9b8d306 Jun 13, 2024 via email

