Improve Dilithium, LMS, SPHINCS+'s constant time behavior

cipherboy · cipherboy · commit 467ca1ead29f · 2024-05-30T12:05:40.000-04:00
Signed-off-by: Alexander Scheel &lt;alexander.scheel@keyfactor.com&gt;
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumEngine.java
@@ -536,14 +536,7 @@ public boolean signVerify(byte[] sig, int siglen, byte[] msg, int msglen, byte[]
         // Helper.printByteArray(c2);
 
 
-        for (int i = 0; i < DilithiumCTilde; ++i)
-        {
-            if (c[i] != c2[i])
-            {
-                return false;
-            }
-        }
-        return true;
+        return Arrays.constantTimeAreEqual(c, c2);
     }
 
     public boolean signOpen(byte[] msg, byte[] signedMsg, int signedMsglen, byte[] rho, byte[] t1)
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPublicKeyParameters.java
@@ -136,7 +136,7 @@ public LMSContext generateLMSContext(byte[] sigEnc)
 
     public boolean verify(LMSContext context)
     {
-        boolean failed = false;
+        boolean passed = true;
 
         LMSSignedPubKey[] sigKeys = context.getSignedPubKeys();
 
@@ -151,13 +151,10 @@ public boolean verify(LMSContext context)
         {
             LMSSignature sig = sigKeys[i].getSignature();
             byte[] msg = sigKeys[i].getPublicKey().toByteArray();
-            if (!LMS.verifySignature(key, sig, msg))
-            {
-                failed = true;
-            }
+            passed &= LMS.verifySignature(key, sig, msg);
             key = sigKeys[i].getPublicKey();
         }
 
-        return !failed & key.verify(context);
+        return passed & key.verify(context);
     }
 }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincs/SPHINCS256Signer.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincs/SPHINCS256Signer.java
@@ -406,13 +406,12 @@ boolean verify(HashFunctions hs, byte[] m, byte[] sm, byte[] pk)
             smlen -= SPHINCS256Config.SUBTREE_HEIGHT * SPHINCS256Config.HASH_BYTES;
         }
 
+        // Because we use custom offsets on tpk, rather than incurring an
+        // expensive copy, we use a manual constant time comparison.
         boolean verified = true;
         for (i = 0; i < SPHINCS256Config.HASH_BYTES; i++)
         {
-            if (root[i] != tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES])
-            {
-                verified = false;
-            }
+            verified &= root[i] == tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES];
         }
 
         return verified;

Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,7 @@ public LMSContext generateLMSContext(byte[] sigEnc)`
`136`	`136`
`137`	`137`	`public boolean verify(LMSContext context)`
`138`	`138`	`{`
`139`		`- boolean failed = false;`
	`139`	`+ boolean passed = true;`
`140`	`140`
`141`	`141`	`LMSSignedPubKey[] sigKeys = context.getSignedPubKeys();`
`142`	`142`
`@@ -151,13 +151,10 @@ public boolean verify(LMSContext context)`
`151`	`151`	`{`
`152`	`152`	`LMSSignature sig = sigKeys[i].getSignature();`
`153`	`153`	`byte[] msg = sigKeys[i].getPublicKey().toByteArray();`
`154`		`- if (!LMS.verifySignature(key, sig, msg))`
`155`		`- {`
`156`		`- failed = true;`
`157`		`- }`
	`154`	`+ passed &= LMS.verifySignature(key, sig, msg);`
`158`	`155`	`key = sigKeys[i].getPublicKey();`
`159`	`156`	`}`
`160`	`157`
`161`		`- return !failed & key.verify(context);`
	`158`	`+ return passed & key.verify(context);`
`162`	`159`	`}`
`163`	`160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -406,13 +406,12 @@ boolean verify(HashFunctions hs, byte[] m, byte[] sm, byte[] pk)`
`406`	`406`	`smlen -= SPHINCS256Config.SUBTREE_HEIGHT * SPHINCS256Config.HASH_BYTES;`
`407`	`407`	`}`
`408`	`408`
	`409`	`+ // Because we use custom offsets on tpk, rather than incurring an`
	`410`	`+ // expensive copy, we use a manual constant time comparison.`
`409`	`411`	`boolean verified = true;`
`410`	`412`	`for (i = 0; i < SPHINCS256Config.HASH_BYTES; i++)`
`411`	`413`	`{`
`412`		`- if (root[i] != tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES])`
`413`		`- {`
`414`		`- verified = false;`
`415`		`- }`
	`414`	`+ verified &= root[i] == tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES];`
`416`	`415`	`}`
`417`	`416`
`418`	`417`	`return verified;`