Skip to content

Commit 0dd40db

Browse files
bremoranmkannwischer
bremoran
authored and
mkannwischer
committed
Avoid calling keccak_absorb with partial lanes
Signed-off-by: Brendan Moran <[email protected]>
1 parent efe03f9 commit 0dd40db

File tree

1 file changed

+48
-10
lines changed

1 file changed

+48
-10
lines changed

mldsa/sign.c

Lines changed: 48 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -231,6 +231,44 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk)
231231
return result;
232232
}
233233

234+
static void shake256_absorb_with_residual(
235+
keccak_state *state, const uint8_t *in, size_t inlen,
236+
uint8_t *residual, size_t *pos)
237+
__contract__(
238+
requires(0 <= *pos && pos <= 8)
239+
requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES))
240+
requires(in == NULL || memory_no_alias(in, inlen))
241+
requires(memory_no_alias(residual, 8))
242+
assigns(memory_slice(state, sizeof(uint64_t) * MLD_KECCAK_LANES))
243+
assigns(memory_slice(residual, 8))
244+
assigns(*pos)
245+
)
246+
{
247+
size_t nb;
248+
if(in){
249+
if (*pos) {
250+
nb = inlen < 8 - *pos ? inlen : 8 - *pos;
251+
memcpy(residual + *pos, in, nb);
252+
inlen -= nb;
253+
in += nb;
254+
*pos += nb;
255+
if (*pos == 8) {
256+
shake256_absorb(state, residual, 8U);
257+
}
258+
}
259+
nb = inlen & ~7UL;
260+
if (nb) {
261+
shake256_absorb(state, in, nb);
262+
in += nb;
263+
inlen -= nb;
264+
}
265+
if (inlen) {
266+
memcpy(residual, in, inlen);
267+
*pos = inlen;
268+
}
269+
}
270+
}
271+
234272
/*************************************************
235273
* Name: mld_H
236274
*
@@ -268,23 +306,23 @@ __contract__(
268306
assigns(memory_slice(out, outlen))
269307
)
270308
{
271-
mld_shake256ctx state;
272-
mld_shake256_init(&state);
273-
mld_shake256_absorb(&state, in1, in1len);
274-
if (in2 != NULL)
275-
{
276-
mld_shake256_absorb(&state, in2, in2len);
277-
}
278-
if (in3 != NULL)
279-
{
280-
mld_shake256_absorb(&state, in3, in3len);
309+
keccak_state state;
310+
uint8_t buf[8];
311+
size_t pos=0;
312+
shake256_init(&state);
313+
shake256_absorb_with_residual(&state, in1, in1len, buf, &pos);
314+
shake256_absorb_with_residual(&state, in2, in2len, buf, &pos);
315+
shake256_absorb_with_residual(&state, in3, in3len, buf, &pos);
316+
if(pos) {
317+
shake256_absorb(&state, buf, pos);
281318
}
282319
mld_shake256_finalize(&state);
283320
mld_shake256_squeeze(out, outlen, &state);
284321
mld_shake256_release(&state);
285322

286323
/* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
287324
mld_zeroize(&state, sizeof(state));
325+
mld_zeroize(&buf, sizeof(buf));
288326
}
289327

290328
/* Reference: The reference implementation does not explicitly */

0 commit comments

Comments
 (0)