
Commit 90a2202

committed
verify stack usage: reuse z/cp buffer
crypto_sign_verify_internal stack: 13568/18720/25120 Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
1 parent 5c3053b commit 90a2202


1 file changed

+15
-10
lines changed


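--- a/mldsa/src/sign.c
+++ b/mldsa/src/sign.c
@@ -786,9 +786,13 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
 MLD_ALIGN uint8_t mu[MLDSA_CRHBYTES];
 MLD_ALIGN uint8_t c[MLDSA_CTILDEBYTES];
 MLD_ALIGN uint8_t c2[MLDSA_CTILDEBYTES];
-mld_polyvecl z;
-mld_poly cp;
 mld_polyveck w1;
+union
+{
+mld_polyvecl z;
+mld_poly cp;
+} zcp;
+
 union
 {
 mld_polymat mat;
@@ -806,8 +810,8 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
 /* unpack rho part from public key */
 mld_memcpy(rho, pk, MLDSA_SEEDBYTES);
 
-mld_unpack_sig(c, &z, sig);
-if (mld_polyvecl_chknorm(&z, MLDSA_GAMMA1 - MLDSA_BETA))
+mld_unpack_sig(c, &zcp.z, sig);
+if (mld_polyvecl_chknorm(&zcp.z, MLDSA_GAMMA1 - MLDSA_BETA))
 {
 res = -1;
 goto cleanup;
@@ -831,18 +835,19 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
 }
 
 /* Matrix-vector multiplication; compute Az - c2^dt1 */
-mld_polyvecl_ntt(&z);
+mld_polyvecl_ntt(&zcp.z);
 mld_polyvec_matrix_expand(&mathtmpt1.mat, rho);
-mld_polyvec_matrix_pointwise_montgomery(&w1, &mathtmpt1.mat, &z);
+mld_polyvec_matrix_pointwise_montgomery(&w1, &mathtmpt1.mat, &zcp.z);
 
-mld_poly_challenge(&cp, c);
-mld_poly_ntt(&cp);
+mld_poly_challenge(&zcp.cp, c);
+mld_poly_ntt(&zcp.cp);
 
 /* unpack t1 part of public key */
 mld_unpack_pk(rho, &mathtmpt1.t1, pk);
 mld_polyveck_shiftl(&mathtmpt1.t1);
 mld_polyveck_ntt(&mathtmpt1.t1);
-mld_polyveck_pointwise_poly_montgomery(&mathtmpt1.tmp, &cp, &mathtmpt1.t1);
+mld_polyveck_pointwise_poly_montgomery(&mathtmpt1.tmp, &zcp.cp,
+&mathtmpt1.t1);
 mld_polyveck_sub(&w1, &mathtmpt1.tmp);
 mld_polyveck_reduce(&w1);
 mld_polyveck_invntt_tomont(&w1);
@@ -892,7 +897,7 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
 mld_zeroize(c, sizeof(c));
 mld_zeroize(c2, sizeof(c2));
 mld_zeroize(&mathtmpt1, sizeof(mathtmpt1));
-mld_zeroize(&z, sizeof(z));
+mld_zeroize(&zcp, sizeof(zcp));
 mld_zeroize(&w1, sizeof(w1));
 return res;
 }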
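Review bot: The new `zcp` union in the first hunk is only sound because `z` is dead before `cp` is written, but nothing at the declaration records that invariant, so a later edit that touches `zcp.z` after `mld_poly_challenge(&zcp.cp, c)` would silently read challenge coefficients as the signature vector. Add a comment on the union, e.g. `/* z and cp share storage: z is fully consumed by the matrix-vector multiplication above before the challenge cp is computed; never use zcp.z after mld_poly_challenge(). */`. The visible hunks respect that order (the last use of `zcp.z` is the `mld_polyvec_matrix_pointwise_montgomery` call, before the challenge), but the function body between the third and fourth hunks, and before the first, is outside this page, so I could not confirm there is no other use of `z` there. The `mld_zeroize(&zcp, sizeof(zcp))` in the cleanup hunk is fine: `sizeof` of the union is its largest member, so both aliases are cleared.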
