Fixed secret-dependent branch in poly_fromsg (#46)

mkannwischer · web-flow · commit c921ed6f485e · 2024-06-11T18:38:34.000+08:00
See pq-crystals/kyber@9b8d306 See https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU/m/cnE3pbueBgAJ Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
diff --git a/mlkem/poly.c b/mlkem/poly.c
@@ -6,6 +6,7 @@
 #include "reduce.h"
 #include "cbd.h"
 #include "symmetric.h"
+#include "verify.h"
 
 /*************************************************
 * Name:        poly_compress
@@ -433,16 +434,15 @@ void poly_frombytes_basemul_montgomery(poly *r, const poly *b, const unsigned ch
 **************************************************/
 void poly_frommsg(poly *r, const uint8_t msg[MLKEM_INDCPA_MSGBYTES]) {
     unsigned int i, j;
-    int16_t mask;
 
     #if (MLKEM_INDCPA_MSGBYTES != MLKEM_N/8)
 #error "MLKEM_INDCPA_MSGBYTES must be equal to MLKEM_N/8 bytes!"
     #endif
 
     for (i = 0; i < MLKEM_N / 8; i++) {
         for (j = 0; j < 8; j++) {
-            mask = -(int16_t)((msg[i] >> j) & 1);
-            r->coeffs[8 * i + j] = mask & ((MLKEM_Q + 1) / 2);
+            r->coeffs[8 * i + j] = 0;
+            cmov_int16(r->coeffs + 8 * i + j, ((MLKEM_Q + 1) / 2), (msg[i] >> j) & 1);
         }
     }
 }
diff --git a/mlkem/verify.c b/mlkem/verify.c
@@ -46,3 +46,19 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) {
         r[i] ^= b & (r[i] ^ x[i]);
     }
 }
+
+/*************************************************
+* Name:        cmov_int16
+*
+* Description: Copy input v to *r if b is 1, don't modify *r if b is 0.
+*              Requires b to be in {0,1};
+*              Runs in constant time.
+*
+* Arguments:   int16_t *r:       pointer to output int16_t
+*              int16_t v:        input int16_t
+*              uint8_t b:        Condition bit; has to be in {0,1}
+**************************************************/
+void cmov_int16(int16_t *r, int16_t v, uint16_t b) {
+    b = -b;
+    *r ^= b & ((*r) ^ v);
+}
diff --git a/mlkem/verify.h b/mlkem/verify.h
@@ -13,4 +13,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov MLKEM_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 MLKEM_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif
