SLH-DSA: add comments about side channel issue

Signed-off-by: Stephan Mueller <smueller@chronox.de>

Author: smuellerDD

slh-dsa/src/sphincs_sign.c

@@ -276,6 +276,19 @@ LC_INTERFACE_FUNCTION(int, lc_sphincs_sign_ctx, struct lc_sphincs_sig *sig,
 	CKINT(f_ctx->fors_sign(sig->sigfors, ws->root, ws->mhash, &ctx_int,
 			       ws->wots_addr));
 
+	/*
+	 * Timecop:
+	 *
+	 * According to the original authors of the Sphincs+ code, ws->root
+	 * is a public information (see
+	 * https://github.com/sphincs/sphincsplus/issues/63#issuecomment-2694902727). This would imply we could call
+	 * unpoison(ws->root, sizeof(ws->root)); at this point which would
+	 * remove the Valgrind side channel complaints in the wots_gen_leaf
+	 * functions. However, we try to err on the conservative side and
+	 * do want to have as little side channels as possible. This implies
+	 * that conditional code dependent on the ws->root is replaced.
+	 */
+
 	for (i = 0; i < LC_SPX_D; i++) {
 		set_layer_addr(ws->tree_addr, i);
 		set_tree_addr(ws->tree_addr, ws->tree);

slh-dsa/src/sphincs_wotsx1.c

@@ -85,10 +85,25 @@ void wots_gen_leafx1(unsigned char *dest, const spx_ctx *ctx, uint32_t leaf_idx,
 
 		/* Iterate down the WOTS chain */
 		for (k = 0;; k++) {
-			/* Check if this is the value that needs to be saved as a */
-			/* part of the WOTS signature */
+			/*
+			 *Check if this is the value that needs to be saved as
+			 * a part of the WOTS signature.
+			 */
+
+			/*
+			 * The memcpy code path is from upstream but it is not
+			 * side-channel-free - it has side channels on the
+			 * ws->root (see lc_sphincs_sign_ctx).
+			 */
+#if 0
+			if (k == wots_k) {
+				memcpy(info->wots_sig + i * LC_SPX_N,
+				       buffer, LC_SPX_N);
+			}
+#else
 			cmov(info->wots_sig + i * LC_SPX_N, buffer, LC_SPX_N,
 			     k == wots_k);
+#endif
 
 			/* Check if we hit the top of the chain */
 			if (k == LC_SPX_WOTS_W - 1)