sharpetronics/liboqs
1
0
Fork 0
mirror of https://github.com/open-quantum-safe/liboqs.git synced 2025-10-04 00:02:01 -04:00
Code Issues Projects Releases Wiki Activity

Fix BIKE constant-time errors (#1632)

Browse Source 
* Document BIKE CT issues

* Document / fix BIKE constant-time errors

* Revert "< 64" comparison change

* Add and use secure_cmpeq64_mask function

* Remove unnecessary static_assert
This commit is contained in:
Spencer Wilson 2024-01-02 09:40:34 -05:00 committed by GitHub
parent 6982f4c28f
commit acac4e998a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 24 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/kem/bike/additional_r4/decode_portable.c
View File

@ -37,7 +37,6 @@ rotr_big(OUT syndrome_t *out, IN const syndrome_t *in, IN size_t qw_num)
_INLINE_ void
rotr_small(OUT syndrome_t *out, IN const syndrome_t *in, IN const size_t bits)
{
bike_static_assert(bits < 64, rotr_small_err);
bike_static_assert(sizeof(*out) > (8 * R_QWORDS), rotr_small_qw_err);
// Convert |bits| to 0/1 by using !!bits; then create a mask of 0 or

17
src/kem/bike/additional_r4/gf2x_mul_base_portable.c
View File

@ -41,14 +41,23 @@ void gf2x_mul_base_port(OUT uint64_t *c,
u[7] = u[6] ^ b0m;
// Step 2: Multiply two elements in parallel in positions i, i+s
l = u[LSB3(a0)] ^ (u[LSB3(a0 >> 3)] << 3);
h = (u[LSB3(a0 >> 3)] >> 61);
for (size_t i = 0; i < 8; ++i) {
// use a mask for secret-independent memory access
l ^= u[i] & secure_cmpeq64_mask(LSB3(a0), i);
l ^= (u[i] << 3) & secure_cmpeq64_mask(LSB3(a0 >> 3), i);
h ^= (u[i] >> 61) & secure_cmpeq64_mask(LSB3(a0 >> 3), i);
}
for(size_t i = (2 * s); i < w; i += (2 * s)) {
const size_t i2 = (i + s);
g1 = u[LSB3(a0 >> i)];
g2 = u[LSB3(a0 >> i2)];
g1 = 0;
g2 = 0;
for (size_t j = 0; j < 8; ++j) {
// use a mask for secret-independent memory access
g1 ^= u[j] & secure_cmpeq64_mask(LSB3(a0 >> i), j);
g2 ^= u[j] & secure_cmpeq64_mask(LSB3(a0 >> i2), j);
}
l ^= (g1 << i) ^ (g2 << i2);
h ^= (g1 >> (w - i)) ^ (g2 >> (w - i2));

5
src/kem/bike/additional_r4/utilities.h
View File

@ -138,6 +138,11 @@ _INLINE_ uint32_t secure_l32_mask(IN const uint32_t v1, IN const uint32_t v2)
#endif
}
// Return (-1) if v1 == v2, 0 otherwise
_INLINE_ uint64_t secure_cmpeq64_mask(IN const uint64_t v1, IN const uint64_t v2) {
return -(1 - ((uint64_t)((v1-v2) | (v2-v1)) >> 63));
}
// bike_memcpy avoids the undefined behaviour of memcpy when byte_len=0
_INLINE_ void *bike_memcpy(void *dst, const void *src, size_t byte_len)
{

6
tests/constant_time/kem/passes/bike
View File

@ -16,3 +16,9 @@
fun:_mm256_srli_epi64
fun:OQS_KEM_bike_*_rotate256_small
}
{
Setting bits in a secret error vector
Memcheck:Cond
src:sampling_portable.c:44 # fun:OQS_KEM_bike_*_secure_set_bits_port
}