author | Peter Dettman <peter.dettman@bouncycastle.org> | 2023-03-21 13:15:17 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2023-03-21 13:15:17 +0700 |
commit | c39acb84ac19a97e2e5e91e9ba377b4443cd6a4a (patch) | |
tree | 395745924807bee483fa5d4b10c2569ffde4ebac | |
parent | Refactor MiscPemGenerator (diff) | |
BIKE: address side-channel vulnerability in ConvertToCompact()
-rw-r--r-- | crypto/src/pqc/crypto/bike/BikeEngine.cs | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/crypto/src/pqc/crypto/bike/BikeEngine.cs b/crypto/src/pqc/crypto/bike/BikeEngine.cs
index e96a38d3a..22559fb03 100644
--- a/crypto/src/pqc/crypto/bike/BikeEngine.cs
+++ b/crypto/src/pqc/crypto/bike/BikeEngine.cs
@@ -608,10 +608,14 @@ namespace Org.BouncyCastle.Pqc.Crypto.Bike
 if ((i * 8 + j) == this.r)
 break;
 
- if (((h[i] >> j) & 1) == 1)
- {
- compactVersion[count++] = i * 8 + j;
- }
+ int mask = (h[i] >> j) & 1;
+
+ // if mask == 1 compactVersion = (i * 8 + j)
+ // if mask == 0 compactVersion = compactVersion
+ compactVersion[count] = (i * 8 + j) & -mask | compactVersion[count] & ~-mask;
+
+ count += mask - hw;
+ count += (count >> 31) & hw;
 }
 }
 }
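Review bot: The index update `count += mask - hw; count += (count >> 31) & hw;` is an undocumented constant-time `count = (count + mask) mod hw`, and it quietly changes the failure mode: with more than hw bits set in h the old `compactVersion[count++]` threw IndexOutOfRangeException, while the new code wraps count to 0 and overwrites earlier entries. If any caller can reach this with a polynomial whose weight is not exactly hw (the callers are not visible from this hunk) that deserves an explicit check, and either way I would replace the two `// if mask ==` lines with one comment such as `// Branchless select: slot 'count' is always written (new value if the bit is set, its own value otherwise) and count advances modulo hw so the index never leaves the array.` The write address `compactVersion[count]` still depends on the secret bits, so this removes the data-dependent branch but not the data-dependent memory access (the array is only hw ints, so the leakage is at cache-line granularity at most), and the CLR JIT gives no guarantee that the `& -mask` selects stay branch-free. ConvertToCompact begins and ends outside this hunk.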