author | David Hook <dgh@cryptoworkshop.com> | 2023-12-16 14:36:25 +1100 |
---|---|---|
committer | David Hook <dgh@cryptoworkshop.com> | 2023-12-16 14:36:25 +1100 |
commit | b5778051afed26d4ece8e71b23e922fa967b93d7 (patch) | |
tree | 1b4af678eae3a6384a732417efe44a516088578a | |
parent | Merge branch 'nuget_license' (diff) | |
@cryspan patch from Kyber standard branch - possible timing issue.
-rw-r--r-- | crypto/src/pqc/crypto/crystals/kyber/Poly.cs | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/crypto/src/pqc/crypto/crystals/kyber/Poly.cs b/crypto/src/pqc/crypto/crystals/kyber/Poly.cs
index db996f41a..b724d2cab 100644
--- a/crypto/src/pqc/crypto/crystals/kyber/Poly.cs
+++ b/crypto/src/pqc/crypto/crystals/kyber/Poly.cs
@@ -215,8 +215,17 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber
 msg[i] = 0;
 for (int j = 0; j < 8; j++)
 {
- short t = (short)(((((short)(Coeffs[8 * i + j] << 1) + KyberEngine.Q / 2) / KyberEngine.Q) & 1));
- msg[i] |= (byte)(t << j);
+ // short t = (short)(((((short)(Coeffs[8 * i + j] << 1) + KyberEngine.Q / 2) / KyberEngine.Q) & 1));
+ // msg[i] |= (byte)(t << j);
+ // we've done it like this as there is a chance a division instruction might
+ // get generated introducing a timing signal on the secret input
+ int t = Coeffs[8 * i + j] & 0xFFFF;
+ t <<= 1;
+ t += 1665;
+ t *= 80635;
+ t >>= 28;
+ t &= 1;
+ outMsg[i] |= (byte)(t << j);
 }
 }
 }
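Review bot: The last added line writes to `outMsg[i]`, while the unchanged context line at the top of the hunk still clears `msg[i]`; unless `outMsg` is a second array in scope (the enclosing method's signature lies outside the hunk), this either fails to compile or leaves the buffer that was just zeroed untouched, so the line should presumably read `msg[i] |= (byte)(t << j);`. The first two added lines keep the old expression as commented-out dead code; the explanatory comment alone, with the constants named, would read better, e.g. `// 1665 = (Q+1)/2 and 80635 ≈ 2^28/Q: branch-free rounding of 2*coeff/Q that avoids a division the JIT might emit as a variable-time instruction on secret data`. Note also that `& 0xFFFF` reinterprets a negative coefficient as its unsigned 16-bit value, so the caller's reduction of Coeffs into [0, Q) appears to be a precondition worth stating in that comment.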