From c39acb84ac19a97e2e5e91e9ba377b4443cd6a4a Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Tue, 21 Mar 2023 13:15:17 +0700
Subject: BIKE: address side-channel vulnerability in ConvertToCompact()

---
 crypto/src/pqc/crypto/bike/BikeEngine.cs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/crypto/src/pqc/crypto/bike/BikeEngine.cs b/crypto/src/pqc/crypto/bike/BikeEngine.cs
index e96a38d3a..22559fb03 100644
--- a/crypto/src/pqc/crypto/bike/BikeEngine.cs
+++ b/crypto/src/pqc/crypto/bike/BikeEngine.cs
@@ -608,10 +608,14 @@ namespace Org.BouncyCastle.Pqc.Crypto.Bike
                     if ((i * 8 + j) == this.r)
                         break;
 
-                    if (((h[i] >> j) & 1) == 1)
-                    {
-                        compactVersion[count++] = i * 8 + j;
-                    }
+                    int mask = (h[i] >> j) & 1;
+
+                    // if mask == 1 compactVersion = (i * 8 + j)
+                    // if mask == 0 compactVersion = compactVersion
+                    compactVersion[count] = (i * 8 + j) & -mask | compactVersion[count] & ~-mask;
+
+                    count += mask - hw;
+                    count += (count >> 31) & hw;
                 }
             }
         }
-- 
cgit 1.4.1
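Review bot: The two `count +=` lines keep `count` inside `[0, hw)` by wrapping to 0 once it reaches `hw`, which silently changes the failure mode: the removed `compactVersion[count++]` would have thrown `IndexOutOfRangeException` if `h` carried more than `hw` set bits, whereas the new code overwrites `compactVersion[0]` and later slots without any signal. That is the right trade for a branch-free loop, but the invariant it relies on is not stated; a comment such as `// branch-free: count stays in [0, hw) (wraps to 0 after the hw-th set bit); relies on weight(h) <= hw, which valid keys guarantee` above the first `count +=` would record it, and the precondition should be checked or documented wherever `h` and `hw` originate — `hw` and the enclosing method (its signature and the `for` loops) start outside this hunk, so I cannot see whether that already happens. As a point of style, the masked select mixes `&` and `|` with unary `-`/`~` and no grouping; `compactVersion[count] = ((i * 8 + j) & -mask) | (compactVersion[count] & ~-mask);` reads unambiguously and compiles to the same thing, and the two comments above it would be clearer as `// select (i * 8 + j) when mask == 1, keep compactVersion[count] when mask == 0`. Finally, `(count >> 31)` is an arithmetic shift on a signed `int`, so it yields -1 only when the preceding subtraction went negative; that is the intended sign-extraction trick, but a short note saying so would save the next reader from re-deriving it.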