Constant-time GF multiplication
2 files changed, 29 insertions, 39 deletions
diff --git a/crypto/src/crypto/digests/DSTU7564Digest.cs b/crypto/src/crypto/digests/DSTU7564Digest.cs
index 3531bf589..c3b027a17 100644
--- a/crypto/src/crypto/digests/DSTU7564Digest.cs
+++ b/crypto/src/crypto/digests/DSTU7564Digest.cs
@@ -17,7 +17,6 @@ namespace Org.BouncyCastle.Crypto.Digests
public class Dstu7564Digest : IDigest, IMemoable
{
private const int ROWS = 8;
- private const int REDUCTION_POLYNOMIAL = 0x011d;
private const int BITS_IN_BYTE = 8;
private const int NB_512 = 8; //Number of 8-byte words in state for <=256-bit hash code.
@@ -316,28 +315,24 @@ namespace Org.BouncyCastle.Crypto.Digests
private static byte MultiplyGF(byte x, byte y)
{
- int i;
- byte r = 0;
- byte hbit = 0;
- for (i = 0; i < BITS_IN_BYTE; ++i)
- {
- if ((y & 0x1) == 1)
- {
- r ^= x;
- }
+ // REDUCTION_POLYNOMIAL = 0x011d; /* x^8 + x^4 + x^3 + x^2 + 1 */
- hbit = (byte)(x & 0x80);
+ uint u = x, v = y;
+ uint r = u & (0U - (v & 1));
- x <<= 1;
+ for (int i = 1; i < BITS_IN_BYTE; i++)
+ {
+ u <<= 1;
+ v >>= 1;
+ r ^= u & (0U - (v & 1));
+ }
- if (hbit == 0x80)
- {
- x = (byte)((int)x ^ REDUCTION_POLYNOMIAL);
- }
+ uint hi = r & 0xFF00U;
+ r ^= hi ^ (hi >> 4) ^ (hi >> 5) ^ (hi >> 6) ^ (hi >> 8);
+ hi = r & 0x0F00U;
+ r ^= hi ^ (hi >> 4) ^ (hi >> 5) ^ (hi >> 6) ^ (hi >> 8);
- y >>= 1;
- }
- return r;
+ return (byte)r;
}
private void MixColumns(byte[][] state)
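Review bot: The mask `0U - (v & 1)` on `uint r = u & (0U - (v & 1));` and `r ^= u & (0U - (v & 1));` depends on unsigned wrap-around, which throws OverflowException if this code is ever compiled or enclosed in a checked context; writing it as `unchecked(0U - (v & 1))` makes the intent explicit and keeps the branch-free form safe regardless of project settings. The shift amounts 4, 5, 6 and 8 in the two fold lines are the terms of the reduction polynomial, but nothing says so; a comment such as `// x^8 = x^4 + x^3 + x^2 + 1, so each high bit folds into the positions 4, 5, 6 and 8 below it` and, before the second fold, `// the first fold can only leave carries in bits 8..11, so one pass on 0x0F00 finishes` would let a reader verify the second mask without re-deriving it. Since constant-time evaluation is the point of the commit, a one-line comment stating that the loop is fixed-trip and branch-free on purpose would guard against a later cleanup turning the mask back into an `if`. The same applies to the identical copy in Dstu7624Engine.cs.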
diff --git a/crypto/src/crypto/engines/Dstu7624Engine.cs b/crypto/src/crypto/engines/Dstu7624Engine.cs
index cdb0f50e0..3ae3ef3f8 100644
--- a/crypto/src/crypto/engines/Dstu7624Engine.cs
+++ b/crypto/src/crypto/engines/Dstu7624Engine.cs
@@ -16,8 +16,6 @@ namespace Org.BouncyCastle.Crypto.Engines
private static readonly int BITS_IN_WORD = 64;
private static readonly int BITS_IN_BYTE = 8;
- private static readonly int REDUCTION_POLYNOMIAL = 0x011d; /* x^8 + x^4 + x^3 + x^2 + 1 */
-
private ulong[] internalState;
private ulong[] workingKey;
private ulong[][] roundKeys;
@@ -495,29 +493,26 @@ namespace Org.BouncyCastle.Crypto.Engines
}
}
- private byte MultiplyGF(byte x, byte y)
+ private static byte MultiplyGF(byte x, byte y)
{
- byte r = 0;
- byte hbit = 0;
+ // REDUCTION_POLYNOMIAL = 0x011d; /* x^8 + x^4 + x^3 + x^2 + 1 */
- for (int i = 0; i < BITS_IN_BYTE; i++)
- {
- if ((y & 0x01) == 1)
- {
- r ^= x;
- }
+ uint u = x, v = y;
+ uint r = u & (0U - (v & 1));
- hbit = (byte)(x & 0x80);
+ for (int i = 1; i < BITS_IN_BYTE; i++)
+ {
+ u <<= 1;
+ v >>= 1;
+ r ^= u & (0U - (v & 1));
+ }
- x <<= 1;
+ uint hi = r & 0xFF00U;
+ r ^= hi ^ (hi >> 4) ^ (hi >> 5) ^ (hi >> 6) ^ (hi >> 8);
+ hi = r & 0x0F00U;
+ r ^= hi ^ (hi >> 4) ^ (hi >> 5) ^ (hi >> 6) ^ (hi >> 8);
- if (hbit == 0x80)
- {
- x = (byte)((int)x ^ REDUCTION_POLYNOMIAL);
- }
- y >>= 1;
- }
- return r;
+ return (byte)r;
}
private void SubBytes()
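Review bot: The fold-based reduction is equivalent to the removed bit-serial loop only by a derivation that is not visible in the code, and the commit adds no test covering it; an exhaustive check of all 256×256 byte pairs against the previous implementation (or a reference GF(2^8) multiply with the 0x11d polynomial) in the test suite would pin the behaviour for well under a second of runtime. This method and the one in DSTU7564Digest.cs are now byte-identical private static helpers, so a single shared internal helper would keep future fixes from diverging, though that may be wider in scope than this commit intends. MultiplyGF is complete within the hunk.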