tkn20,kyber,x25519,x448: plug constant-time leaks

In particular leaking z in kyber could be quite damaging: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/SJ31w0QSmIM/m/XgdBgh3wAwAJ The changes to x25519 and x448 are unlikely to be needed, but it's more idiomatic at least.
cloudflare · Mar 14, 2023 · 588a0e8 · 588a0e8
1 parent a5c5796
commit 588a0e8
Show file tree

Hide file tree

Showing 10 changed files with 22 additions and 15 deletions.
diff --git a/abe/cpabe/tkn20/internal/tkn/tk.go b/abe/cpabe/tkn20/internal/tkn/tk.go
@@ -3,7 +3,7 @@
 package tkn
 
 import (
-	"bytes"
+	"crypto/subtle"
 	"encoding/binary"
 	"fmt"
 	"io"
@@ -181,7 +181,8 @@ func (s *SecretParams) UnmarshalBinary(data []byte) error {
 
 func (s *SecretParams) Equal(s2 *SecretParams) bool {
 	return s.a.Equal(s2.a) && s.wtA.Equal(s2.wtA) && s.bstar.Equal(s2.bstar) &&
-		s.bstar12.Equal(s2.bstar12) && s.k.Equal(s2.k) && bytes.Equal(s.prfKey, s2.prfKey)
+		s.bstar12.Equal(s2.bstar12) && s.k.Equal(s2.k) &&
+		subtle.ConstantTimeCompare(s.prfKey, s2.prfKey) == 1
 }
 
 type AttributesKey struct {

diff --git a/dh/x25519/key.go b/dh/x25519/key.go
@@ -22,11 +22,11 @@ func (k *Key) clamp(in *Key) *Key {
 // isValidPubKey verifies if the public key is not a low-order point.
 func (k *Key) isValidPubKey() bool {
 	fp.Modp((*fp.Elt)(k))
-	isLowOrder := false
+	var isLowOrder int
 	for _, P := range lowOrderPoints {
-		isLowOrder = isLowOrder || subtle.ConstantTimeCompare(P[:], k[:]) != 0
+		isLowOrder |= subtle.ConstantTimeCompare(P[:], k[:])
 	}
-	return !isLowOrder
+	return isLowOrder == 0
 }
 
 // KeyGen obtains a public key given a secret key.

diff --git a/dh/x448/key.go b/dh/x448/key.go
@@ -22,11 +22,11 @@ func (k *Key) clamp(in *Key) *Key {
 // isValidPubKey verifies if the public key is not a low-order point.
 func (k *Key) isValidPubKey() bool {
 	fp.Modp((*fp.Elt)(k))
-	isLowOrder := false
+	var isLowOrder int
 	for _, P := range lowOrderPoints {
-		isLowOrder = isLowOrder || subtle.ConstantTimeCompare(P[:], k[:]) != 0
+		isLowOrder |= subtle.ConstantTimeCompare(P[:], k[:])
 	}
-	return !isLowOrder
+	return isLowOrder == 0
 }
 
 // KeyGen obtains a public key given a secret key.

diff --git a/kem/kyber/kyber1024/kyber.go b/kem/kyber/kyber1024/kyber.go
diff --git a/kem/kyber/kyber512/kyber.go b/kem/kyber/kyber512/kyber.go
diff --git a/kem/kyber/kyber768/kyber.go b/kem/kyber/kyber768/kyber.go
diff --git a/kem/kyber/templates/pkg.templ.go b/kem/kyber/templates/pkg.templ.go
diff --git a/pke/kyber/kyber1024/internal/cpapke.go b/pke/kyber/kyber1024/internal/cpapke.go
diff --git a/pke/kyber/kyber512/internal/cpapke.go b/pke/kyber/kyber512/internal/cpapke.go
@@ -1,6 +1,8 @@
 package internal
 
 import (
+	"crypto/subtle"
+
 	"github.com/cloudflare/circl/internal/sha3"
 	"github.com/cloudflare/circl/pke/kyber/internal/common"
 )
@@ -170,5 +172,5 @@ func (sk *PrivateKey) Equal(other *PrivateKey) bool {
 			ret |= sk.sh[i][j] ^ other.sh[i][j]
 		}
 	}
-	return ret == 0
+	return subtle.ConstantTimeEq(int32(ret), 0) == 1
 }
diff --git a/pke/kyber/kyber768/internal/cpapke.go b/pke/kyber/kyber768/internal/cpapke.go