Removed "/KYBER_Q" in poly_compress and polyvec_compress; thanks to Prasanna Ravi and Matthias Kannwischer for pointing out that a DIV instruction could turn into a plaintext-checking oracle

cryptojedi · cryptojedi · commit 272125f6acc8 · 2023-12-30T06:37:10.000+01:00
diff --git a/ref/poly.c b/ref/poly.c
@@ -19,6 +19,7 @@ void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a)
 {
   unsigned int i,j;
   int16_t u;
+  uint32_t d0;
   uint8_t t[8];
 
 #if (KYBER_POLYCOMPRESSEDBYTES == 128)
@@ -27,7 +28,12 @@ void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a)
       // map to positive standard representatives
       u  = a->coeffs[8*i+j];
       u += (u >> 15) & KYBER_Q;
-      t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15;
+/*    t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */
+      d0 = u << 4;
+      d0 += 1665;
+      d0 *= 80635;
+      d0 >>= 28;
+      t[j] = d0 & 0xf;
     }
 
     r[0] = t[0] | (t[1] << 4);
@@ -42,7 +48,12 @@ void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a)
       // map to positive standard representatives
       u  = a->coeffs[8*i+j];
       u += (u >> 15) & KYBER_Q;
-      t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31;
+/*      t[j] = ((((uint32_t)u << 5) + KYBER_Q/2)/KYBER_Q) & 31; */
+      d0 = u << 5;
+      d0 += 1664;
+      d0 *= 40318;
+      d0 >>= 27;
+      t[j] = d0 & 0x1f;
     }
 
     r[0] = (t[0] >> 0) | (t[1] << 5);
diff --git a/ref/polyvec.c b/ref/polyvec.c
@@ -15,6 +15,7 @@
 void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a)
 {
   unsigned int i,j,k;
+  uint64_t d0;
 
 #if (KYBER_POLYVECCOMPRESSEDBYTES == (KYBER_K * 352))
   uint16_t t[8];
@@ -23,7 +24,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a)
       for(k=0;k<8;k++) {
         t[k]  = a->vec[i].coeffs[8*j+k];
         t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
-        t[k]  = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff;
+/*      t[k]  = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */
+        d0 = t[k];
+        d0 <<= 11;
+        d0 += 1664;
+        d0 *= 645084;
+        d0 >>= 31;
+        t[k] = d0 & 0x7ff;
       }
 
       r[ 0] = (t[0] >>  0);
@@ -47,7 +54,13 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a)
       for(k=0;k<4;k++) {
         t[k]  = a->vec[i].coeffs[4*j+k];
         t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
-        t[k]  = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff;
+/*      t[k]  = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */
+        d0 = t[k];
+        d0 <<= 10;
+        d0 += 1665;
+        d0 *= 1290167;
+        d0 >>= 32;
+        t[k] = d0 & 0x3ff;
       }
 
       r[0] = (t[0] >> 0);
diff --git a/ref/test_kyber.c b/ref/test_kyber.c
@@ -6,7 +6,7 @@
 
 #define NTESTS 1000
 
-static int test_keys()
+static int test_keys(void)
 {
   uint8_t pk[CRYPTO_PUBLICKEYBYTES];
   uint8_t sk[CRYPTO_SECRETKEYBYTES];
@@ -31,7 +31,7 @@ static int test_keys()
   return 0;
 }
 
-static int test_invalid_sk_a()
+static int test_invalid_sk_a(void)
 {
   uint8_t pk[CRYPTO_PUBLICKEYBYTES];
   uint8_t sk[CRYPTO_SECRETKEYBYTES];
@@ -59,7 +59,7 @@ static int test_invalid_sk_a()
   return 0;
 }
 
-static int test_invalid_ciphertext()
+static int test_invalid_ciphertext(void)
 {
   uint8_t pk[CRYPTO_PUBLICKEYBYTES];
   uint8_t sk[CRYPTO_SECRETKEYBYTES];
diff --git a/ref/test_speed.c b/ref/test_speed.c
@@ -16,7 +16,7 @@
 uint64_t t[NTESTS];
 uint8_t seed[KYBER_SYMBYTES] = {0};
 
-int main()
+int main(void)
 {
   unsigned int i;
   uint8_t pk[CRYPTO_PUBLICKEYBYTES];
diff --git a/runtests.sh b/runtests.sh
@@ -11,13 +11,13 @@ fi
 
 if [ "$ARCH" = "amd64" -o "$ARCH" = "arm64" ]; then
   export CC="clang"
-  export CFLAGS="-fsanitize=address,undefined ${CFLAGS}"
+#  export CFLAGS="-fsanitize=address,undefined ${CFLAGS}"
 fi
 
 for dir in $DIRS; do
   make -j$(nproc) -C $dir
   for alg in 512 768 1024 512-90s 768-90s 1024-90s; do
-    #valgrind --vex-guest-max-insns=25 ./$dir/test_kyber$alg
+    valgrind --vex-guest-max-insns=25 ./$dir/test_kyber$alg
     ./$dir/test_kyber$alg &
     PID1=$!
     ./$dir/test_kex$alg &

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`
`7`	`7`	`#define NTESTS 1000`
`8`	`8`
`9`		`-static int test_keys()`
	`9`	`+static int test_keys(void)`
`10`	`10`	`{`
`11`	`11`	`uint8_t pk[CRYPTO_PUBLICKEYBYTES];`
`12`	`12`	`uint8_t sk[CRYPTO_SECRETKEYBYTES];`
`@@ -31,7 +31,7 @@ static int test_keys()`
`31`	`31`	`return 0;`
`32`	`32`	`}`
`33`	`33`
`34`		`-static int test_invalid_sk_a()`
	`34`	`+static int test_invalid_sk_a(void)`
`35`	`35`	`{`
`36`	`36`	`uint8_t pk[CRYPTO_PUBLICKEYBYTES];`
`37`	`37`	`uint8_t sk[CRYPTO_SECRETKEYBYTES];`
`@@ -59,7 +59,7 @@ static int test_invalid_sk_a()`
`59`	`59`	`return 0;`
`60`	`60`	`}`
`61`	`61`
`62`		`-static int test_invalid_ciphertext()`
	`62`	`+static int test_invalid_ciphertext(void)`
`63`	`63`	`{`
`64`	`64`	`uint8_t pk[CRYPTO_PUBLICKEYBYTES];`
`65`	`65`	`uint8_t sk[CRYPTO_SECRETKEYBYTES];`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`uint64_t t[NTESTS];`
`17`	`17`	`uint8_t seed[KYBER_SYMBYTES] = {0};`
`18`	`18`
`19`		`-int main()`
	`19`	`+int main(void)`
`20`	`20`	`{`
`21`	`21`	`unsigned int i;`
`22`	`22`	`uint8_t pk[CRYPTO_PUBLICKEYBYTES];`