[PATCH 04/10] kyber: harden mask generation against branch optimization
Jussi Kivilinna
jussi.kivilinna at iki.fi
Sat Sep 27 09:54:13 CEST 2025
* cipher/kyber-kdep.c (polyvec_compress, polyvec_compress): Generate the
mask with a constant-time helper function.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna at iki.fi>
---
cipher/kyber-kdep.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cipher/kyber-kdep.c b/cipher/kyber-kdep.c
index e97e0c45..2fc0ea7b 100644
--- a/cipher/kyber-kdep.c
+++ b/cipher/kyber-kdep.c
@@ -571,7 +571,7 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a)
for(j=0;j<KYBER_N/8;j++) {
for(k=0;k<8;k++) {
t[k] = a->vec[i].coeffs[8*j+k];
- t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
+ t[k] += ct_ulong_gen_mask((uint16_t)t[k] >> 15) & KYBER_Q;
/* t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q/2)/KYBER_Q) & 0x7ff; */
d0 = t[k];
d0 <<= 11;
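Review bot: The reason for replacing the arithmetic-shift mask is not recorded next to the new `t[k] +=` line, so a later cleanup could fold it back into `((int16_t)t[k] >> 15) & KYBER_Q`, which a compiler is free to lower to a conditional add and thus a coefficient-dependent branch; a comment on that line in both hunks (here and in the KYBER_N/4 loop of the second hunk) would pin the intent, e.g. `/* Add KYBER_Q if the coefficient is negative; build the mask with the ct helper so the compiler cannot turn it into a branch. */`. The new expression relies on `ct_ulong_gen_mask` taking a 0/1 flag, since its argument is only the top bit of the 16-bit value; that presumably matches the helper's contract but is worth confirming against its definition. The `& KYBER_Q` now yields an `unsigned long` that is narrowed on the compound assignment to `t[k]`, which is harmless because KYBER_Q (3329) fits in 16 bits but may draw a -Wconversion warning where the old int16_t form did not. polyvec_compress begins and ends outside both hunks.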
@@ -602,7 +602,7 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a)
for(j=0;j<KYBER_N/4;j++) {
for(k=0;k<4;k++) {
t[k] = a->vec[i].coeffs[4*j+k];
- t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
+ t[k] += ct_ulong_gen_mask((uint16_t)t[k] >> 15) & KYBER_Q;
/* t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */
d0 = t[k];
d0 <<= 10;
--
2.48.1