From 390826690a51c5a73c94c416d47907274c224b7b Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Wed, 10 Jan 2024 16:12:10 +0100
Subject: [PATCH 1/3] bugfix:Update poly.go to protect against KyberSlash

As from issue #19 replace division with fixed-time operators.
---
crystals-kyber/poly.go | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index c859477..eadaecf 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -162,16 +162,22 @@ func polyFromMsg(msg []byte) Poly {
return p
}

-//polyToMsg converts a polynomial to a byte array
+//polyToMsg converts a polynomial to a byte array - fixed against https://kyberslash.cr.yp.to/faq.html
func polyToMsg(p Poly) []byte {
msg := make([]byte, 32)
- var t uint16
+ //var t uint16
+ var t uint32
var tmp byte
p.reduce()
for i := 0; i < n/8; i++ {
tmp = 0
for j := 0; j < 8; j++ {
- t = (((uint16(p[8*i+j]) << 1) + uint16(q/2)) / uint16(q)) & 1
+ //t = (((uint16(p[8*i+j]) << 1) + uint16(q/2)) / uint16(q)) & 1
+ t <<= 1
+ t += 1665
+ t *= 80635
+ t >>= 28
+ t &= 1
tmp |= byte(t << j)
}
msg[i] = tmp
From 026dfbcefbaf1e81b6300d0c39c1559d2d3bfc0b Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Wed, 10 Jan 2024 16:35:05 +0100
Subject: [PATCH 2/3] Update poly.go

---
crystals-kyber/poly.go | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index eadaecf..f2922da 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
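Review bot: The new side never loads the coefficient: the first added statement `t <<= 1` operates on whatever `t` held after the previous iteration's `t &= 1` (or the initial zero), so `p[8*i+j]` is no longer read and with t starting at 0 the chain gives (1665*80635)>>28 = 0 on every pass, i.e. polyToMsg returns 32 zero bytes for any input. The removed line read `uint16(p[8*i+j])`; the branchless form needs `t = uint32(p[8*i+j])` immediately before the shift (patch 3/3 in this series does add that line). A unit test comparing the new expression against `((2*t + q/2) / q) & 1` for every t in [0, q), plus a polyFromMsg/polyToMsg round trip, would turn this kind of silent all-zero output into a failing build. The closing braces and `return msg` of polyToMsg lie outside the hunk.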
@@ -165,19 +165,19 @@ func polyFromMsg(msg []byte) Poly {
//polyToMsg converts a polynomial to a byte array - fixed against https://kyberslash.cr.yp.to/faq.html
func polyToMsg(p Poly) []byte {
msg := make([]byte, 32)
- //var t uint16
- var t uint32
+ var t uint16
+ //var t uint32
var tmp byte
p.reduce()
for i := 0; i < n/8; i++ {
tmp = 0
for j := 0; j < 8; j++ {
- //t = (((uint16(p[8*i+j]) << 1) + uint16(q/2)) / uint16(q)) & 1
- t <<= 1
- t += 1665
- t *= 80635
- t >>= 28
- t &= 1
+ t = (((uint16(p[8*i+j]) << 1) + uint16(q/2)) / uint16(q)) & 1
+ //t <<= 1
+ //t += 1665
+ //t *= 80635
+ //t >>= 28
+ //t &= 1
tmp |= byte(t << j)
}
msg[i] = tmp
From 2c751b9bc9d7677897b667116b45c36638b2c6c3 Mon Sep 17 00:00:00 2001
From: "Tommaso Gagliardoni (Kudelski Security)" <80652589+tgkudelski@users.noreply.github.com>
Date: Wed, 10 Jan 2024 16:46:25 +0100
Subject: [PATCH 3/3] Update poly.go

---
crystals-kyber/poly.go | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/crystals-kyber/poly.go b/crystals-kyber/poly.go
index f2922da..1d19a70 100644
--- a/crystals-kyber/poly.go
+++ b/crystals-kyber/poly.go
@@ -165,19 +165,20 @@ func polyFromMsg(msg []byte) Poly {
//polyToMsg converts a polynomial to a byte array - fixed against https://kyberslash.cr.yp.to/faq.html
func polyToMsg(p Poly) []byte {
msg := make([]byte, 32)
- var t uint16
- //var t uint32
+ //var t uint16
+ var t uint32
var tmp byte
p.reduce()
for i := 0; i < n/8; i++ {
tmp = 0
for j := 0; j < 8; j++ {
- t = (((uint16(p[8*i+j]) << 1) + uint16(q/2)) / uint16(q)) & 1
- //t <<= 1
- //t += 1665
- //t *= 80635
- //t >>= 28
- //t &= 1
+ //t = (((uint16(p[8*i+j]) << 1) + uint16(q/2)) / uint16(q)) & 1
+ t = uint32(p[8*i+j])
+ t <<= 1
+ t += 1665
+ t *= 80635
+ t >>= 28
+ t &= 1
tmp |= byte(t << j)
}
msg[i] = tmp
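Review bot: The new side of this hunk puts `/ uint16(q)` back, so patch 2/3 on its own leaves polyToMsg in exactly the secret-dependent-division state the series exists to remove; anyone checking out or bisecting to this commit gets the KyberSlash-vulnerable code. Since patch 3/3 re-removes it, the three patches should be squashed into one so the branch history never carries a revision where the leak is present. The function's closing braces and `return msg` are outside the hunk.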
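Review bot: The final new side keeps the old declaration and the division as commented-out code (`//var t uint16`, `//t = (((uint16(p[8*i+j]) << 1) + uint16(q/2)) / uint16(q)) & 1`); delete those lines and explain the constants instead, e.g. `// Branchless ((2t + q/2) / q) & 1 with no DIV (KyberSlash): 80635 ≈ 2^28/q, 1665 = q/2 rounded up; exact for t in [0, q), and (2*3328+1665)*80635 fits in uint32.` That identity only holds for canonical coefficients, so it relies on `p.reduce()` leaving every entry in [0, q); if the coefficient type is signed and reduce can yield negatives, `uint32(p[8*i+j])` wraps to a huge value and the bit is wrong — the upstream reference fix applies a sign correction before the shift, so this is worth confirming against reduce(). Constant multiplication is constant-time on mainstream x86/ARM cores but not on every microcontroller, and a comment stating that assumption would help downstream users. A table test comparing this expression with the division for all 3329 inputs, plus a polyFromMsg/polyToMsg round trip, would have caught the missing coefficient load in patch 1/3 and guards against the same slip in future refactors. The loop's closing braces and `return msg` lie outside the hunk.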