Improve Dilithium, LMS, SPHINCS+'s constant time behavior

Signed-off-by: Alexander Scheel <[email protected]>
pgpainless · May 30, 2024 · 467ca1e · 467ca1e
1 parent 7f49a54
commit 467ca1e
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 18 deletions.
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumEngine.java
@@ -536,14 +536,7 @@ public boolean signVerify(byte[] sig, int siglen, byte[] msg, int msglen, byte[]
         // Helper.printByteArray(c2);
 
 
-        for (int i = 0; i < DilithiumCTilde; ++i)
-        {
-            if (c[i] != c2[i])
-            {
-                return false;
-            }
-        }
-        return true;
+        return Arrays.constantTimeAreEqual(c, c2);
     }
 
     public boolean signOpen(byte[] msg, byte[] signedMsg, int signedMsglen, byte[] rho, byte[] t1)

diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPublicKeyParameters.java
@@ -136,7 +136,7 @@ public LMSContext generateLMSContext(byte[] sigEnc)
 
     public boolean verify(LMSContext context)
     {
-        boolean failed = false;
+        boolean passed = true;
 
         LMSSignedPubKey[] sigKeys = context.getSignedPubKeys();
 
@@ -151,13 +151,10 @@ public boolean verify(LMSContext context)
         {
             LMSSignature sig = sigKeys[i].getSignature();
             byte[] msg = sigKeys[i].getPublicKey().toByteArray();
-            if (!LMS.verifySignature(key, sig, msg))
-            {
-                failed = true;
-            }
+            passed &= LMS.verifySignature(key, sig, msg);
             key = sigKeys[i].getPublicKey();
         }
 
-        return !failed & key.verify(context);
+        return passed & key.verify(context);
     }
 }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincs/SPHINCS256Signer.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincs/SPHINCS256Signer.java
@@ -406,13 +406,12 @@ boolean verify(HashFunctions hs, byte[] m, byte[] sm, byte[] pk)
             smlen -= SPHINCS256Config.SUBTREE_HEIGHT * SPHINCS256Config.HASH_BYTES;
         }
 
+        // Because we use custom offsets on tpk, rather than incurring an
+        // expensive copy, we use a manual constant time comparison.
         boolean verified = true;
         for (i = 0; i < SPHINCS256Config.HASH_BYTES; i++)
         {
-            if (root[i] != tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES])
-            {
-                verified = false;
-            }
+            verified &= root[i] == tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES];
         }
 
         return verified;