divisions in the HAETAE reference code

D. J. Bernstein

Jun 21, 2024, 9:01:15 PM
to kpqc-b...@googlegroups.com
The function

int32_t fix_round(int32_t num) {
  num += (num >> 31) & (-LN + 1);
  num += LN / 2; // total \floor(LN / 2) if positive, -\floor(LN / 2) + 1 if negative
  return num / LN;
}

in the HAETAE reference code is called on secret inputs and can end up
using division instructions (see, e.g., https://godbolt.org/z/rEEcn89x6
saying "idiv"), presumably allowing timing attacks on some platforms.
For the HAETAE integration into SUPERCOP, I'm changing this to

int32_t fix_round(int32_t num) {
return (num + LNHALF) >> LNBITS;
}

with

#define LNHALF 4096
#define LNBITS 13

in params.h. The C standard doesn't define the behavior of right shifts
on negative integers, but SUPERCOP uses the -fwrapv option for gcc and
clang, and this option guarantees two's-complement right shifts.

---D. J. Bernstein
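
Added worked example (editor's addition; not from the thread, and not code from the HAETAE or SUPERCOP sources): the C below puts the quoted reference fix_round next to the shift-based replacement, checks that the two round identically on a bounded input range including the tie points +LN/2 and -LN/2, and tests at run time the arithmetic-shift property the replacement depends on. It also adds a third variant, written with unsigned arithmetic only, that gives the same result as the -fwrapv shift without relying on implementation-defined behavior; that variant is an addition here, not something proposed in the post. LN itself is not quoted in the post; LN = 8192 is assumed from LNBITS = 13 and LNHALF = 4096.

```c
#include <stdint.h>
#include <stdio.h>

/* LN is not spelled out in the post; LN = 8192 (= 2^LNBITS) is assumed here,
 * consistent with LNHALF = 4096 being LN / 2. */
#define LN 8192
#define LNHALF 4096
#define LNBITS 13

/* Reference-code rounding as quoted in the post. The final "/ LN" is a signed
 * division; the post's godbolt link shows a build where it becomes idiv, whose
 * latency varies with the operands, so secret inputs may leak through timing. */
static int32_t fix_round_div(int32_t num)
{
    num += (num >> 31) & (-LN + 1);
    num += LN / 2;
    return num / LN;
}

/* The SUPERCOP replacement from the post: add LN/2, then arithmetic-shift.
 * Correct only when >> on a negative int32_t is an arithmetic (sign-extending)
 * shift; gcc/clang with -fwrapv guarantee this, the C standard does not. */
static int32_t fix_round_shift(int32_t num)
{
    return (num + LNHALF) >> LNBITS;
}

/* Portable variant (an addition here, not from the post): the same value that
 * fix_round_shift produces under -fwrapv, computed with unsigned arithmetic
 * only, so there is no implementation-defined or undefined behaviour and still
 * no division. Identity used: for two's complement x, the arithmetic shift
 * x >> s equals the logical shift (x XOR 2^31) >> s minus 2^(31 - s). */
static int32_t fix_round_portable(int32_t num)
{
    uint32_t x = (uint32_t)num + (uint32_t)LNHALF;  /* wraps mod 2^32, like -fwrapv */
    uint32_t biased = (x ^ 0x80000000u) >> LNBITS;  /* floor(x / 2^LNBITS) + 2^(31 - LNBITS) */
    return (int32_t)biased - ((int32_t)1 << (31 - LNBITS));
}

/* Run-time check of the assumption fix_round_shift depends on. volatile keeps
 * the compiler from folding the expression. Returns 1 for an arithmetic shift,
 * 0 for a logical one. */
static int shift_is_arithmetic(void)
{
    volatile int32_t minus_one = -1;
    return (minus_one >> 1) == -1;
}

/* Count inputs in [lo, hi] on which the three versions disagree. The range has
 * to stay away from INT32_MIN and INT32_MAX: the reference version's own
 * additions overflow there (undefined without -fwrapv), and the versions then
 * legitimately differ. */
static long count_mismatches(int32_t lo, int32_t hi)
{
    long mismatches = 0;
    for (int64_t n = lo; n <= hi; n++) {
        int32_t a = fix_round_div((int32_t)n);
        int32_t b = fix_round_shift((int32_t)n);
        int32_t c = fix_round_portable((int32_t)n);
        if (a != b || b != c)
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    /* Tie points: +LN/2 rounds to 1 and -LN/2 rounds to 0, i.e. round half toward +inf. */
    printf("fix_round(%d) = %d, fix_round(%d) = %d\n",
           LNHALF, fix_round_div(LNHALF), -LNHALF, fix_round_div(-LNHALF));
    printf("arithmetic right shift on this compiler: %s\n",
           shift_is_arithmetic() ? "yes" : "no");
    printf("mismatches on [-2^22, 2^22]: %ld\n",
           count_mismatches(-(1 << 22), 1 << 22));
    return 0;
}
```

Compile the shift version with and without -fwrapv and look at the generated code for the three functions: all of them should be free of idiv, and the portable variant gives the same result on every input, including the wraparound cases near the int32 limits where the reference version's additions overflow.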

Georg Land

Jun 24, 2024, 8:39:00 AM
to KpqC-bulletin
Thanks Dan, 

we have fixed this internally. Soon, there will be an updated code release that fixes several issues that have been brought up in the past months and brings some additional improvements.

Best,
Georg