Revision 7514870c4d84ec29840454cd29a8e6c2117ce40b authored by leonbotros on 30 September 2019, 11:58:39 UTC, committed by Matthias J. Kannwischer on 30 September 2019, 11:58:39 UTC
* fix inlined comparison * update documentation of indcpa_enc_cmp The `cmov` that is used in `crypto_kem_dec` to either derive the shared secret from the pre-key or the random `z` expects the `fail` input to be either 0 (if re-encryped ciphertext was the same as input ciphertext) or 1 (otherwise). We've inlined the comparison that used to be done by `verify` into `indcpa_enc` (renamed to `indcpa_enc_cmp`) to reduce the stack footprint. We made a small mistake in there so that it returned 0 in case of no failure and some other byte otherwise. This means that in case of a mismatch, cmov would write a mix of the pre-key and `z`. As this is hashed together with the ciphertext later this will still result in some shared secret different from the correct one, but this is not what you want.
1 parent b4fea3f
| File | Mode | Size |
|---|---|---|
| common | ||
| crypto_kem | ||
| crypto_sign | ||
| hostside | ||
| ldscripts | ||
| libopencm3 @ 8b1ac58 | ||
| mupq @ 7f6ec39 | ||
| .gitignore | -rw-r--r-- | 77 bytes |
| .gitmodules | -rw-r--r-- | 168 bytes |
| Makefile | -rw-r--r-- | 5.2 KB |
| README.md | -rw-r--r-- | 19.6 KB |
| benchmarks.csv | -rw-r--r-- | 37.4 KB |
| benchmarks.md | -rw-r--r-- | 58.9 KB |
| benchmarks.py | -rwxr-xr-x | 696 bytes |
| build_everything.py | -rwxr-xr-x | 232 bytes |
| convert_benchmarks.py | -rwxr-xr-x | 417 bytes |
| interface.py | -rw-r--r-- | 2.8 KB |
| requirements.txt | -rw-r--r-- | 14 bytes |
| test.py | -rwxr-xr-x | 228 bytes |
| testvectors.py | -rwxr-xr-x | 228 bytes |
Computing file changes ...
