Remove potentially vartime (due to cache side-channel attacks) table …

…access in dalek-ff-group and minimal-ed448
serai-dex · Oct 27, 2024 · d0201cf · d0201cf
1 parent f3d20e6
commit d0201cf
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 5 deletions.
diff --git a/LICENSE b/LICENSE
@@ -5,4 +5,4 @@ a full copy of the AGPL-3.0 License is included in the root of this repository
 as a reference text. This copy should be provided with any distribution of a
 crate licensed under the AGPL-3.0, as per its terms.
 
-The GitHub actions (`.github/actions`) are licensed under the MIT license.
+The GitHub actions/workflows (`.github`) are licensed under the MIT license.
diff --git a/crypto/dalek-ff-group/src/field.rs b/crypto/dalek-ff-group/src/field.rs
@@ -244,7 +244,16 @@ impl FieldElement {
             res *= res;
           }
         }
-        res *= table[usize::from(bits)];
+
+        let mut scale_by = FieldElement::ONE;
+        #[allow(clippy::needless_range_loop)]
+        for i in 0 .. 16 {
+          #[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
+          {
+            scale_by = <_>::conditional_select(&scale_by, &table[i], bits.ct_eq(&(i as u8)));
+          }
+        }
+        res *= scale_by;
         bits = 0;
       }
     }

diff --git a/crypto/dalek-ff-group/src/lib.rs b/crypto/dalek-ff-group/src/lib.rs
@@ -208,7 +208,16 @@ impl Scalar {
             res *= res;
           }
         }
-        res *= table[usize::from(bits)];
+
+        let mut scale_by = Scalar::ONE;
+        #[allow(clippy::needless_range_loop)]
+        for i in 0 .. 16 {
+          #[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
+          {
+            scale_by = <_>::conditional_select(&scale_by, &table[i], bits.ct_eq(&(i as u8)));
+          }
+        }
+        res *= scale_by;
         bits = 0;
       }
     }

diff --git a/crypto/ed448/src/backend.rs b/crypto/ed448/src/backend.rs
@@ -161,7 +161,16 @@ macro_rules! field {
                 res *= res;
               }
             }
-            res *= table[usize::from(bits)];
+
+            let mut scale_by = $FieldName(Residue::ONE);
+            #[allow(clippy::needless_range_loop)]
+            for i in 0 .. 16 {
+              #[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
+              {
+                scale_by = <_>::conditional_select(&scale_by, &table[i], bits.ct_eq(&(i as u8)));
+              }
+            }
+            res *= scale_by;
             bits = 0;
           }
         }

diff --git a/crypto/ed448/src/point.rs b/crypto/ed448/src/point.rs
@@ -242,7 +242,16 @@ impl Mul<Scalar> for Point {
             res = res.double();
           }
         }
-        res += table[usize::from(bits)];
+
+        let mut add_by = Point::identity();
+        #[allow(clippy::needless_range_loop)]
+        for i in 0 .. 16 {
+          #[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
+          {
+            add_by = <_>::conditional_select(&add_by, &table[i], bits.ct_eq(&(i as u8)));
+          }
+        }
+        res += add_by;
         bits = 0;
       }
     }