Remove potentially vartime (due to cache side-channel attacks) table access in dalek-ff-group and minimal-ed448

2025-12-08 04:09:23 +00:00 · 2024-10-27 08:51:19 -04:00
parent f3d20e60b3
commit d0201cf2e5
5 changed files with 41 additions and 5 deletions
--- a/crypto/dalek-ff-group/src/field.rs
+++ b/crypto/dalek-ff-group/src/field.rs
@@ -244,7 +244,16 @@ impl FieldElement {
            res *= res;
          }
        }
-        res *= table[usize::from(bits)];
+
+        let mut scale_by = FieldElement::ONE;
+        #[allow(clippy::needless_range_loop)]
+        for i in 0 .. 16 {
+          #[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
+          {
+            scale_by = <_>::conditional_select(&scale_by, &table[i], bits.ct_eq(&(i as u8)));
+          }
+        }
+        res *= scale_by;
        bits = 0;
      }
    }
--- a/crypto/dalek-ff-group/src/lib.rs
+++ b/crypto/dalek-ff-group/src/lib.rs
@@ -208,7 +208,16 @@ impl Scalar {
            res *= res;
          }
        }
-        res *= table[usize::from(bits)];
+
+        let mut scale_by = Scalar::ONE;
+        #[allow(clippy::needless_range_loop)]
+        for i in 0 .. 16 {
+          #[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
+          {
+            scale_by = <_>::conditional_select(&scale_by, &table[i], bits.ct_eq(&(i as u8)));
+          }
+        }
+        res *= scale_by;
        bits = 0;
      }
    }
--- a/crypto/ed448/src/backend.rs
+++ b/crypto/ed448/src/backend.rs
@@ -161,7 +161,16 @@ macro_rules! field {
                res *= res;
              }
            }
-            res *= table[usize::from(bits)];
+
+            let mut scale_by = $FieldName(Residue::ONE);
+            #[allow(clippy::needless_range_loop)]
+            for i in 0 .. 16 {
+              #[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
+              {
+                scale_by = <_>::conditional_select(&scale_by, &table[i], bits.ct_eq(&(i as u8)));
+              }
+            }
+            res *= scale_by;
            bits = 0;
          }
        }
--- a/crypto/ed448/src/point.rs
+++ b/crypto/ed448/src/point.rs
@@ -242,7 +242,16 @@ impl Mul<Scalar> for Point {
            res = res.double();
          }
        }
-        res += table[usize::from(bits)];
+
+        let mut add_by = Point::identity();
+        #[allow(clippy::needless_range_loop)]
+        for i in 0 .. 16 {
+          #[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
+          {
+            add_by = <_>::conditional_select(&add_by, &table[i], bits.ct_eq(&(i as u8)));
+          }
+        }
+        res += add_by;
        bits = 0;
      }
    }