Simplify toMsg

1div0 · Jun 6, 2024 · 1217919 · 1217919
1 parent b44ecfe
commit 1217919
Showing 1 changed file with 9 additions and 10 deletions.
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/Poly.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/Poly.java
@@ -261,6 +261,9 @@ public void fromBytes(byte[] inpBytes)
 
     public byte[] toMsg()
     {
+        int LOWER = KyberEngine.KyberQ >>> 2;
+        int UPPER = KyberEngine.KyberQ - LOWER;
+
         byte[] outMsg = new byte[KyberEngine.getKyberIndCpaMsgBytes()];
 
         this.conditionalSubQ();
@@ -270,16 +273,12 @@ public byte[] toMsg()
             outMsg[i] = 0;
             for (int j = 0; j < 8; j++)
             {
-//                short t = (short)(((((short)(this.getCoeffIndex(8 * i + j) << 1) + KyberEngine.KyberQ / 2) / KyberEngine.KyberQ) & 1));
-//                outMsg[i] |= (byte)(t << j);
-                // we've done it like this as there is a chance a division instruction might
-                // get generated introducing a timing signal on the secret input
-                int t = this.getCoeffIndex(8 * i + j) & 0xFFFF;
-                t <<= 1;
-                t += 1665;
-                t *= 80635;
-                t >>= 28;
-                t &= 1;
+                int c_j = this.getCoeffIndex(8 * i + j);
+
+                // KyberSlash: division by Q is not constant time.
+//                int t = (((c_j << 1) + (KyberEngine.KyberQ / 2)) / KyberEngine.KyberQ) & 1;
+                int t = ((LOWER - c_j) & (c_j - UPPER)) >>> 31;
+
                 outMsg[i] |= (byte)(t << j);
             }
         }