constant time/side-channel improvements

dghgit · dghgit · commit 00eb3524552e · 2026-04-05T15:13:57.000+10:00
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/bike/BIKEEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/bike/BIKEEngine.java
@@ -212,7 +212,7 @@ public void decaps(byte[] k, byte[] h0, byte[] h1, byte[] sigma, byte[] c0, byte
 
         // 3. Compute K
         byte[] wlist = functionH(mPrime);
-        if (Arrays.areEqual(ePrimeBytes, 0, R2_BYTE, wlist, 0, R2_BYTE))
+        if (Arrays.constantTimeAreEqual(R2_BYTE, ePrimeBytes, 0, wlist, 0))
         {
             functionK(mPrime, c0, c1, k);
         }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/ntruplus/NTRUPlusEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/ntruplus/NTRUPlusEngine.java
@@ -930,13 +930,18 @@ public void crypto_kem_dec(byte[] ss, int ssPos, byte[] ct, int ctPos, byte[] sk
         fail |= verify(buf1, buf2, polyBytes);
 
         // Copy shared secret, zeroing on failure
-        if (fail != 0)
-        {
-            Arrays.fill(ss, (byte)0);
-        }
-        else
+        cmov(ss, buf3, ssPos, SSBytes, fail);
+    }
+
+    /* b = 0 means mov, b = 1 means don't mov*/
+    static void cmov(byte[] r, byte[] x, int x_offset, int len, int b)
+    {
+        int i;
+
+        b = (b - 1) & 0xff;
+        for (i = 0; i < len; i++)
         {
-            System.arraycopy(buf3, 0, ss, ssPos, SSBytes);
+            r[i] ^= b & (x[i + x_offset] ^ r[i]);
         }
     }
 }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/ntruprime/NTRULPRimeKEMExtractor.java b/core/src/main/java/org/bouncycastle/pqc/crypto/ntruprime/NTRULPRimeKEMExtractor.java
@@ -150,7 +150,7 @@ public byte[] extractSecret(byte[] encapsulation)
          * Match Ciphertext ct with input encapsulation
          * Update encR accordingly
          */
-        int mask = (Arrays.areEqual(encapsulation, ct)) ? 0 : -1;
+        int mask = (Arrays.constantTimeAreEqual(encapsulation, ct)) ? 0 : -1;
 
         /*
          * Update encR with Ciphertext diff mask
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/ntruprime/SNTRUPrimeKEMExtractor.java b/core/src/main/java/org/bouncycastle/pqc/crypto/ntruprime/SNTRUPrimeKEMExtractor.java
@@ -125,7 +125,7 @@ public byte[] extractSecret(byte[] encapsulation)
          * Match Ciphertext ct with input encapsulation
          * Update encR accordingly
          */
-        int mask = (Arrays.areEqual(encapsulation, ct)) ? 0 : -1;
+        int mask = (Arrays.constantTimeAreEqual(encapsulation, ct)) ? 0 : -1;
 
         /*
          * Update encR with Ciphertext diff mask

Original file line number	Diff line number	Diff line change
`@@ -212,7 +212,7 @@ public void decaps(byte[] k, byte[] h0, byte[] h1, byte[] sigma, byte[] c0, byte`
`212`	`212`
`213`	`213`	`// 3. Compute K`
`214`	`214`	`byte[] wlist = functionH(mPrime);`
`215`		`- if (Arrays.areEqual(ePrimeBytes, 0, R2_BYTE, wlist, 0, R2_BYTE))`
	`215`	`+ if (Arrays.constantTimeAreEqual(R2_BYTE, ePrimeBytes, 0, wlist, 0))`
`216`	`216`	`{`
`217`	`217`	`functionK(mPrime, c0, c1, k);`
`218`	`218`	`}`
Original file line number	Diff line number	Diff line change
`@@ -930,13 +930,18 @@ public void crypto_kem_dec(byte[] ss, int ssPos, byte[] ct, int ctPos, byte[] sk`
`930`	`930`	`fail \|= verify(buf1, buf2, polyBytes);`
`931`	`931`
`932`	`932`	`// Copy shared secret, zeroing on failure`
`933`		`- if (fail != 0)`
`934`		`- {`
`935`		`- Arrays.fill(ss, (byte)0);`
`936`		`- }`
`937`		`- else`
	`933`	`+ cmov(ss, buf3, ssPos, SSBytes, fail);`
	`934`	`+ }`
	`935`	`+`
	`936`	`+ /* b = 0 means mov, b = 1 means don't mov*/`
	`937`	`+ static void cmov(byte[] r, byte[] x, int x_offset, int len, int b)`
	`938`	`+ {`
	`939`	`+ int i;`
	`940`	`+`
	`941`	`+ b = (b - 1) & 0xff;`
	`942`	`+ for (i = 0; i < len; i++)`
`938`	`943`	`{`
`939`		`- System.arraycopy(buf3, 0, ss, ssPos, SSBytes);`
	`944`	`+ r[i] ^= b & (x[i + x_offset] ^ r[i]);`
`940`	`945`	`}`
`941`	`946`	`}`
`942`	`947`	`}`