Closed samuele-andreoli closed 4 years ago
The BIG comparison is not constant time. It should use a constant time implementation. For instance
/* sodium constant time implementation */ int BIG_XXX_comp(BIG_XXX a, BIG_XXX b) { int i; chunk gt=0; chunk eq=1; for (i = NLEN_XXX-1; i>=0; i--) { gt |= ((b[i]-a[i]) >> BASEBITS_XXX) & eq; eq &= ((b[i]^a[i])-1) >> BASEBITS_XXX; } return (int)(gt+gt+eq-1); }
Review the BIG implementation to make sure it is constant time
The BIG comparison is not constant time. It should use a constant time implementation. For instance
Review the BIG implementation to make sure it is constant time