bhess
commented
1 year ago Could you point to where the uint16_t to uint8_t casts occur in this repository?
It seems that the 16-bit nonces are used independent of endianness.
Closed smuellerDD closed 1 year ago
bhess
commented
1 year ago Could you point to where the uint16_t to uint8_t casts occur in this repository?
It seems that the 16-bit nonces are used independent of endianness.
cryptojedi
commented
1 year ago This is happening in symmetric-shake.c in functions dilithium_shake128_stream_init and dilithium_shake256_stream_init.
bhess
commented
1 year ago This is happening in symmetric-shake.c in functions dilithium_shake128_stream_init and dilithium_shake256_stream_init.
These look ok to me - also on big-endian:
The "leancrypto" library seems to cast the nonce to uint8_t*. The reported issue might apply only there:
smuellerDD
commented
1 year ago You are absolutely correct. The pq-crystals code correctly handles the nonce in the _init functions, i.e. there is no type cast. The leancrypto code requires the byteswap as it type casts it.
Sorry for the false bug report.
When using Dilithium on Big-Endian systems, the following functions perform a type cast from uint16_t to uint8_t. This type cast leads to wrong data and thus to wrong calculations:
polyvec_matrix_expand
polyvecl_uniform_eta
polyvecl_uniform_gamma1
polyveck_uniform_eta
For a fix, please see [1] for a working solution. [2] Shows the success of this change.
[1] https://github.com/smuellerDD/leancrypto/commit/f24f8f462cecef4fd0b31a08827e8f79599d128b
[2] https://build.opensuse.org/project/show/home:smuellerDD