tst

Signed-off-by: Matthias J. Kannwischer <[email protected]>

Author: mkannwischer

.github/actions/ct-test/action.yml

@@ -41,4 +41,4 @@ runs:
       - shell: ${{ env.SHELL }}
         run: |
           make clean
-          tests func --exec-wrapper="valgrind --error-exitcode=1 ${{ inputs.valgrind_flags }}" --cflags="-DMLD_CONFIG_CT_TESTING_ENABLED -DNTESTS=5 ${{ inputs.cflags }}"
+          tests func --exec-wrapper="valgrind --error-exitcode=1 ${{ inputs.valgrind_flags }}" --cflags="-DMLD_CONFIG_CT_TESTING_ENABLED -DNTESTS=5 ${{ inputs.cflags }} -flto"

mldsa/rounding.c

@@ -24,7 +24,7 @@ void mld_decompose(int32_t *a0, int32_t *a1, int32_t a)
   *a1 = (*a1 * 11275 + (1 << 23)) >> 24;
   cassert(*a1 >= 0 && *a1 <= 44);
 
-  *a1 = mld_ct_sel_int32(0, *a1, mld_ct_cmask_neg_i32(43 - *a1));
+  *a1 ^= ((43 - *a1) >> 31) & *a1;
   cassert(*a1 >= 0 && *a1 <= 43);
 #else /* MLDSA_MODE == 2 */
   *a1 = (*a1 * 1025 + (1 << 21)) >> 22;
@@ -36,8 +36,7 @@ void mld_decompose(int32_t *a0, int32_t *a1, int32_t a)
 #endif /* MLDSA_MODE != 2 */
 
   *a0 = a - *a1 * 2 * MLDSA_GAMMA2;
-  *a0 = mld_ct_sel_int32(*a0 - MLDSA_Q, *a0,
-                         mld_ct_cmask_neg_i32((MLDSA_Q - 1) / 2 - *a0));
+  *a0 -= (((MLDSA_Q - 1) / 2 - *a0) >> 31) & MLDSA_Q;
 }
 
 unsigned int mld_make_hint(int32_t a0, int32_t a1)

mldsa/sign.c

@@ -316,7 +316,7 @@ __contract__(
   uint8_t challenge_bytes[MLDSA_CTILDEBYTES];
   unsigned int n;
   mld_polyvecl y, z;
-  mld_polyveck w2, w1, w0, h;
+  mld_polyveck w1, w0, h;
   mld_poly cp;
   uint32_t z_invalid, w0_invalid, h_invalid;
 
@@ -332,8 +332,8 @@ __contract__(
 
   /* Decompose w and call the random oracle */
   mld_polyveck_caddq(&w1);
-  mld_polyveck_decompose(&w2, &w0, &w1);
-  mld_polyveck_pack_w1(sig, &w2);
+  mld_polyveck_decompose(&w1, &w0, &w1);
+  mld_polyveck_pack_w1(sig, &w1);
 
   mld_H(challenge_bytes, MLDSA_CTILDEBYTES, mu, MLDSA_CRHBYTES, sig,
         MLDSA_K * MLDSA_POLYW1_PACKEDBYTES, NULL, 0);
@@ -364,7 +364,6 @@ __contract__(
     mld_zeroize(challenge_bytes, MLDSA_CTILDEBYTES);
     mld_zeroize(&y, sizeof(y));
     mld_zeroize(&z, sizeof(z));
-    mld_zeroize(&w2, sizeof(w2));
     mld_zeroize(&w1, sizeof(w1));
     mld_zeroize(&w0, sizeof(w0));
     mld_zeroize(&h, sizeof(h));
@@ -395,7 +394,6 @@ __contract__(
     mld_zeroize(challenge_bytes, sizeof(challenge_bytes));
     mld_zeroize(&y, sizeof(y));
     mld_zeroize(&z, sizeof(z));
-    mld_zeroize(&w2, sizeof(w2));
     mld_zeroize(&w1, sizeof(w1));
     mld_zeroize(&w0, sizeof(w0));
     mld_zeroize(&h, sizeof(h));
@@ -417,7 +415,6 @@ __contract__(
     mld_zeroize(challenge_bytes, MLDSA_CTILDEBYTES);
     mld_zeroize(&y, sizeof(y));
     mld_zeroize(&z, sizeof(z));
-    mld_zeroize(&w2, sizeof(w2));
     mld_zeroize(&w1, sizeof(w1));
     mld_zeroize(&w0, sizeof(w0));
     mld_zeroize(&h, sizeof(h));
@@ -436,15 +433,14 @@ __contract__(
    * For a more detailed discussion, refer to https://eprint.iacr.org/2022/1406.
    */
   MLD_CT_TESTING_DECLASSIFY(&w0, sizeof(w0));
-  MLD_CT_TESTING_DECLASSIFY(&w2, sizeof(w2));
-  n = mld_polyveck_make_hint(&h, &w0, &w2);
+  MLD_CT_TESTING_DECLASSIFY(&w1, sizeof(w1));
+  n = mld_polyveck_make_hint(&h, &w0, &w1);
   if (n > MLDSA_OMEGA)
   {
     /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
     mld_zeroize(challenge_bytes, MLDSA_CTILDEBYTES);
     mld_zeroize(&y, sizeof(y));
     mld_zeroize(&z, sizeof(z));
-    mld_zeroize(&w2, sizeof(w2));
     mld_zeroize(&w1, sizeof(w1));
     mld_zeroize(&w0, sizeof(w0));
     mld_zeroize(&h, sizeof(h));
@@ -463,7 +459,6 @@ __contract__(
   mld_zeroize(challenge_bytes, MLDSA_CTILDEBYTES);
   mld_zeroize(&y, sizeof(y));
   mld_zeroize(&z, sizeof(z));
-  mld_zeroize(&w2, sizeof(w2));
   mld_zeroize(&w1, sizeof(w1));
   mld_zeroize(&w0, sizeof(w0));
   mld_zeroize(&h, sizeof(h));