fixed decoder and sparse multiplication, added forceful zeroize to buffer

Author: alexrow

CHANGELOG

@@ -1,3 +1,13 @@
+Version 1.0.2 (tag v1.0.2)
+
+* Fixed decoding bug, unelicited by submission parameters.
+
+* Fixed sparse multiplication bug, unelicited by submission parameters.
+
+* Added forced zero filling for the memory area which subsequently holds 
+  the data to be hashed whenever a decoding failure takes place.
+
+----------------------------
 Version 1.0.1 (tag v1.0.1)
 
 * Added the secret key to the hash which generates the pseudorandom value

Reference_Implementation/KEM/Makefile

@@ -56,7 +56,7 @@ endif
   CFLAGS = -DCATEGORY=$(SL) -DN0=$(N0) -DCPU_WORD_BITS=64 \
            -std=c99 -Wall -pedantic -Wmaybe-uninitialized -Wuninitialized \
 	   -march=native -O3
-  LDFLAGS = -lm 
+  LDFLAGS =  
   INCLUDES = -I./include
   SRCDIR = library
   OBJDIR = bin

Reference_Implementation/KEM/include/gf2x_arith_mod_xPplusOne.h

@@ -90,10 +90,6 @@
 
 /*----------------------------------------------------------------------------*/
 
-
-
-/*----------------------------------------------------------------------------*/
-
 static inline void gf2x_copy(DIGIT dest[], const DIGIT in[])
 {
    for (int i = NUM_DIGITS_GF2X_ELEMENT-1; i >= 0; i--)

Reference_Implementation/KEM/library/bf_decoding.c

@@ -2,7 +2,7 @@
  *
  * <bf_decoding.c>
  *
- * @version 1.0 (September 2017)
+ * @version 1.0.2 (September 2018)
  *
  * Reference ISO-C99 Implementation of LEDAkem cipher" using GCC built-ins.
  *
@@ -84,7 +84,7 @@ int bf_decoding(DIGIT out[], // N0 polynomials
             int correlation =0;
 
             for (int blockIdx = 0; blockIdx < N0; blockIdx++) {
-               endQblockIdx += qBlockWeights[i][blockIdx];
+               endQblockIdx += qBlockWeights[blockIdx][i];
                for (; currQoneIdx < endQblockIdx; currQoneIdx++) {
                   currQ_pos[currQoneIdx] = ((QtrPosOnes[i][currQoneIdx]+j) % P) + blockIdx*P;
                   correlation += upc[currQ_pos[currQoneIdx]];

Reference_Implementation/KEM/library/gf2x_arith_mod_xPplusOne.c

@@ -2,7 +2,7 @@
  *
  * <gf2x_arith_mod_xPplusOne.c>
  *
- * @version 1.0 (September 2017)
+ * @version 1.0.2 (September 2018)
  *
  * Reference ISO-C99 Implementation of LEDAkem cipher" using GCC built-ins.
  *
@@ -372,9 +372,9 @@ int gf2x_mod_inverse(DIGIT out[], const DIGIT in[])     /* in^{-1} mod x^P-1 */
    int i;
    long int delta = 0;
    DIGIT u[NUM_DIGITS_GF2X_ELEMENT] = {0},
-                                      v[NUM_DIGITS_GF2X_ELEMENT] = {0},
-                                            s[NUM_DIGITS_GF2X_MODULUS] = {0},
-                                                  f[NUM_DIGITS_GF2X_MODULUS] = {0};
+         v[NUM_DIGITS_GF2X_ELEMENT] = {0},
+         s[NUM_DIGITS_GF2X_MODULUS] = {0},
+         f[NUM_DIGITS_GF2X_MODULUS] = {0};
 
    DIGIT mask;
    u[NUM_DIGITS_GF2X_ELEMENT-1] = 0x1;
@@ -507,43 +507,48 @@ void gf2x_mod_mul_sparse(int
                          int sizeB, /*number of ones in B*/
                          const POSITION_T B[])
 {
-   for(int i = 0; i< sizeR; i++) {
-      Res[i]= INVALID_POS_VALUE;
-   }
    /* compute all the coefficients, filling invalid positions with P*/
-   unsigned i = 0;
-   for(; i < sizeA  && A[i] != INVALID_POS_VALUE; i++) {
-      unsigned j = 0;
-      for (; j < sizeB && B[j] != INVALID_POS_VALUE; j++) {
-         uint32_t prod = ((uint32_t) A[i]) + ((uint32_t) B[j]);
-         Res[i*sizeB+j] = prod >= P ? prod - P : prod;
-      }
-      for (; j < sizeB ; j++) {
-         Res[i*sizeB+j] = INVALID_POS_VALUE;
-      }
-   }
-
-   for(; i < sizeA; i++) {
-      for (unsigned j = 0; j < sizeB; j++) {
-         Res[i*sizeB+j] = INVALID_POS_VALUE;
-      }
+   unsigned lastFilledPos=0;
+   for(int i = 0 ; i < sizeA ; i++){
+     for(int j = 0 ; j < sizeB ; j++){
+          uint32_t prod = ((uint32_t) A[i]) + ((uint32_t) B[j]);
+          prod = ( (prod >= P) ? prod - P : prod);
+       if ((A[i] != INVALID_POS_VALUE) &&
+           (B[i] != INVALID_POS_VALUE)){
+            Res[lastFilledPos] = prod;
+        } else{
+            Res[lastFilledPos] = INVALID_POS_VALUE;
+        }
+        lastFilledPos++;
+     }
+   }
+   while(lastFilledPos < sizeR){
+        Res[lastFilledPos] = INVALID_POS_VALUE;
+        lastFilledPos++;
    }
    quicksort(Res, sizeR);
    /* eliminate duplicates */
+   POSITION_T lastReadPos = Res[0];
+   int duplicateCount;
    int write_idx = 0;
-   for(unsigned i = 0; i < sizeR-1  && Res[i] != INVALID_POS_VALUE; i++) {
-      if (Res[i] == Res[i+1]) {
-         i++;
-      } else {
-         Res[write_idx] = Res[i];
-         write_idx++;
+   int read_idx = 0;
+   while(read_idx < sizeR  && Res[read_idx] != INVALID_POS_VALUE){
+      lastReadPos = Res[read_idx];
+      read_idx++;
+      duplicateCount=1;
+      while( (Res[read_idx] == lastReadPos) && (Res[read_idx] != INVALID_POS_VALUE)){
+        read_idx++;
+        duplicateCount++;
+      }
+      if (duplicateCount % 2) {
+        Res[write_idx] = lastReadPos;
+        write_idx++;
       }
    }
    /* fill remaining cells with INVALID_POS_VALUE */
    for(; write_idx < sizeR; write_idx++) {
       Res[write_idx] = INVALID_POS_VALUE;
    }
-
 } // end gf2x_mod_mul_sparse
 
 

Reference_Implementation/KEM/library/kem.c

@@ -2,7 +2,7 @@
  *
  * <kem.c>
  *
- * @version 1.0.1 (July 2018)
+ * @version 1.0.2 (September 2018)
  *
  * Reference ISO-C99 Implementation of LEDAkem cipher" using GCC built-ins.
  *
@@ -87,6 +87,7 @@ int crypto_kem_dec( unsigned char *ss,
 {
    DIGIT decoded_error_vector[N0*NUM_DIGITS_GF2X_ELEMENT];
    DIGIT mockup_error_vector[N0*NUM_DIGITS_GF2X_ELEMENT];
+   memset(mockup_error_vector, 0x00, N0*NUM_DIGITS_GF2X_ELEMENT*DIGIT_SIZE_B);
    memcpy(mockup_error_vector, ct, NUM_DIGITS_GF2X_ELEMENT*DIGIT_SIZE_B);
    /* adding the prng seed to the final hash in case of decryption failure
     * to address the official comment by Keita Xagawa */

Reference_Implementation/KEM/library/sha3.c

@@ -314,4 +314,5 @@ void Keccak(      unsigned int rate,
    }
 }
 
-/*----------------------------------------------------------------------------*/
+/*----------------------------------------------------------------------------*/
+