
verify: Switch to constant-time memcmp

Open mkannwischer opened this issue 2 months ago • 1 comments

At the very end of verify one has to compare the input challenge to the re-computed challenge. If they are equal (and some previous checks on h and z passed), the signature is valid. Currently, our constant-time tests do not declassify the message and we, hence, need to declassify in this final step. Before this commit, the declassification would happen on the recomputed challenge just before the memcmp. Now that a constant-time memcmp was added in https://github.com/pq-code-package/mldsa-native/pull/714, we might as well use that and declassify only the result of the memcmp, which feels a bit more natural and is easier to justify.

mkannwischer avatar Nov 28 '25 10:11 mkannwischer

I'm not convinced we want to merge it as is. It comes with a noticeable performance penalty due to the duplicate mask computation in the other callsites of mld_ct_sel_int32 (there we are checking for negative values rather than non-zero values).

mkannwischer avatar Dec 01 '25 07:12 mkannwischer
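The two patterns discussed in this thread, as an added example that is not mldsa-native's own code: the old verify tail that declassifies the whole recomputed challenge before a variable-time memcmp, the proposed tail that compares in constant time and declassifies only the one-word result, and, for the follow-up comment, why a mask derived from a sign bit (as in a negative-value check) is cheaper than the mask a non-zero check needs. All identifiers (ct_memcmp, ct_declassify, ct_nonzero_mask, ct_negative_mask, ct_select_u32, verify_tail_old/new, CHALLENGE_BYTES) are assumptions made for illustration; ct_declassify is a no-op stand-in for whatever marker the project's constant-time test harness uses, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code for this thread, not mldsa-native's own implementation:
 * every identifier below is an assumption made for illustration. */

/* Declassification marker. In a normal build it is a no-op; under a
 * valgrind/ctgrind-style constant-time test harness it would mark the bytes
 * as public (e.g. VALGRIND_MAKE_MEM_DEFINED), which is why one wants to
 * apply it to as little data as possible. */
static void ct_declassify(const void *p, size_t n) { (void)p; (void)n; }

/* Constant-time memcmp: 0 iff the buffers are equal, non-zero otherwise.
 * OR-accumulates every byte difference, so there is no early exit that
 * would leak the position of the first mismatch. Only the ordering result
 * (<, >) of libc memcmp is given up. */
static int ct_memcmp(const uint8_t *a, const uint8_t *b, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= (uint8_t)(a[i] ^ b[i]);
    }
    return (int)acc;
}

/* All-ones mask iff x != 0. Needs the extra (x | -x) >> 31 fold; this is
 * the added work when a select helper written for sign-bit masks is
 * reused for a non-zero test. */
static uint32_t ct_nonzero_mask(uint32_t x) {
    return 0u - ((x | (0u - x)) >> 31);
}

/* All-ones mask iff x < 0: a single shift of the sign bit, cheaper than
 * the non-zero fold above. Typical for bound checks such as on z and h. */
static uint32_t ct_negative_mask(int32_t x) {
    return 0u - ((uint32_t)x >> 31);
}

/* Branch-free select: b where mask is all-ones, a where mask is zero. */
static uint32_t ct_select_u32(uint32_t a, uint32_t b, uint32_t mask) {
    return (a & ~mask) | (b & mask);
}

/* Old tail of verify: declassify the whole recomputed challenge, then use
 * a variable-time memcmp. Returns 1 for "challenges match". */
static int verify_tail_old(const uint8_t *c_in, const uint8_t *c_recomp, size_t n) {
    ct_declassify(c_recomp, n);
    return memcmp(c_in, c_recomp, n) == 0;
}

/* New tail: compare in constant time and declassify only the one-word
 * result; the challenge bytes themselves stay secret from the harness'
 * point of view. */
static int verify_tail_new(const uint8_t *c_in, const uint8_t *c_recomp, size_t n) {
    int diff = ct_memcmp(c_in, c_recomp, n);
    ct_declassify(&diff, sizeof diff);
    return diff == 0;
}

/* Constructed inputs: a 32-byte challenge (the c~ length for ML-DSA-44;
 * 48 and 64 bytes for ML-DSA-65/-87) and a copy with one flipped byte. */
#define CHALLENGE_BYTES 32

static int run_checks(void) {
    uint8_t c_in[CHALLENGE_BYTES], c_ok[CHALLENGE_BYTES], c_bad[CHALLENGE_BYTES];
    for (size_t i = 0; i < CHALLENGE_BYTES; i++) {
        c_in[i] = (uint8_t)(0xA5 ^ (i * 7));
    }
    memcpy(c_ok, c_in, sizeof c_ok);
    memcpy(c_bad, c_in, sizeof c_bad);
    /* Flip the last byte: an early-exit memcmp would run to the end here. */
    c_bad[CHALLENGE_BYTES - 1] ^= 0x01;

    int ok = 1;
    ok &= verify_tail_old(c_in, c_ok, CHALLENGE_BYTES) == 1;
    ok &= verify_tail_new(c_in, c_ok, CHALLENGE_BYTES) == 1;
    ok &= verify_tail_old(c_in, c_bad, CHALLENGE_BYTES) == 0;
    ok &= verify_tail_new(c_in, c_bad, CHALLENGE_BYTES) == 0;

    /* Turning ct_memcmp's result into a select mask requires the non-zero
     * fold; a sign-bit mask alone would accept e.g. diff = 1 as "equal". */
    uint32_t diff = (uint32_t)ct_memcmp(c_in, c_bad, CHALLENGE_BYTES);
    ok &= ct_select_u32(1u, 0u, ct_nonzero_mask(diff)) == 0u;          /* correct: invalid */
    ok &= ct_select_u32(1u, 0u, ct_negative_mask((int32_t)diff)) == 1u; /* wrong for this use */
    return ok;
}

int main(void) {
    int ok = run_checks();
    printf("%s\n", ok ? "all checks pass" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of verify_tail_new is not that the comparison outcome is secret (it is returned to the caller anyway) but that only that single word is declassified, so a constant-time checker still tracks the challenge bytes as secret all the way through the compare. The last two checks in run_checks show the cost the follow-up comment refers to: a select helper whose callers hand it a sign-bit mask gets that mask for one shift, whereas the memcmp call site has to fold its OR-accumulator into a mask first.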