Commit 1cc936b

upstream: Fill entropy in a single operation instead of hundreds.
The sntrup761 code we use from SUPERCOP fills entropy arrays 4 bytes at a time. On some platforms each of these operations has a significant overhead, so instead fill the array in a single operation and, as a precaution, zero it after it has been used. Analysis and code change are from Mike Frysinger via GitHub PR#621, with feedback from djm@ and sed-ification from me. ok djm@ beck@. This change was submitted by Mike to SUPERCOP upstream, so hopefully future versions will already have it. OpenBSD-Commit-ID: 0e85c82f79b1b396facac59e05b288c08048f15c
1 parent a6f8f79 commit 1cc936b

2 files changed

+30
-16
lines changed

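--- a/sntrup761.c
+++ b/sntrup761.c
@@ -1,5 +1,4 @@
-
-/* $OpenBSD: sntrup761.c,v 1.8 2024/09/16 05:37:05 djm Exp $ */
+/* $OpenBSD: sntrup761.c,v 1.9 2026/01/20 22:56:11 dtucker Exp $ */
 
 /*
 * Public Domain, Authors:
@@ -1961,27 +1960,20 @@ static void Hash_prefix(unsigned char *out, int b, const unsigned char *in, int
 for (i = 0; i < 32; ++i) out[i] = h[i];
 }
 
-static uint32_t urandom32(void) {
-unsigned char c[4];
-uint32_t result = 0;
-int i;
-randombytes(c, 4);
-for (i = 0; i < 4; ++i) result += ((uint32_t)c[i]) << (8 * i);
-return result;
-}
 
 static void Short_random(small *out) {
 uint32_t L[p];
-int i;
-for (i = 0; i < p; ++i) L[i] = urandom32();
+randombytes(L, sizeof(L));
 Short_fromlist(out, L);
+explicit_bzero(L, sizeof(L));
 }
-
 static void Small_random(small *out) {
 int i;
-for (i = 0; i < p; ++i) out[i] = (((urandom32() & 0x3fffffff) * 3) >> 30) - 1;
+uint32_t L[p];
+randombytes(L, sizeof(L));
+for (i = 0; i < p; ++i) out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;
+explicit_bzero(L, sizeof(L));
 }
-
 static void KeyGen(Fq *h, small *f, small *ginv) {
 small g[p];
 Fq finv[p];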
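Review bot: `randombytes(L, sizeof(L))` in Short_random and Small_random now reads `L` as host-endian 32-bit words, whereas the removed urandom32() assembled each word little-endian from four bytes (`result += ((uint32_t)c[i]) << (8 * i)`), so the same byte stream produces different words on big-endian hosts than it did before. Since the words are consumed only locally and are uniformly distributed either way, key quality is unaffected, but any known-answer test that runs with a deterministic randombytes would no longer match upstream output on such hosts; a comment above the first `randombytes(L, sizeof(L));` would record this: `/* host-endian words: differs from upstream's little-endian urandom32() only under deterministic randombytes (KATs) */`. The `explicit_bzero(L, sizeof(L))` calls are defense in depth only; whatever Short_fromlist copies from `L` internally lives outside this hunk and is not cleared here, and `out` necessarily retains the secret. If the randombytes in this build is prototyped with `unsigned char *` rather than `void *`, `randombytes((unsigned char *)L, sizeof(L))` avoids an incompatible-pointer warning.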
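--- a/sntrup761.sh
+++ b/sntrup761.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $OpenBSD: sntrup761.sh,v 1.9 2024/09/16 05:37:05 djm Exp $
+# $OpenBSD: sntrup761.sh,v 1.10 2026/01/20 22:56:11 dtucker Exp $
 # Placed in the Public Domain.
 #
 AUTHOR="supercop-20240808/crypto_kem/sntrup761/ref/implementors"
@@ -87,6 +87,28 @@ for i in $FILES; do
 */uint32/useint32/sort.c)
 sed -e "s/void crypto_sort/void crypto_sort_uint32/g"
 ;;
+# Replace Short_random and Small_random with versions that fetch
+# entropy in a single operation, then delete urandom32 as unused.
+*/crypto_kem/sntrup761/compact/kem.c)
+sed -e '/ uint32_t urandom32/,/^}$/d' \
+-e '/ void Short_random/i\
+static void Short_random(small *out) {\
+uint32_t L[p];\
+randombytes(L, sizeof(L));\
+Short_fromlist(out, L);\
+explicit_bzero(L, sizeof(L));\
+}' \
+-e '/ void Short_random(/,/^}$/d' \
+-e '/ void Small_random/i\
+static void Small_random(small *out) {\
+int i;\
+uint32_t L[p];\
+randombytes(L, sizeof(L));\
+for (i = 0; i < p; ++i) out[i] = (((L[i] & 0x3fffffff) * 3) >> 30) - 1;\
+explicit_bzero(L, sizeof(L));\
+}' \
+-e '/ void Small_random(/,/^}$/d'
+;;
 # Remove unused function to prevent warning.
 */crypto_kem/sntrup761/ref/int32.c)
 sed -e '/ int32_div_uint14/,/^}$/d'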
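Review bot: The `i\` inserts and the `/ void Short_random(/,/^}$/d` and `/ void Small_random(/,/^}$/d` range deletes in the new `compact/kem.c` case are silent no-ops when their pattern does not match, so if upstream renames or moves these functions a regenerated sntrup761.c would quietly keep the old per-word urandom32() loop; conversely, if a forward declaration of either function ever precedes its definition, the range delete would start at the declaration and remove everything up to the next `^}$`. The comment at the top of the case would be more useful if it stated that coupling: `# NOTE: the function bodies below must match the hand-edited ones in sntrup761.c; they silently do nothing if upstream renames these functions.` A post-generation check after the loop, e.g. `grep -q urandom32 sntrup761.c && { echo 'urandom32 still present' >&2; exit 1; }`, would make a mismatch fail loudly; the `for i in $FILES` loop ends outside this hunk.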