zuc: constant time & correct lazy mod

2025-04-26 12:16:20 +08:00 · 2022-08-10 13:52:44 +08:00 · 2022-08-10 13:52:44 +08:00 · b299ca46f2
commit b299ca46f2
parent b7cc21a055
3 changed files with 18 additions and 41 deletions
--- a/zuc/core.go
+++ b/zuc/core.go
@ -118,32 +118,20 @@ func add31(x, y uint32) uint32 {
 }

 func (s *zucState32) enterInitMode(w uint32) {
-	v := uint64(s.lfsr[15])<<15 + uint64(s.lfsr[13])<<17 + uint64(s.lfsr[10])<<21 + uint64(s.lfsr[4])<<20 + uint64(s.lfsr[0])<<8 + uint64(s.lfsr[0])
+	v := uint64(s.lfsr[15])<<15 + uint64(s.lfsr[13])<<17 + uint64(s.lfsr[10])<<21 + uint64(s.lfsr[4])<<20 + uint64(s.lfsr[0])<<8 + uint64(s.lfsr[0]) + uint64(w)
 	v = (v & 0x7FFFFFFF) + (v >> 31)
-	t := add31(uint32(v), w)
-
-	if t == 0 {
-		t = 0x7FFFFFFF
-	}
-	var temp [16]uint32
-	copy(temp[:], s.lfsr[1:])
-	copy(s.lfsr[:], temp[:])
-	s.lfsr[15] = t
-}
-
-func (s *zucState32) enterWorkMode() {
-	v := uint64(s.lfsr[15])<<15 + uint64(s.lfsr[13])<<17 + uint64(s.lfsr[10])<<21 + uint64(s.lfsr[4])<<20 + uint64(s.lfsr[0])<<8 + uint64(s.lfsr[0])
 	v = (v & 0x7FFFFFFF) + (v >> 31)

-	if v == 0 {
-		v = 0x7FFFFFFF
-	}
 	var temp [16]uint32
 	copy(temp[:], s.lfsr[1:])
 	copy(s.lfsr[:], temp[:])
 	s.lfsr[15] = uint32(v)
 }

+func (s *zucState32) enterWorkMode() {
+	s.enterInitMode(uint32(0))
+}
+
 func makeFieldValue3(a, b, c uint32) uint32 {
 	return (a << 23) | (b << 8) | c
 }
--- a/zuc/eia.go
+++ b/zuc/eia.go
@ -102,9 +102,7 @@ func blockGeneric(m *ZUC128Mac, p []byte) {
 			k64 = uint64(m.k0[i])<<32 | uint64(m.k0[i+1])
 			w := binary.BigEndian.Uint32(p[i*4:])
 			for j := 0; j < 32; j++ {
-				if w&0x80000000 == 0x80000000 {
-					t64 ^= k64
-				}
+				t64 ^= ^(uint64(w>>31) - 1) & k64
 				w <<= 1
 				k64 <<= 1
 			}
@ -156,9 +154,7 @@ func (m *ZUC128Mac) checkSum(additionalBits int, b byte) [4]byte {
 			k64 = uint64(m.k0[i])<<32 | uint64(m.k0[i+1])
 			w := binary.BigEndian.Uint32(m.x[i*4:])
 			for j := 0; j < 32; j++ {
-				if w&0x80000000 == 0x80000000 {
-					t64 ^= k64
-				}
+				t64 ^= ^(uint64(w>>31) - 1) & k64
 				w <<= 1
 				k64 <<= 1
 			}
@ -169,9 +165,7 @@ func (m *ZUC128Mac) checkSum(additionalBits int, b byte) [4]byte {
 			k64 = uint64(m.k0[kIdx])<<32 | uint64(m.k0[kIdx+1])
 			w := binary.BigEndian.Uint32(m.x[(words-1)*4:])
 			for j := 0; j < nRemainBits; j++ {
-				if w&0x80000000 == 0x80000000 {
-					t64 ^= k64
-				}
+				t64 ^= ^(uint64(w>>31) - 1) & k64
 				w <<= 1
 				k64 <<= 1
 			}
--- a/zuc/eia256.go
+++ b/zuc/eia256.go
@ -98,19 +98,16 @@ func block256Generic(m *ZUC256Mac, p []byte) {
 			case 4:
 				k64 = uint64(m.k0[l])<<32 | uint64(m.k0[l+1])
 				for j := 0; j < 32; j++ {
-					if w&0x80000000 == 0x80000000 {
-						t64 ^= k64
-					}
+					t64 ^= ^(uint64(w>>31) - 1) & k64
 					w <<= 1
 					k64 <<= 1
 				}
 			default:
 				k1 := m.k0[tagWords+l]
 				for i := 0; i < 32; i++ {
-					if w&0x80000000 == 0x80000000 {
-						for j := 0; j < tagWords; j++ {
-							m.t[j] ^= m.k0[j]
-						}
+					wBit := ^(w>>31 - 1)
+					for j := 0; j < tagWords; j++ {
+						m.t[j] ^= wBit & m.k0[j]
 					}
 					w <<= 1
 					var j int
@ -170,10 +167,9 @@ func (m *ZUC256Mac) checkSum(additionalBits int, b byte) []byte {
 			w := binary.BigEndian.Uint32(m.x[l*4:])
 			k1 := m.k0[m.tagSize/4+l]
 			for i := 0; i < 32; i++ {
-				if w&0x80000000 == 0x80000000 {
-					for j := 0; j < m.tagSize/4; j++ {
-						m.t[j] ^= m.k0[j]
-					}
+				wBit := ^(w>>31 - 1)
+				for j := 0; j < m.tagSize/4; j++ {
+					m.t[j] ^= wBit & m.k0[j]
 				}
 				w <<= 1
 				var j int
@ -189,10 +185,9 @@ func (m *ZUC256Mac) checkSum(additionalBits int, b byte) []byte {
 		if nRemainBits > 0 {
 			w := binary.BigEndian.Uint32(m.x[(words-1)*4:])
 			for i := 0; i < nRemainBits; i++ {
-				if w&0x80000000 == 0x80000000 {
-					for j := 0; j < m.tagSize/4; j++ {
-						m.t[j] ^= m.k0[j+kIdx]
-					}
+				wBit := ^(w>>31 - 1)
+				for j := 0; j < m.tagSize/4; j++ {
+					m.t[j] ^= wBit & m.k0[j+kIdx]
 				}
 				w <<= 1
 				var j int