implement true constant-time cmov() for ref10 implementation

Author: ivmaykov

src/net/i2p/crypto/eddsa/math/FieldElement.java

@@ -70,5 +70,7 @@ public FieldElement divide(FieldElement val) {
 
     public abstract FieldElement pow22523();
 
+    public abstract FieldElement cmov(FieldElement g, final int b);
+
     // Note: concrete subclasses must implement hashCode() and equals()
 }

src/net/i2p/crypto/eddsa/math/GroupElement.java

@@ -811,19 +811,10 @@ static byte[] toRadix16(final byte[] a) {
      *
      * @param u The group element to return if b == 1.
      * @param b in {0, 1}
-     * @return u if b == 1; this if b == 0; null otherwise.
+     * @return u if b == 1; this if b == 0. Results undefined if b is not in {0, 1}.
      */
     GroupElement cmov(final GroupElement u, final int b) {
-        GroupElement ret = null;
-        for (int i = 0; i < b; i++) {
-            // Only for b == 1
-            ret = u;
-        }
-        for (int i = 0; i < 1-b; i++) {
-            // Only for b == 0
-            ret = this;
-        }
-        return ret;
+        return precomp(curve, X.cmov(u.X, b), Y.cmov(u.Y, b), Z.cmov(u.Z, b));
     }
 
     /**

src/net/i2p/crypto/eddsa/math/bigint/BigIntegerFieldElement.java

@@ -104,6 +104,13 @@ public FieldElement pow22523(){
         return pow(f.getQm5d8());
     }
 
+    @Override
+    public FieldElement cmov(FieldElement g, int b) {
+        // Not constant-time, but it doesn't really matter because none of the underlying BigInteger operations
+        // are either, so there's not much point in trying hard here ...
+        return b == 0 ? this : g;
+    }
+
     @Override
     public int hashCode() {
         return bi.hashCode();

src/net/i2p/crypto/eddsa/math/ed25519/Ed25519FieldElement.java

@@ -942,6 +942,77 @@ public FieldElement pow22523() {
         return multiply(t0);
     }
 
+    /**
+     * Constant-time conditional move. Well, actually it is a conditional copy.
+     * Logic is taken from the SUPERCOP implementation at:
+     *   https://github.com/floodyberry/supercop/blob/master/crypto_sign/ed25519/ref10/fe_cmov.c
+     *
+     * @param g the other field element.
+     * @param b must be 0 or 1, otherwise results are undefined.
+     * @return a copy of this if b == 0, or a copy of g if b == 1.
+     */
+    @Override
+    public FieldElement cmov(FieldElement g, int b) {
+        Ed25519FieldElement that = (Ed25519FieldElement) g;
+        // f0 ... f9 are a copy of this.t
+        int f0 = this.t[0];
+        int f1 = this.t[1];
+        int f2 = this.t[2];
+        int f3 = this.t[3];
+        int f4 = this.t[4];
+        int f5 = this.t[5];
+        int f6 = this.t[6];
+        int f7 = this.t[7];
+        int f8 = this.t[8];
+        int f9 = this.t[9];
+        // g0 ... g9 are a copy of that.t
+        int g0 = that.t[0];
+        int g1 = that.t[1];
+        int g2 = that.t[2];
+        int g3 = that.t[3];
+        int g4 = that.t[4];
+        int g5 = that.t[5];
+        int g6 = that.t[6];
+        int g7 = that.t[7];
+        int g8 = that.t[8];
+        int g9 = that.t[9];
+        // x0 ... x9 are XORs of this.t and that.t
+        int x0 = f0 ^ g0;
+        int x1 = f1 ^ g1;
+        int x2 = f2 ^ g2;
+        int x3 = f3 ^ g3;
+        int x4 = f4 ^ g4;
+        int x5 = f5 ^ g5;
+        int x6 = f6 ^ g6;
+        int x7 = f7 ^ g7;
+        int x8 = f8 ^ g8;
+        int x9 = f9 ^ g9;
+        b = -b;
+        // turn x0 ... x9 into 0s if b is 0, otherwise keep unchanged
+        x0 &= b;
+        x1 &= b;
+        x2 &= b;
+        x3 &= b;
+        x4 &= b;
+        x5 &= b;
+        x6 &= b;
+        x7 &= b;
+        x8 &= b;
+        x9 &= b;
+        // turn f0 ... f9 into a copy of this.t if b is 0, or a copy of that.t if b is 1
+        f0 ^= x0;
+        f1 ^= x1;
+        f2 ^= x2;
+        f3 ^= x3;
+        f4 ^= x4;
+        f5 ^= x5;
+        f6 ^= x6;
+        f7 ^= x7;
+        f8 ^= x8;
+        f9 ^= x9;
+        return new Ed25519FieldElement(f, new int[]{ f0, f1, f2, f3, f4, f5, f6, f7, f8, f9});
+    }
+
     @Override
     public int hashCode() {
         return Arrays.hashCode(t);