ntru: Add constant time operations

1- constan time division
2- constant time `if x i< 0` & `if x == 0`
2- constant time bitonic sort

Signed-off-by: Ahmed <>

Author: Ahmed

ntru/src/const_time/masks.rs

@@ -0,0 +1,42 @@
+/// return -1 if x!=0; else return 0
+#[must_use]
+pub const fn i16_nonzero_mask(x: i16) -> i32 {
+    let u: u16 = x as u16;
+    let mut v: u32 = u as u32;
+    v = (!v).wrapping_add(1); // in reference code they did v = -v;
+    v >>= 31;
+    ((!v).wrapping_add(1)) as i32
+}
+
+/// return -1 if x<0; otherwise return 0
+#[must_use]
+pub const fn i16_negative_mask(x: i16) -> i32 {
+    let mut u: u16 = x as u16;
+    u >>= 15;
+    -(u as i32)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_i16_nonzero_mask_exhaust() {
+        assert_eq!(i16_nonzero_mask(0), 0);
+        for i in 1..i16::MAX {
+            assert_eq!(i16_nonzero_mask(i), -1);
+        }
+        for i in i16::MIN..-1 {
+            assert_eq!(i16_nonzero_mask(i), -1);
+        }
+    }
+    #[test]
+    fn test_i16_negative_mask() {
+        for i in 0..i16::MAX {
+            assert_eq!(i16_negative_mask(i), 0);
+        }
+        for i in i16::MIN..-1 {
+            assert_eq!(i16_negative_mask(i), -1);
+        }
+    }
+}

ntru/src/const_time/mod.rs

@@ -0,0 +1,7 @@
+mod num;
+mod sort;
+mod masks;
+
+pub use num::*;
+pub use sort::*;
+pub use masks::*;

ntru/src/const_time/num.rs

@@ -0,0 +1,81 @@
+//! best effort constant time divide
+
+/// this function is optimized out at release mode
+const fn debug_checks(m: u32, v: u32, x: u32) {
+    debug_assert!(m > 0);
+    debug_assert!(m < 16384);
+    debug_assert!(v * m <= u32::pow(2, 31));
+    debug_assert!(u32::pow(2, 31) < v * m + m);
+    let x = x as u64;
+    let m = m as u64;
+    let v = v as u64;
+    debug_assert!(x * v * m <= u64::pow(2, 31) * x);
+    debug_assert!(u64::pow(2, 31) * x <= x * v * (m) + x * (m - 1));
+}
+
+/// constant time division
+/// this function returns quotient and remainder
+/// this function is problemetic according to original implmentation:
+///     CPU division instruction typically takes time depending on x.
+///     This software is designed to take time independent of x.
+///     Time still varies depending on m; user must ensure that m is constant.
+///     Time also varies on CPUs where multiplication is variable-time.
+///     There could be more CPU issues.
+///     There could also be compiler issues.
+#[must_use]
+pub const fn u32_divmod_u14(mut x: u32, m: u16) -> (u32, u16) {
+    let m = m as u32;
+    let mut v = 0x8000_0000_u32;
+    v /= m;
+    // the following asserts must be guaranteed by th caller of divmod
+    debug_checks(m, v, x);
+    let mut q = 0;
+    let mut qpart = (((x as u64) * (v as u64)) >> 31) as u32;
+    x -= qpart * m;
+    q += qpart;
+    debug_assert!(x < 49146);
+
+    qpart = (((x as u64) * (v as u64)) >> 31) as u32;
+    x -= qpart * m;
+    q += qpart;
+
+    x = x.wrapping_sub(m);
+    q += 1;
+    let mask = (!(x >> 31)).wrapping_add(1);
+    x = x.wrapping_add(mask & m);
+    q = q.wrapping_add(mask);
+    debug_assert!(x <= m);
+    (q, x as u16)
+}
+
+#[must_use]
+pub const fn u32_div_u14(x: u32, m: u16) -> u32 {
+    u32_divmod_u14(x, m).0
+}
+
+#[must_use]
+pub const fn u32_mod_u14(x: u32, m: u16) -> u16 {
+    u32_divmod_u14(x, m).1
+}
+
+#[must_use]
+pub const fn i32_divmod_u14(x: i32, m: u16) -> (i32, u16) {
+    let (mut uq, mut ur) = u32_divmod_u14(0x8000_0000_u32.wrapping_add(x as u32), m);
+    let (uq2, ur2) = u32_divmod_u14(0x8000_0000, m);
+    ur = ur.wrapping_sub(ur2);
+    uq = uq.wrapping_sub(uq2);
+    let mask = (!((ur >> 15) as u32)).wrapping_add(1);
+    ur = ur.wrapping_add(mask as u16 & m);
+    uq = uq.wrapping_add(mask);
+    (uq as i32, ur)
+}
+
+#[must_use]
+pub const fn i32_div_u14(x: i32, m: u16) -> i32 {
+    i32_divmod_u14(x, m).0
+}
+
+#[must_use]
+pub const fn i32_mod_u14(x: i32, m: u16) -> u16 {
+    i32_divmod_u14(x, m).1
+}

ntru/src/const_time/sort.rs

@@ -0,0 +1,144 @@
+//! sorting with data independent timing behavior
+
+/// returns a tuple of two sorted elements such
+/// that the first is always less or equal to the
+/// second
+fn minmax(xi: u32, yi: u32) -> (u32, u32) {
+    let xy = xi ^ yi;
+    let mut c = yi.wrapping_sub(xi);
+    c ^= xy & (c ^ yi ^ 0x8000_0000);
+    c >>= 31;
+    c = (!c).wrapping_add(1);
+    c &= xy;
+    (xi ^ c, yi ^ c)
+}
+
+/// This function sorts a list in place taking the same
+/// amount of time only depending on the size of the list.
+pub fn crypto_sort_u32(list: &mut [u32]) {
+    let n = list.len() as i32;
+    if n < 2 {
+        return;
+    }
+    let mut top = 1i32;
+    while top < n.wrapping_sub(top) {
+        top += top;
+    }
+    let mut p = top;
+    while p > 0 {
+        for i in 0..n.wrapping_sub(p) {
+            if i & p == 0 {
+                let (xi, yi) = minmax(list[i as usize], list[(i + p) as usize]);
+                list[i as usize] = xi;
+                list[(i + p) as usize] = yi;
+            }
+        }
+        let mut q = top;
+        while q > p {
+            for i in 0..n.wrapping_sub(q) {
+                if i & p == 0 {
+                    let (xi, yi) = minmax(list[(i + p) as usize], list[(i + q) as usize]);
+                    list[(i + p) as usize] = xi;
+                    list[(i + q) as usize] = yi;
+                }
+            }
+            q >>= 1;
+        }
+        p >>= 1;
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::{crypto_sort_u32, minmax};
+    #[test]
+    fn test_minmax_zero() {
+        assert_eq!(minmax(0, 0), (0, 0));
+    }
+    #[test]
+    fn test_minmax_sorted() {
+        assert_eq!(minmax(1, 2), (1, 2));
+    }
+    #[test]
+    fn test_minmax_unsorted() {
+        assert_eq!(minmax(2, 1), (1, 2));
+    }
+    #[test]
+    fn test_minmax_identical() {
+        assert_eq!(minmax(1, 1), (1, 1));
+    }
+    #[test]
+    fn test_minmax_large_sorted() {
+        assert_eq!(minmax(u32::MAX - 1, u32::MAX), (u32::MAX - 1, u32::MAX));
+    }
+    #[test]
+    fn test_minmax_large_unsorted() {
+        assert_eq!(minmax(u32::MAX, u32::MAX - 1), (u32::MAX - 1, u32::MAX));
+    }
+    #[test]
+    fn test_minmax_large_identical() {
+        assert_eq!(minmax(u32::MAX, u32::MAX), (u32::MAX, u32::MAX));
+    }
+    #[test]
+    fn test_one_item_sort() {
+        let mut v = vec![1];
+        crypto_sort_u32(&mut v);
+        assert_eq!(v, [1]);
+    }
+    #[test]
+    fn test_minmax_large_small() {
+        assert_eq!(minmax(u32::MAX - 1, 4), (4, u32::MAX - 1));
+    }
+    #[test]
+    fn test_minmax_small_large() {
+        assert_eq!(minmax(4, u32::MAX), (4, u32::MAX));
+    }
+    #[test]
+    fn test_empty_item_sort() {
+        let mut v = vec![];
+        crypto_sort_u32(&mut v);
+        assert_eq!(v, []);
+    }
+
+    #[test]
+    fn test_two_item_sort() {
+        let mut v = vec![1, 2];
+        crypto_sort_u32(&mut v);
+        assert_eq!(v, [1, 2]);
+        let mut v = vec![2, 1];
+        crypto_sort_u32(&mut v);
+        assert_eq!(v, [1, 2]);
+    }
+    #[test]
+    fn test_sort_zeros() {
+        let mut v = vec![0; 100];
+        crypto_sort_u32(&mut v);
+        assert_eq!(v, &[0; 100]);
+    }
+    #[test]
+    fn test_sort_ordered() {
+        let mut v: Vec<_> = (0..100).collect();
+        crypto_sort_u32(&mut v);
+        assert_eq!(v, (0..100).collect::<Vec<u32>>());
+    }
+
+    #[test]
+    fn test_sort_rev() {
+        let mut v: Vec<_> = (0..100).rev().collect();
+        crypto_sort_u32(&mut v);
+        assert_eq!(v, (0..100).collect::<Vec<u32>>());
+    }
+    #[test]
+    fn test_sort_large() {
+        let mut v: Vec<_> = (u32::MAX - 10000..u32::MAX).rev().collect();
+        crypto_sort_u32(&mut v);
+        assert_eq!(v, (u32::MAX - 10000..u32::MAX).collect::<Vec<u32>>());
+    }
+
+    #[test]
+    fn test_sort_long() {
+        let mut v: Vec<_> = (0..1000000).rev().collect();
+        crypto_sort_u32(&mut v);
+        assert_eq!(v, (0..1000000).collect::<Vec<u32>>());
+    }
+}

ntru/src/lib.rs

@@ -17,4 +17,5 @@
     clippy::similar_names,
 )]
 
+pub mod const_time;
 pub mod params;