From 274e01f404395a9b4af6b062bbb79b21b0bd9f5e Mon Sep 17 00:00:00 2001
From: William Wang
Date: Tue, 13 Apr 2021 17:44:40 -0400
Subject: [PATCH] fix decapsulation failure

---
 kem.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kem.go b/kem.go
index e703515..1ef4d38 100644
--- a/kem.go
+++ b/kem.go
@@ -190,7 +190,7 @@ func KemDecrypt512(
 ski := Kyber512SKBytes - 2*paramsSymBytes
 kr := sha3.Sum512(append(buf, privateKey[ski:ski+paramsSymBytes]...))
 cmp, err := indcpaEncrypt(buf, publicKey, kr[paramsSymBytes:], paramsK)
- fail := byte(1 - subtle.ConstantTimeCompare(ciphertext[:], cmp))
+ fail := byte(subtle.ConstantTimeCompare(ciphertext[:], cmp) - 1)
 krh := sha3.Sum256(ciphertext[:])
 for i := 0; i < paramsSymBytes; i++ {
 skx := privateKey[:Kyber512SKBytes-paramsSymBytes+i]
@@ -219,7 +219,7 @@ func KemDecrypt768(
 ski := Kyber768SKBytes - 2*paramsSymBytes
 kr := sha3.Sum512(append(buf, privateKey[ski:ski+paramsSymBytes]...))
 cmp, err := indcpaEncrypt(buf, publicKey, kr[paramsSymBytes:], paramsK)
- fail := byte(1 - subtle.ConstantTimeCompare(ciphertext[:], cmp))
+ fail := byte(subtle.ConstantTimeCompare(ciphertext[:], cmp) - 1)
 krh := sha3.Sum256(ciphertext[:])
 for i := 0; i < paramsSymBytes; i++ {
 skx := privateKey[:Kyber768SKBytes-paramsSymBytes+i]
@@ -248,7 +248,7 @@ func KemDecrypt1024(
 ski := Kyber1024SKBytes - 2*paramsSymBytes
 kr := sha3.Sum512(append(buf, privateKey[ski:ski+paramsSymBytes]...))
 cmp, err := indcpaEncrypt(buf, publicKey, kr[paramsSymBytes:], paramsK)
- fail := byte(1 - subtle.ConstantTimeCompare(ciphertext[:], cmp))
+ fail := byte(subtle.ConstantTimeCompare(ciphertext[:], cmp) - 1)
 krh := sha3.Sum256(ciphertext[:])
 for i := 0; i < paramsSymBytes; i++ {
 skx := privateKey[:Kyber1024SKBytes-paramsSymBytes+i]
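Review bot: The new `fail` expression on the `+` line of the KemDecrypt512 hunk depends on the int-to-byte wrap of `subtle.ConstantTimeCompare(...) - 1` to produce 0xFF on mismatch, which reads like an off-by-one unless the reader knows a full byte mask is intended, so the next maintainer may well "fix" it back to the old `1 - ...` form that only set bit 0. I would put `// fail is 0x00 if the re-encryption matches the ciphertext and 0xFF otherwise (-1 wraps to a full byte mask); used as a select mask below` directly above the line, with the understanding that the mask is presumably consumed by the loop that follows, whose body lies outside this hunk. KemDecrypt512 begins and ends outside the hunk.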
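Review bot: In the KemDecrypt768 hunk `err` from `indcpaEncrypt` on the third context line is not examined before `cmp` is fed into `subtle.ConstantTimeCompare` on the changed line, so if re-encryption fails the comparison runs against whatever partial `cmp` came back and the outcome silently lands in `fail`. Unless the error is checked further down (the rest of KemDecrypt768 is outside this hunk), add `if err != nil {` with the function's error return immediately after the call, before `fail` is computed. As long as indcpaEncrypt only errors on structural problems such as wrong lengths rather than on secret-dependent data, that early return does not weaken the constant-time path. The same ordering appears in the KemDecrypt512 and KemDecrypt1024 hunks.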
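Review bot: `skx := privateKey[:Kyber1024SKBytes-paramsSymBytes+i]` on the last context line of the KemDecrypt1024 hunk re-slices a prefix of the entire private key on every iteration, one byte longer each time, which hides which byte the loop actually consumes; if the body only needs the i-th byte of the trailing paramsSymBytes region, `z := privateKey[Kyber1024SKBytes-paramsSymBytes+i]` says so directly. The loop body is outside the hunk, so I cannot confirm which element is read; it is worth checking for an off-by-one, since the last element of that prefix is `privateKey[Kyber1024SKBytes-paramsSymBytes+i-1]`, one before the region's i-th byte. The three decapsulation functions in this patch differ only in the SK size constant, which is why this one-token fix had to be applied three times; the compare/mask/select sequence looks like a candidate for one shared unexported helper. KemDecrypt1024 begins and ends outside the hunk.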