An easy-to-host PDS on the ATProtocol, MacOS. Grandma-approved.

fix(crypto): clarify gf_mul comment in split_secret

It is the random coefficient (coeffs[i]), not the secret byte directly,
that passes through gf_mul. The secret byte only goes through gf_add
(XOR, inherently branchless). Security intent unchanged.

authored by malpercio.dev and committed by

Tangled a7a957e2 d845272e

+4 -4
crates/crypto/src/shamir.rs
··· 34 34 // Polynomial: f(x) = secret[i] + coeffs[i]·x in GF(2^8). 35 35 // f(0) = secret[i]. Shares are f(1), f(2), f(3). 36 36 // 37 - // Secret bytes are in the first argument of gf_mul. The polynomial 38 - // reduction inside gf_mul is branchless (mask-based), so bit patterns 39 - // of the secret are not observable through branch timing. The `if b & 1` 40 - // branch in gf_mul is on the public share index. 37 + // Secret-bearing coefficient bytes are in the first argument of gf_mul. 38 + // The polynomial reduction inside gf_mul is branchless (mask-based), so 39 + // bit patterns of the coefficients are not observable through branch 40 + // timing. The `if b & 1` branch in gf_mul is on the public share index. 41 41 for i in 0..32 { 42 42 let s = secret[i]; 43 43 let a = coeffs[i];
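Review bot: the rewritten comment (new lines 37-40) describes the first argument of gf_mul as "secret-bearing coefficient bytes" but never states the point the commit message makes, that secret[i] itself only passes through gf_add (XOR) and never enters gf_mul; add that sentence so a reader does not assume the first argument is the secret byte, for example "secret[i] is only combined via gf_add (XOR) and never enters gf_mul; the coefficient coeffs[i] does." The constant-time reasoning still holds as written, since coeffs[i] must stay confidential (a single coefficient plus one share recovers secret[i]), so the mask-based reduction on the first argument matters and the `if b & 1` branch is on the public share index. Consider also stating the threshold in the header comment: a degree-1 polynomial evaluated at x = 1, 2, 3 is a 2-of-3 split.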