Use array ct_eq from subtle instead of writing our own

rozbb · rozbb · commit b3d1fc84df05 · 2024-07-30T01:50:57.000-04:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -10,7 +10,7 @@ categories = ["cryptography", "no-std"]
 [dependencies]
 rand_core = "0.6.4"
 sha3 = { version = "0.10.8", default-features = false }
-subtle = { version = "2.5.0", default-features = false }
+subtle = { version = "2.6.0", default-features = false, features = ["const-generics"] }
 zeroize = { version = "1.8.1", default-features = false, features = ["derive"] }
 
 [dev-dependencies]
diff --git a/src/kem.rs b/src/kem.rs
@@ -225,10 +225,7 @@ pub fn decap<const L: usize, const MU: usize, const MODULUS_T_BITS: usize>(
 
     // k_or_z = k if reconstruction matched, else z. We do this in constant time using `subtle`
     let reconstruction_matched = reconstructed_ct.ct_eq(ciphertext);
-    let mut k_or_z = [0u8; 32];
-    for ((z_byte, k_byte), k_or_z_byte) in sk.z.iter().zip(k.iter()).zip(k_or_z.iter_mut()) {
-        *k_or_z_byte = u8::conditional_select(z_byte, k_byte, reconstruction_matched);
-    }
+    let k_or_z = <[u8; 32]>::conditional_select(&sk.z, &k, reconstruction_matched);
 
     // session key = SHA3-256(k_or_z || r')
     // The spec has the hash input order switched, but we're following the reference impl
