sphincs · sfluhrer · Mar 26, 2021 · Mar 26, 2021 · Mar 26, 2021 · Mar 27, 2021
diff --git a/Makefile b/Makefile
@@ -22,7 +22,7 @@ OBJECTS =         $(subst .cpp,.o,$(SOURCES))
 HEADERS =         api.h internal.h mgf1_8x.h sha256avx.h xn_internal.h \
                   fips202.h fips202x4.h
 TEST_SOURCES =    test_sphincs.cpp test_keygen.cpp test_sign.cpp \
-		  test_verify.cpp test_thread.cpp test_testvector.cpp \
+		  test_verify.cpp test_thread.cpp test_testvector.cpp test_fault.cpp \
 		  test_sha512.cpp
 
 TESTS = test PQCgenKAT_sign test_sphincs

diff --git a/README.md b/README.md
@@ -8,4 +8,8 @@ The specific features that this implements (that the reference code doesn't):
 
 - It can support multiple parameter sets at once
 
+- Optional detection of fault attacks
+
 It does assume that you have the AVX2 and AES_NI instructions available, as well as the Posix multithreading API - if not, well, I'll refer you to the Sphincs+ reference code...
+
+The fault detection works by the simple expedient of 'computing (most) everything twice; compare results'; we do try to ensure that the two computations are isolated (either by time, or being done by different threads)
diff --git a/api.h b/api.h
@@ -146,6 +146,8 @@ class key {
                            //<! signing.  We allow the application to tell
                            //<! us what this should be
 
+    bool detect_fault;     // Are we in fault detection mode?
+
     size_t initialize_geometry(struct signature_geometry& geo);
     void hash_message(struct signature_geometry& geo,
            const unsigned char *r,
@@ -528,6 +530,7 @@ class key {
     /// @param[in] n Try to use n threads.  This count includes the parent
     ///             thread
     void set_num_thread(unsigned n) { num_thread = n; }
+    void set_fault_detection(bool flag) { detect_fault = flag; }
 
     virtual ~key(void);
 };

diff --git a/internal.h b/internal.h
@@ -44,6 +44,9 @@ const unsigned default_thread = 4; //<! If the application doesn't tell us
 const unsigned max_thread = 16; //<! No matter what the application says,
                             //<! don't use more than 16 threads
 
+const bool default_detect_fault = false; //<! Turn off fault detected by
+                            //<! default (it's expensive)
+
 //<! Offsets of objects within a private key (figure 12 of the Sphincs+ spec)
 //<! These are implicitly multiplied by n to get the byte offset
 enum {

diff --git a/read.me b/read.me
@@ -97,6 +97,11 @@ Here is how this package is used:
     - signer.set_num_thread(4) sets the number of threads we attempt to use
       while generating a signature; passing a 1 signifies that we shouldn't
       spawn any child threads; it is also subject to a sane maximum.
+
+    - signer.set_fault_detection(true) tells the Sphincs+ code to
+      automatically detect fault attacks (and fail the signer process if
+      detected); this does slow the signing process by perhaps a factor
+      of two.
 
     - All key classes (such as key_sha256_128s_simple) are subclasses of
       a master sphincs_plus::key class, this logic works as expected: