std.crypto.kem.kyber: mitigate KyberSlash #18316

Merged: 1 commit, Dec 22, 2023

Conversation

jedisct1
Contributor

On some architectures, including AMD Zen CPUs, dividing a secret by a constant denominator may not be a constant-time operation.

And most Kyber implementations, including ours, could leak the Hamming weight of the shared secret because of this. See:

https://kyberslash.cr.yp.to

Multiplications aren't guaranteed to be constant-time either, but at least on the CPUs we support, they are.
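To make the issue and the mitigation concrete, here is an added example (not code from the Zig standard library or from this PR): Kyber's Compress_d written first with the division by the constant q that KyberSlash is about, then with a multiply-and-shift by a precomputed reciprocal, together with an exhaustive check that the two agree for every input. The modulus q = 3329 and the compression widths are Kyber's own; the reciprocal width of 40 bits and the use of a 64-bit multiply are choices made here for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329u

/* Kyber's Compress_d: round(2^d * x / q) mod 2^d for x in [0, q).
 * Written with a division by the constant q. A compiler may lower this to a
 * DIV instruction whose latency depends on the secret operand on some CPUs
 * (e.g. AMD Zen), which is the KyberSlash leak. */
static uint16_t compress_div(uint16_t x, unsigned d) {
    uint32_t t = ((uint32_t)x << d) + KYBER_Q / 2;
    return (uint16_t)((t / KYBER_Q) & ((1u << d) - 1));
}

/* Reciprocal for the division-free variant: m = ceil(2^K / q), computed at
 * compile time from public values only. With e = m*q - 2^K (0 <= e < q),
 * floor(t*m / 2^K) == floor(t / q) holds whenever t*e < 2^K. The largest t
 * fed in below is under 2^23 (d = 11) and e < 2^12, so K = 40 is ample. */
#define RECIP_SHIFT 40
#define RECIP_M (((1ull << RECIP_SHIFT) + KYBER_Q - 1) / KYBER_Q)

/* Same function with a multiply-and-shift in place of the division. The
 * 64-bit multiply is assumed fixed-latency on the x86-64/AArch64 targets
 * this mitigation targets; as the PR notes, that is not universally true. */
static uint16_t compress_mul(uint16_t x, unsigned d) {
    uint64_t t = ((uint64_t)x << d) + KYBER_Q / 2;
    uint64_t quot = (t * RECIP_M) >> RECIP_SHIFT;
    return (uint16_t)(quot & ((1u << d) - 1));
}

/* Exhaustively compare the two for every x in [0, q) and every d from 1 to
 * 11, which covers the widths Kyber uses (1, 4, 5, 10, 11). Returns the
 * number of mismatches; 0 means the mitigation is a drop-in replacement. */
static unsigned long compress_mismatches(void) {
    unsigned long bad = 0;
    for (unsigned d = 1; d <= 11; d++)
        for (uint16_t x = 0; x < KYBER_Q; x++)
            if (compress_div(x, d) != compress_mul(x, d))
                bad++;
    return bad;
}

int main(void) {
    printf("mismatches: %lu\n", compress_mismatches());
    return 0;
}
```

The exhaustive check is the part worth keeping next to any such rewrite: it is what lets a reviewer trust a multiply-and-shift that no longer looks like the textbook formula.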

@jedisct1
Contributor Author

/cc @bwesterb

@andrewrk
Member

Note that, while unlikely, this still permits the compiler to detect that the code is equivalent to a division, and lower to a division.

Proper solution will be #1776. Although we don't have a fully specified proposal, I have marked that issue as "accepted" meaning that implementing such a feature blocks the release of Zig 1.0.

Member

@andrewrk andrewrk left a comment

I think you should also introduce a comment explaining why it is doing this instead of the more straightforward division operation, lest someone come in and simplify the logic, blissfully unaware of the mitigation that is in place.

@jedisct1 jedisct1 requested a review from andrewrk December 19, 2023 21:47
Member

@andrewrk andrewrk left a comment

Thanks!

@bwesterb
Contributor

lgtm, thanks.

On some architectures, including AMD Zen CPUs, dividing a secret
by a constant denominator may not be a constant-time operation.

And most Kyber implementations, including ours, could leak the
Hamming weight of the shared secret because of this. See:

https://kyberslash.cr.yp.to

Multiplications aren't guaranteed to be constant-time either, but
at least on the CPUs we currently support, they are.
@jedisct1 jedisct1 enabled auto-merge (squash) December 20, 2023 10:52
@jedisct1 jedisct1 merged commit 21ae648 into ziglang:master Dec 22, 2023
@jedisct1 jedisct1 deleted the kyberslash branch December 22, 2023 21:31
RossComputerGuy pushed a commit to ExpidusOS-archive/zig that referenced this pull request Jan 6, 2024