Open Bug 1900430 Opened 1 year ago Updated 8 months ago

Add defenses against compiler-introduced timing leak in Kyber's poly_frommsg and similar functions

Categories: NSS :: Libraries, defect, P3
Tracking: Not tracked
Status: ASSIGNED
People: Reporter: jschanck, Assigned: jschanck
References: Blocks 1 open bug

Details

Antoon Purnal from PQShield has found that recent versions of Clang will replace a loop such as

for (j = 0; j < 8; j++) {
    /* mask is 0x0000 or 0xFFFF depending on message bit j of byte i */
    mask = -(int16_t)((msg[i] >> j) & 1);
    /* branch-free select: either (q+1)/2 or 0 */
    r->coeffs[8 * i + j] = mask & ((KYBER_Q + 1) / 2);
}

with

for (j = 0; j < 8; j++) {
    /* the compiler recognises the 0/-1 mask as a selector and emits a
     * secret-dependent branch instead of the AND */
    if ((msg[i] >> j) & 1)
        r->coeffs[8 * i + j] = (KYBER_Q + 1) / 2;
    else
        r->coeffs[8 * i + j] = 0;
}

This example is from Kyber's poly_frommsg, but it represents a common pattern in "constant time" C code. We should implement a systematic countermeasure. I do not believe that the patch submitted to the pq-crystals repository will work in Firefox unified builds. So we will likely have to use a value barrier.
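As an added illustration (not the NSS patch or the pq-crystals code), the following shows the value-barrier approach mentioned above: an empty inline asm with the mask as an in/out operand hides its 0/-1 structure from the optimizer, so the AND cannot be rewritten as a branch. Function names are my own, KYBER_Q = 3329 is the modulus from the Kyber specification, and the all-ones/alternating message bytes are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329            /* Kyber modulus (from the spec) */
#define KYBER_N 256
#define MSG_BYTES (KYBER_N / 8)  /* 32-byte message */

/* Value barrier: the asm does nothing, but "+r"(x) tells the compiler that x
 * is read and possibly modified, so it can no longer prove x is a 0/-1 mask
 * derived from a message bit and has to keep the arithmetic that follows. */
static inline int16_t value_barrier_i16(int16_t x) {
#if defined(__GNUC__)
    __asm__("" : "+r"(x));
#else
    volatile int16_t v = x;  /* fallback for other compilers: memory round trip */
    x = v;
#endif
    return x;
}

/* poly_frommsg-style decoding with the barrier applied to the mask. */
void poly_frommsg_barrier(int16_t coeffs[KYBER_N], const uint8_t msg[MSG_BYTES]) {
    for (size_t i = 0; i < MSG_BYTES; i++) {
        for (size_t j = 0; j < 8; j++) {
            int16_t mask = -(int16_t)((msg[i] >> j) & 1);
            mask = value_barrier_i16(mask);
            coeffs[8 * i + j] = mask & ((KYBER_Q + 1) / 2);
        }
    }
}

/* Functional check: the barriered version must still decode every bit to
 * (q+1)/2 or 0 exactly as the reference definition does. Returns 1 on match. */
int poly_frommsg_matches_reference(const uint8_t msg[MSG_BYTES]) {
    int16_t got[KYBER_N];
    poly_frommsg_barrier(got, msg);
    for (size_t k = 0; k < KYBER_N; k++) {
        int16_t want = ((msg[k / 8] >> (k % 8)) & 1) ? (KYBER_Q + 1) / 2 : 0;
        if (got[k] != want) return 0;
    }
    return 1;
}

int main(void) {
    uint8_t msg[MSG_BYTES];  /* constructed input: alternating bit pattern */
    for (size_t i = 0; i < MSG_BYTES; i++) msg[i] = (i & 1) ? 0xAA : 0x55;
    printf("barrier version matches reference: %d\n", poly_frommsg_matches_reference(msg));
    return 0;
}
```

Whether the barrier actually survived can only be confirmed by inspecting the generated assembly (e.g. checking that no conditional branch on the message bit remains), since the functional check above passes for both the masked and the branchy form.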
