From 1eb8fbe8d36a9a8a73d6d056b9be71ce10e0dee0 Mon Sep 17 00:00:00 2001
From: "Matthias J. Kannwischer"
Date: Mon, 14 Dec 2020 16:39:10 +0100
Subject: [PATCH] FrodoKEM: Fix bug in the output of the ct_verify function (#367)

* Fix bug in the output of the ct_verify function

A bug in the CCA transformation was reported on the pqc-forum on 2020-12-10
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/kSUKzDNc5ME
It was fixed today in https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db.
This commit ports that fix to PQClean

* add note to SECURITY.md

* update upstream commit in META.yml
---
 SECURITY.md                               | 3 +++
 crypto_kem/frodokem1344aes/META.yml       | 4 ++--
 crypto_kem/frodokem1344aes/clean/util.c   | 2 +-
 crypto_kem/frodokem1344aes/opt/util.c     | 2 +-
 crypto_kem/frodokem1344shake/META.yml     | 4 ++--
 crypto_kem/frodokem1344shake/clean/util.c | 2 +-
 crypto_kem/frodokem1344shake/opt/util.c   | 2 +-
 crypto_kem/frodokem640aes/META.yml        | 4 ++--
 crypto_kem/frodokem640aes/clean/util.c    | 2 +-
 crypto_kem/frodokem640aes/opt/util.c      | 2 +-
 crypto_kem/frodokem640shake/META.yml      | 4 ++--
 crypto_kem/frodokem640shake/clean/util.c  | 2 +-
 crypto_kem/frodokem640shake/opt/util.c    | 2 +-
 crypto_kem/frodokem976aes/META.yml        | 4 ++--
 crypto_kem/frodokem976aes/clean/util.c    | 2 +-
 crypto_kem/frodokem976aes/opt/util.c      | 2 +-
 crypto_kem/frodokem976shake/META.yml      | 4 ++--
 crypto_kem/frodokem976shake/clean/util.c  | 2 +-
 crypto_kem/frodokem976shake/opt/util.c    | 2 +-
 19 files changed, 27 insertions(+), 24 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md index 9575607a..e5beb5d7 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -24,6 +24,9 @@ Use at your own risk. ### 2019-XX-XX --> +### 2020-12-11 +* The fix of the timing leak in the CCA transform of FrodoKEM in [PR #303](https://github.com/PQClean/PQClean/pull/303) was ineffective. The FrodoKEM team released another [fix](https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db) which was ported to PQClean in [PR #367](https://github.com/PQClean/PQClean/pull/367). + ### 2020-06-19 * A potential timing leak was present in the FrodoKEM decapsulation routine, as identified by [Guo, Johansson, and Nilsson](https://eprint.iacr.org/2020/743). This was fixed in [PR #303](https://github.com/PQClean/PQClean/pull/303). diff --git a/crypto_kem/frodokem1344aes/META.yml b/crypto_kem/frodokem1344aes/META.yml index 21fc42df..4f77bf69 100644 --- a/crypto_kem/frodokem1344aes/META.yml +++ b/crypto_kem/frodokem1344aes/META.yml @@ -23,6 +23,6 @@ auxiliary-submitters: - Brian LaMacchia, Microsoft Research implementations: - name: clean - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db - name: opt - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db diff --git a/crypto_kem/frodokem1344aes/clean/util.c b/crypto_kem/frodokem1344aes/clean/util.c index ac291eac..1bf08bc7 100644 --- a/crypto_kem/frodokem1344aes/clean/util.c +++ b/crypto_kem/frodokem1344aes/clean/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } 
diff --git a/crypto_kem/frodokem1344aes/opt/util.c b/crypto_kem/frodokem1344aes/opt/util.c index c05d1f11..0fdc6757 100644 --- a/crypto_kem/frodokem1344aes/opt/util.c +++ b/crypto_kem/frodokem1344aes/opt/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344AES_OPT_ct_verify(const uint16_t *a, const uint16_t * r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } diff --git a/crypto_kem/frodokem1344shake/META.yml b/crypto_kem/frodokem1344shake/META.yml index 525f9291..4eb08cc9 100644 --- a/crypto_kem/frodokem1344shake/META.yml +++ b/crypto_kem/frodokem1344shake/META.yml @@ -23,6 +23,6 @@ auxiliary-submitters: - Brian LaMacchia, Microsoft Research implementations: - name: clean - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db - name: opt - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db diff --git a/crypto_kem/frodokem1344shake/clean/util.c b/crypto_kem/frodokem1344shake/clean/util.c index 9c1eae62..d7462df6 100644 --- a/crypto_kem/frodokem1344shake/clean/util.c +++ b/crypto_kem/frodokem1344shake/clean/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16 r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } diff --git a/crypto_kem/frodokem1344shake/opt/util.c b/crypto_kem/frodokem1344shake/opt/util.c index 73cf8df9..04915b41 100644 --- a/crypto_kem/frodokem1344shake/opt/util.c +++ b/crypto_kem/frodokem1344shake/opt/util.c 
@@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344SHAKE_OPT_ct_verify(const uint16_t *a, const uint16_t r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } diff --git a/crypto_kem/frodokem640aes/META.yml b/crypto_kem/frodokem640aes/META.yml index 186ab429..b4763752 100644 --- a/crypto_kem/frodokem640aes/META.yml +++ b/crypto_kem/frodokem640aes/META.yml @@ -23,6 +23,6 @@ auxiliary-submitters: - Brian LaMacchia, Microsoft Research implementations: - name: clean - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db - name: opt - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db diff --git a/crypto_kem/frodokem640aes/clean/util.c b/crypto_kem/frodokem640aes/clean/util.c index 84dd0ca0..9889025e 100644 --- a/crypto_kem/frodokem640aes/clean/util.c +++ b/crypto_kem/frodokem640aes/clean/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } diff --git a/crypto_kem/frodokem640aes/opt/util.c b/crypto_kem/frodokem640aes/opt/util.c index ef739987..d7b42b00 100644 --- a/crypto_kem/frodokem640aes/opt/util.c +++ b/crypto_kem/frodokem640aes/opt/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } 
diff --git a/crypto_kem/frodokem640shake/META.yml b/crypto_kem/frodokem640shake/META.yml index 75f70a63..3367c19d 100644 --- a/crypto_kem/frodokem640shake/META.yml +++ b/crypto_kem/frodokem640shake/META.yml @@ -23,6 +23,6 @@ auxiliary-submitters: - Brian LaMacchia, Microsoft Research implementations: - name: clean - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db - name: opt - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db diff --git a/crypto_kem/frodokem640shake/clean/util.c b/crypto_kem/frodokem640shake/clean/util.c index 621a3a5c..67be6b76 100644 --- a/crypto_kem/frodokem640shake/clean/util.c +++ b/crypto_kem/frodokem640shake/clean/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_ r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } diff --git a/crypto_kem/frodokem640shake/opt/util.c b/crypto_kem/frodokem640shake/opt/util.c index 518fd646..0f08df17 100644 --- a/crypto_kem/frodokem640shake/opt/util.c +++ b/crypto_kem/frodokem640shake/opt/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640SHAKE_OPT_ct_verify(const uint16_t *a, const uint16_t r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } diff --git a/crypto_kem/frodokem976aes/META.yml b/crypto_kem/frodokem976aes/META.yml index c93376c1..ea9b5811 100644 --- a/crypto_kem/frodokem976aes/META.yml +++ b/crypto_kem/frodokem976aes/META.yml 
@@ -23,6 +23,6 @@ auxiliary-submitters: - Brian LaMacchia, Microsoft Research implementations: - name: clean - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db - name: opt - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db diff --git a/crypto_kem/frodokem976aes/clean/util.c b/crypto_kem/frodokem976aes/clean/util.c index e440ddef..81e46ca4 100644 --- a/crypto_kem/frodokem976aes/clean/util.c +++ b/crypto_kem/frodokem976aes/clean/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } diff --git a/crypto_kem/frodokem976aes/opt/util.c b/crypto_kem/frodokem976aes/opt/util.c index 02191023..f7e62818 100644 --- a/crypto_kem/frodokem976aes/opt/util.c +++ b/crypto_kem/frodokem976aes/opt/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } diff --git a/crypto_kem/frodokem976shake/META.yml b/crypto_kem/frodokem976shake/META.yml index 15943f25..6de9a503 100644 --- a/crypto_kem/frodokem976shake/META.yml +++ b/crypto_kem/frodokem976shake/META.yml 
@@ -23,6 +23,6 @@ auxiliary-submitters: - Brian LaMacchia, Microsoft Research implementations: - name: clean - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db - name: opt - version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89 + version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db diff --git a/crypto_kem/frodokem976shake/clean/util.c b/crypto_kem/frodokem976shake/clean/util.c index 042572b5..a710a1bf 100644 --- a/crypto_kem/frodokem976shake/clean/util.c +++ b/crypto_kem/frodokem976shake/clean/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_ r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; } diff --git a/crypto_kem/frodokem976shake/opt/util.c b/crypto_kem/frodokem976shake/opt/util.c index 3b3e7286..34f86cb3 100644 --- a/crypto_kem/frodokem976shake/opt/util.c +++ b/crypto_kem/frodokem976shake/opt/util.c @@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976SHAKE_OPT_ct_verify(const uint16_t *a, const uint16_t r |= a[i] ^ b[i]; } - r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1); + r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); return (int8_t)r; }
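Review bot: the new SECURITY.md entry (first hunk) says the PR #303 fix "was ineffective" but never states what the defect in `ct_verify` actually is, so a downstream user reading only this file cannot judge whether their build is affected. Suggest one sentence on the cause, derived from the util.c hunks below it: `ct_verify` returned 0 (equal) whenever the accumulated XOR difference had bit 15 set, so a comparison that should have failed could report equality inside the CCA transform. Stating that this is a correctness bug in the comparison result, distinct from the 2020-06-19 timing entry, would also make the two entries read consistently.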
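Review bot: the replaced line in the util.c hunks (byte-identical across all twelve clean/opt files) is the whole fix and deserves a comment, because the new expression is not self-explanatory. Assuming `r` is a `uint16_t` as the `(int16_t)` cast implies, the old `r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);` fails whenever bit 15 of `r` is set: `(int16_t)r` is then negative, its negation is computed in `int` and comes out positive, and the shift produces 0 (or 1 for `r == 0x8000`) instead of -1, so two inputs that differ only in the top bit of some word compare as equal. The new `r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);` keeps both operands in [0, 0x7FFF] before the cast, so each negation is non-positive and the OR is negative exactly when `r != 0`; the final shift then yields -1 or 0 as intended. Suggest a one-line comment saying why the split into `r >> 1` and `r & 1` is needed, plus a regression test in the shared harness (rather than per scheme, given twelve hand-copied functions) with `a[i] ^ b[i]` equal to 0x8000 and 0x8001 expecting -1 and `a == b` expecting 0. The result still relies on `>>` of a negative `int` being an arithmetic shift, as the old code already did; worth noting in the same comment.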