FrodoKEM: Fix bug in the output of the ct_verify function (#367)
* Fix bug in the output of the ct_verify function
A bug in the CCA transformation was reported on the pqc-forum on 2020-12-10
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/kSUKzDNc5ME
It was fixed today in 669522db63.
This commit ports that fix to PQClean
* add note to SECURITY.md
* update upstream commit in META.yml
bovenliggende
f1c917abb8
commit
1eb8fbe8d3
@ -24,6 +24,9 @@ Use at your own risk.
|
||||
### 2019-XX-XX
|
||||
-->
|
||||
|
||||
### 2020-12-11
|
||||
* The fix of the timing leak in the CCA transform of FrodoKEM in [PR #303](https://github.com/PQClean/PQClean/pull/303) was ineffective. The FrodoKEM team released another [fix](https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db) which was ported to PQClean in [PR #367](https://github.com/PQClean/PQClean/pull/367).
|
||||
|
||||
### 2020-06-19
|
||||
* A potential timing leak was present in the FrodoKEM decapsulation routine, as identified by [Guo, Johansson, and Nilsson](https://eprint.iacr.org/2020/743). This was fixed in [PR #303](https://github.com/PQClean/PQClean/pull/303).
|
||||
|
||||
|
@ -23,6 +23,6 @@ auxiliary-submitters:
|
||||
- Brian LaMacchia, Microsoft Research
|
||||
implementations:
|
||||
- name: clean
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
- name: opt
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
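Review bot: The replacement line `r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);` is correct only because the right shift of a negative `int` is arithmetic (implementation-defined under C11 6.5.7), and because the store back into the `uint16_t` `r` and the final `(int8_t)r` wrap modulo 2^n, yet nothing in the hunk records why the value is split into `r >> 1` and `r & 1`. The old line failed precisely when the OR of the differences was `0x8000`: `(int16_t)0x8000` is -32768, its negation promotes to int +32768 whose sign bit is clear, so the shift produced 1 instead of the all-ones mask the constant-time select at the call site relies on, and the comparison effectively succeeded for a ciphertext that differed only in that bit pattern. Suggested comment above the line: `/* Split r so neither negation can reach INT16_MIN: -(int16_t)0x8000 is +32768 and would shift to 1, not -1. Both halves are <= 0, so the arithmetic shift yields 0 when a == b and -1 (all ones) otherwise. */`, and a regression test feeding inputs whose only difference is `a[0] ^ b[0] == 0x8000` would pin the expected -1. The enclosing function (declaration of `r`, loop header) starts outside the hunk, and the identical change appears in the OPT variant of this parameter set and in the 640/976 AES/SHAKE clean and opt variants below, so the same comment belongs in each.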
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344AES_OPT_ct_verify(const uint16_t *a, const uint16_t *
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -23,6 +23,6 @@ auxiliary-submitters:
|
||||
- Brian LaMacchia, Microsoft Research
|
||||
implementations:
|
||||
- name: clean
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
- name: opt
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344SHAKE_OPT_ct_verify(const uint16_t *a, const uint16_t
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -23,6 +23,6 @@ auxiliary-submitters:
|
||||
- Brian LaMacchia, Microsoft Research
|
||||
implementations:
|
||||
- name: clean
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
- name: opt
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -23,6 +23,6 @@ auxiliary-submitters:
|
||||
- Brian LaMacchia, Microsoft Research
|
||||
implementations:
|
||||
- name: clean
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
- name: opt
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640SHAKE_OPT_ct_verify(const uint16_t *a, const uint16_t
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -23,6 +23,6 @@ auxiliary-submitters:
|
||||
- Brian LaMacchia, Microsoft Research
|
||||
implementations:
|
||||
- name: clean
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
- name: opt
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -23,6 +23,6 @@ auxiliary-submitters:
|
||||
- Brian LaMacchia, Microsoft Research
|
||||
implementations:
|
||||
- name: clean
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
- name: opt
|
||||
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
|
||||
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|
@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976SHAKE_OPT_ct_verify(const uint16_t *a, const uint16_t
|
||||
r |= a[i] ^ b[i];
|
||||
}
|
||||
|
||||
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
|
||||
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
|
||||
return (int8_t)r;
|
||||
}
|
||||
|
||||
|