FrodoKEM: Fix bug in the output of the ct_verify function (#367)

* Fix bug in the output of the ct_verify function

A bug in the CCA transformation was reported on the pqc-forum on 2020-12-10
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/kSUKzDNc5ME

It was fixed today in 669522db63.
This commit ports that fix to PQClean

* add note to SECURITY.md

* update upstream commit in META.yml
Cette révision appartient à :
Matthias J. Kannwischer 2020-12-14 16:39:10 +01:00 révisé par Kris Kwiatkowski
Parent f1c917abb8
révision 1eb8fbe8d3
19 fichiers modifiés avec 27 ajouts et 24 suppressions

Voir le fichier

@ -24,6 +24,9 @@ Use at your own risk.
### 2019-XX-XX
-->
### 2020-12-11
* The fix of the timing leak in the CCA transform of FrodoKEM in [PR #303](https://github.com/PQClean/PQClean/pull/303) was ineffective. The FrodoKEM team released another [fix](https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db) which was ported to PQClean in [PR #367](https://github.com/PQClean/PQClean/pull/367).
### 2020-06-19
* A potential timing leak was present in the FrodoKEM decapsulation routine, as identified by [Guo, Johansson, and Nilsson](https://eprint.iacr.org/2020/743). This was fixed in [PR #303](https://github.com/PQClean/PQClean/pull/303).

Voir le fichier

@ -23,6 +23,6 @@ auxiliary-submitters:
- Brian LaMacchia, Microsoft Research
implementations:
- name: clean
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
- name: opt
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344AES_OPT_ct_verify(const uint16_t *a, const uint16_t *
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -23,6 +23,6 @@ auxiliary-submitters:
- Brian LaMacchia, Microsoft Research
implementations:
- name: clean
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
- name: opt
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM1344SHAKE_OPT_ct_verify(const uint16_t *a, const uint16_t
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -23,6 +23,6 @@ auxiliary-submitters:
- Brian LaMacchia, Microsoft Research
implementations:
- name: clean
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
- name: opt
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -23,6 +23,6 @@ auxiliary-submitters:
- Brian LaMacchia, Microsoft Research
implementations:
- name: clean
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
- name: opt
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM640SHAKE_OPT_ct_verify(const uint16_t *a, const uint16_t
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -23,6 +23,6 @@ auxiliary-submitters:
- Brian LaMacchia, Microsoft Research
implementations:
- name: clean
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
- name: opt
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -23,6 +23,6 @@ auxiliary-submitters:
- Brian LaMacchia, Microsoft Research
implementations:
- name: clean
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
- name: opt
version: https://github.com/Microsoft/PQCrypto-LWEKE/commit/d5bbd0417ba111b08a959c0042a1dcc65fb14a89
version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}

Voir le fichier

@ -238,7 +238,7 @@ int8_t PQCLEAN_FRODOKEM976SHAKE_OPT_ct_verify(const uint16_t *a, const uint16_t
r |= a[i] ^ b[i];
}
r = (-(int16_t)r) >> (8 * sizeof(uint16_t) -1);
r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}