Argyle-Software/kyber

Potential compiler introduced timing leak

zugzwang opened this issue · 2 comments

I haven't confirmed but it looks like this library is also vulnerable to https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU

See

r.coeffs[8 * i + j] = (mask & ((KYBER_Q + 1) / 2) as u16) as i16;

and the fix in the reference implementation pq-crystals/kyber@9b8d306
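The following is an added example written for this page; it is not code from Argyle-Software/kyber or from the reference implementation. It puts the quoted mask-and encoding of a message bit into a polynomial coefficient side by side with an xor/and conditional-move form, which is my reading of what the reference fix changed to (the cmov_int16 name, the Poly type and the constant values KYBER_Q = 3329, KYBER_N = 256 and KYBER_SYMBYTES = 32 are assumptions here). Both functions must produce identical polynomials; the difference is only in which operations the compiler sees, and since neither form is guaranteed branch-free by the language, inspecting the generated assembly, as the thread does with godbolt, remains the real check.

```rust
// Added example, not the crate's own code. Constants assumed to match Kyber's.
pub const KYBER_Q: i16 = 3329;
pub const KYBER_N: usize = 256;
pub const KYBER_SYMBYTES: usize = 32;

/// A polynomial with KYBER_N coefficients (hypothetical type for this example).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Poly {
    pub coeffs: [i16; KYBER_N],
}

impl Poly {
    pub fn zero() -> Self {
        Poly { coeffs: [0i16; KYBER_N] }
    }
}

/// Encoding in the style of the quoted line: build an all-ones or all-zeros
/// mask from the message bit and AND it with ceil(q/2). The concern raised in
/// the issue is that a compiler may rewrite this AND-with-mask as a branch or
/// conditional select keyed on the secret bit.
pub fn poly_frommsg_mask(msg: &[u8; KYBER_SYMBYTES]) -> Poly {
    let mut r = Poly::zero();
    for i in 0..KYBER_N / 8 {
        for j in 0..8 {
            // 0x0000 if the bit is clear, 0xFFFF if it is set
            let mask = (((msg[i] >> j) & 1) as u16).wrapping_neg();
            r.coeffs[8 * i + j] = (mask & ((KYBER_Q as u16 + 1) / 2)) as i16;
        }
    }
    r
}

/// Conditional move on an i16: *r = v when b == 1, unchanged when b == 0.
/// Written with xor/and on a full-width mask, modelled on the cmov_int16
/// helper of the reference C code (assumption: this is the form the fix used).
pub fn cmov_int16(r: &mut i16, v: i16, b: u16) {
    let mask = b.wrapping_neg() as i16; // 0 or -1
    *r ^= mask & (*r ^ v);
}

/// Same encoding as above, expressed through the conditional move.
pub fn poly_frommsg_cmov(msg: &[u8; KYBER_SYMBYTES]) -> Poly {
    let mut r = Poly::zero();
    for i in 0..KYBER_N / 8 {
        for j in 0..8 {
            r.coeffs[8 * i + j] = 0;
            cmov_int16(
                &mut r.coeffs[8 * i + j],
                (KYBER_Q + 1) / 2,
                ((msg[i] >> j) & 1) as u16,
            );
        }
    }
    r
}

fn main() {
    // Constructed sample message: a mixed byte at the start, all-ones at the end.
    let mut msg = [0u8; KYBER_SYMBYTES];
    msg[0] = 0b1010_0101;
    msg[31] = 0xFF;
    let a = poly_frommsg_mask(&msg);
    let b = poly_frommsg_cmov(&msg);
    println!("encodings agree: {}", a == b);
    println!("coeffs[0..8] = {:?}", &a.coeffs[..8]);
}
```

When compiling this for real use, compare the optimised assembly of both functions (as the godbolt links in the thread do for the crate) rather than trusting the source form alone.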

As a slight reassurance, godbolt doesn't demonstrate such a branch in the current rust code on x86_64, although still good to ensure that it won't in a future update to LLVM.

O3 - https://godbolt.org/z/jdT4dnvEr
Os - https://godbolt.org/z/YTsojG5xo

Fixed in safe_pqc_kyber 0.6.3+.