Argyle-Software/kyber

Removing "90s"?

adamierymenko opened this issue · 5 comments

It might make sense to remove "90s" mode at some point since from what I can see on the mailing list it's not going to be standardized and therefore also will not fall under the carte blanche patent grant that only covers the standardized form.

Thanks for the update.

For now, happy to leave it; it's feature-gated code, so it doesn't impact anyone not using it. The HW advantages might benefit someone out there.

Given the recent CVE in the official SHA-3 implementation, I'd err on the side of keeping it in there as an alternative.

Guess I'll have to read up on the patent matter, was under the impression that was resolved a while ago?

Given the recent CVE in the official SHA-3 implementation

This did not affect Kyber's SHA-3 implementation. I'm pretty confident that SHA-3 is easier to implement correctly and safely than the 90s mode.

mberry commented

Sure, but the fact that such a simple exploit existed in XKCP for so many years after standardisation is fair reason for general caution and keeping 90's mode as an alternative widely implemented even on the most low-end devices that can be quickly switched out with nothing more than a cargo feature flag if needed.
SHA3 hardware acceleration is the ideal outcome for everyone yet a slow ongoing process.
This library will aim to maintain 90's mode as specified in round 3 unless there is a security issue from doing so or overwhelming performance regressions compared to using Keccak on most hardware.

mberry commented

The vulnerable code was released in January 2011, so it took well over a decade for this vulnerability to be found. It appears to be difficult to find vulnerabilities in cryptographic implementations, even though they play a critical role in the overall security of a system.

Prudence suggests it's best to leave our 90s feature as a quick and easy drop-in for any surprises with SHA3.

https://mouha.be/sha-3-buffer-overflow/

Unless there is any more discussion I'll close this issue one month from now.

mberry commented

Alright, so a bit late to do it, but this is getting closed. Yet to see any coherent arguments against keeping it; if there are implementation flaws in the 90s code or an underlying issue, please contact via security.md.

Everyone should be aware there are benefits and drawbacks of using 90's mode in this repo depending on platform.

Shake and SHA3 (i.e. not 90s mode) are the default and recommended for basically all use-cases; we have a benchmarking suite for you to easily compare the two on your hardware.