Needs to avoid branching on secret data
kriskwiatkowski opened this issue · 7 comments
I think your code has a similar problem as the one described by Qian Guo, Thomas Johansson, Alexander Nilsson, "A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM."
https://eprint.iacr.org/2020/743
The interesting line would be this one:
Line 145 in d2e4b12
But it is interesting stuff.
Kind regards,
Kris Kwiatkowski
Thank you Kris for the review, I will be fixing this as soon as I have a couple of hours. -- Ed
@henrydcase let me know if it is OK for you, so I can close the ticket. -- Thanks
It won't help. You need something like:
a := uint16Equals(Bprime, Bprimeprime)
a &= uint16Equals(C, Cprime)
assuming uint16Equals is constant time and returns 0 or 1 instead of a bool.
In Go, if you have `a() && b()` and a() returns false, then b() is not called, which causes a problem here.
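Added illustration of the pattern recommended above (not code from the repository under discussion): a branch-free uint16 equality returning 0 or 1, the two-part comparison combined with `&=` so neither half is skipped, and a mask-based selection of the returned bytes so the decapsulation output is not branched on either. The function names, the `ctSelect` step and the sample values are my own assumptions.

```go
package main

import "fmt"

// ctEqU16 returns 1 if x == y and 0 otherwise, with no data-dependent branch.
func ctEqU16(x, y uint16) uint16 {
	d := uint32(x ^ y) // zero iff x == y
	// For d in [0, 2^16), (d - 1) >> 31 is 1 only when d == 0 (the borrow sets the top bit).
	return uint16((d - 1) >> 31)
}

// ctEqSliceU16 returns 1 if a and b are equal, 0 otherwise. Every element is visited
// regardless of where a mismatch occurs; lengths are public (fixed-size KEM components).
func ctEqSliceU16(a, b []uint16) uint16 {
	if len(a) != len(b) {
		return 0
	}
	acc := uint16(1)
	for i := range a {
		acc &= ctEqU16(a[i], b[i])
	}
	return acc
}

// foCheck is the re-encryption comparison from the thread: both halves are
// compared and the results are combined with &=, so neither is skipped.
func foCheck(Bprime, Bprimeprime, C, Cprime []uint16) uint16 {
	a := ctEqSliceU16(Bprime, Bprimeprime)
	a &= ctEqSliceU16(C, Cprime)
	return a
}

// ctSelect returns a copy of ifOne when ok == 1 and of ifZero when ok == 0, using a
// byte mask instead of an if on the comparison result (assumed extra step, not from the page).
func ctSelect(ok uint16, ifOne, ifZero []byte) []byte {
	m := byte(0) - byte(ok&1) // 0xFF when ok == 1, 0x00 when ok == 0
	out := make([]byte, len(ifOne))
	for i := range out {
		out[i] = (ifOne[i] & m) | (ifZero[i] &^ m)
	}
	return out
}

func main() {
	// Constructed sample values, not real FrodoKEM ciphertexts.
	b1, c1 := []uint16{1, 2, 3}, []uint16{9, 8}
	fmt.Println(foCheck(b1, b1, c1, []uint16{9, 7}))     // 0
	fmt.Println(ctSelect(0, []byte{1, 1}, []byte{7, 7})) // [7 7]
}
```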
Sorry. Yes, now it should be constant time ... I was looking at it a bit more at a higher level than I should.
@henrydcase I believe the last commit should fix it.
Just did a quick look, but indeed that looks better.
Thank you @henrydcase - I will close this ticket and release v1.0.1