Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix BIKE constant-time errors #1632

Merged
merged 5 commits into from
Jan 2, 2024
Merged

Fix BIKE constant-time errors #1632

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4a21adc
Document BIKE CT issues
SWilson4 Dec 18, 2023
2b41b24
Document / fix BIKE constant-time errors
SWilson4 Dec 18, 2023
8639f31
Revert "< 64" comparison change
SWilson4 Dec 19, 2023
156e719
Add and use secure_cmpeq64_mask function
SWilson4 Dec 20, 2023
36072f7
Remove unnecessary static_assert
SWilson4 Dec 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion src/kem/bike/additional_r4/decode_portable.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@ rotr_big(OUT syndrome_t *out, IN const syndrome_t *in, IN size_t qw_num)
_INLINE_ void
rotr_small(OUT syndrome_t *out, IN const syndrome_t *in, IN const size_t bits)
{
bike_static_assert(bits < 64, rotr_small_err);
bike_static_assert(sizeof(*out) > (8 * R_QWORDS), rotr_small_qw_err);

// Convert |bits| to 0/1 by using !!bits; then create a mask of 0 or
Expand Down
17 changes: 13 additions & 4 deletions src/kem/bike/additional_r4/gf2x_mul_base_portable.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,14 +41,23 @@ void gf2x_mul_base_port(OUT uint64_t *c,
u[7] = u[6] ^ b0m;

// Step 2: Multiply two elements in parallel in positions i, i+s
l = u[LSB3(a0)] ^ (u[LSB3(a0 >> 3)] << 3);
h = (u[LSB3(a0 >> 3)] >> 61);
for (size_t i = 0; i < 8; ++i) {
// use a mask for secret-independent memory access
l ^= u[i] & secure_cmpeq64_mask(LSB3(a0), i);
l ^= (u[i] << 3) & secure_cmpeq64_mask(LSB3(a0 >> 3), i);
h ^= (u[i] >> 61) & secure_cmpeq64_mask(LSB3(a0 >> 3), i);
}

for(size_t i = (2 * s); i < w; i += (2 * s)) {
const size_t i2 = (i + s);

g1 = u[LSB3(a0 >> i)];
g2 = u[LSB3(a0 >> i2)];
g1 = 0;
g2 = 0;
for (size_t j = 0; j < 8; ++j) {
// use a mask for secret-independent memory access
g1 ^= u[j] & secure_cmpeq64_mask(LSB3(a0 >> i), j);
g2 ^= u[j] & secure_cmpeq64_mask(LSB3(a0 >> i2), j);
}

l ^= (g1 << i) ^ (g2 << i2);
h ^= (g1 >> (w - i)) ^ (g2 >> (w - i2));
Expand Down
5 changes: 5 additions & 0 deletions src/kem/bike/additional_r4/utilities.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,11 @@ _INLINE_ uint32_t secure_l32_mask(IN const uint32_t v1, IN const uint32_t v2)
#endif
}

// Return (-1) if v1 == v2, 0 otherwise
_INLINE_ uint64_t secure_cmpeq64_mask(IN const uint64_t v1, IN const uint64_t v2) {
return -(1 - ((uint64_t)((v1-v2) | (v2-v1)) >> 63));
}

// bike_memcpy avoids the undefined behaviour of memcpy when byte_len=0
_INLINE_ void *bike_memcpy(void *dst, const void *src, size_t byte_len)
{
Expand Down
6 changes: 6 additions & 0 deletions tests/constant_time/kem/passes/bike
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,9 @@
fun:_mm256_srli_epi64
fun:OQS_KEM_bike_*_rotate256_small
}

{
Setting bits in a secret error vector
Memcheck:Cond
src:sampling_portable.c:44 # fun:OQS_KEM_bike_*_secure_set_bits_port
}
Loading