-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added FIPS 204 documentation, cleanse intermediate values #2017
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2017 +/- ##
==========================================
+ Coverage 78.62% 78.67% +0.05%
==========================================
Files 596 598 +2
Lines 103012 103350 +338
Branches 14661 14692 +31
==========================================
+ Hits 80989 81313 +324
- Misses 21373 21385 +12
- Partials 650 652 +2 ☔ View full report in Codecov by Sentry. |
@@ -15,6 +15,8 @@ that initialize a given structure with values corresponding to a parameter set. | |||
- `reduce.c`: a small fix to documentation has been made on the bounds of `reduce32`. | |||
- `poly.c`: a small fix to documentation has been made on the bounds of `poly_reduce`. | |||
- `polyvec.c`: a small fix to documentation has been made on the bounds of `polyveck_reduce`. | |||
- Documentation has been added to `ntt.c`, `packing.c`, `poly.c`, `polyvec.c`, and `reduce.c` that outlines the algorithm specification (including algorithm number) in FIPS 204. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Refers to reduce.c
instead of rounding.c
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice spot! fixed 0f43f79
/* FIPS 204. Section 3.6.3 Destruction of intermediate values. */ | ||
OPENSSL_cleanse(seedbuf, sizeof(seedbuf)); | ||
OPENSSL_cleanse(tr, sizeof(tr)); | ||
OPENSSL_cleanse(&rho, SEEDBYTES); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This still doesn't seem right. You're passing in the address of rho (which is pointer type whose size is sizeof(uint_8*) and clearing SEEDBYTES from that address. I believe this is a buffer overrun on the stack frame. Can someone check my work? I think what you want is to either not do any cleansing at all and assume that the pointer values are not sensitive, or you want to replace SEEDBYTES with sizeof(rho) to basically set the pointer to 0. Same goes for the other pointers here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ahh I see you are correct. For reference, check what we did for ML-KEM for the same requirement, I was following this same methodology: #1883
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed the cleansing of pointers in dafaa7e
general comment: please try to do one thing per PR. For example, this PR should be 3 separate ones:
|
Thank for you that feedback! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The only thing that concerns me here is the treatment of signs
. I'm indifferent on the topic of clearing pointer values.
OPENSSL_cleanse(&rho, sizeof(rho)); | ||
OPENSSL_cleanse(&rhoprime, sizeof(rhoprime)); | ||
OPENSSL_cleanse(&key, sizeof(key)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pointer values are no more sensitive than integer offsets. Don't think we need these anymore.
OPENSSL_cleanse(&rho, sizeof(rho)); | ||
OPENSSL_cleanse(&tr, sizeof(tr)); | ||
OPENSSL_cleanse(&key, sizeof(key)); | ||
OPENSSL_cleanse(&mu, sizeof(mu)); | ||
OPENSSL_cleanse(&rhoprime, sizeof(rhoprime)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See comment above on pointer values.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! I agree with you on signs, cleansed in 015ccd6. To be consistant wit ML-KEM I'll leave the cleansing of the pointers in to see what other reviewers think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gerardo talks about these
uint8_t *rho, *tr, *key, *mu, *rhoprime;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! Just wanted your perspective before making the change! fixed in a8777cd
* coefficients are in [-eta, eta]. | ||
* | ||
* Arguments: - ml_dsa_params: parameter struct | ||
* - polyvecl v: pointer to input vector |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* - polyvecl v: pointer to input vector | |
* - polyvecl v: pointer to output vector |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed in a8777cd
* coefficients are in [-gamma1 + 1, gamma1]. | ||
* | ||
* Arguments: - ml_dsa_params: parameter struct | ||
* - polyvecl v: pointer to input vector |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* - polyvecl v: pointer to input vector | |
* - polyvecl v: pointer to output vector |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed in a8777cd
* coefficients are in [-eta, eta]. | ||
* | ||
* Arguments: - ml_dsa_params: parameter struct | ||
* - polyveck v: pointer to input vector |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* - polyveck v: pointer to input vector | |
* - polyveck v: pointer to output vector |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed in a8777cd
OPENSSL_cleanse(&rho, sizeof(rho)); | ||
OPENSSL_cleanse(&tr, sizeof(tr)); | ||
OPENSSL_cleanse(&key, sizeof(key)); | ||
OPENSSL_cleanse(&mu, sizeof(mu)); | ||
OPENSSL_cleanse(&rhoprime, sizeof(rhoprime)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gerardo talks about these
uint8_t *rho, *tr, *key, *mu, *rhoprime;
Issues:
Resolves CryptoAlg-2799
Description of changes:
This PR addresses the following:
Documentation:
Clean up:
poly.c
has been removed.New addition intermediate value cleanse:
xi
generated in step 1 ofML-DSA.KeyGen (Algorithm 1)
can be stored for the purpose of later expansion. As it can be used to generate the private key, it shall be treated with the same safeguards as a private key.\hat{A}
generated in step 3 ofML-DSA.KeyGen_internal (Algorithm 6)
can be stored so that it need not be recomputed in later operations. Likewise, the matrix\hat{A}
generated in step 5 ofML-DSA.Verify_internal(Algorithm 8)
. This data is public and can be derived from the public key.Callouts:
crypto_sign_signature_internal
namely,uint8_t *rho, *tr, *key, *mu, *rhoprime;
have pointer addresses cleansed.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.