Argyle-Software / kyber

A Rust implementation of the Kyber post-quantum KEM
https://docs.rs/pqc_kyber/
Apache License 2.0

Potential compiler introduced timing leak #112

Open zugzwang opened 3 weeks ago

zugzwang commented 3 weeks ago

I haven't confirmed, but it looks like this library is also vulnerable to https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU

See https://github.com/Argyle-Software/kyber/blob/476e22c1a1ed579f3030e1ae46077036dc384d7f/src/reference/poly.rs#L291

and the fix in the reference implementation https://github.com/pq-crystals/kyber/commit/9b8d30698a3e7449aeb34e62339d4176f11e3c6c
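The step at issue is the message-bit compression in poly_tomsg. The following is an added example, not code from the pqc_kyber crate or the reference implementation: it shows the division form (what the linked line computes, with a secret-dependent dividend that a compiler may lower to a variable-latency divide) beside the multiply-and-shift replacement used in the linked fix commit, and checks that the two agree for every coefficient. Coefficients are assumed to already be reduced into [0, q).

```rust
// Added example; not the pqc_kyber crate's code. Inputs are assumed to be
// coefficients already reduced into [0, q).
const KYBER_Q: u32 = 3329;
const KYBER_N: usize = 256;

/// Division form: round(2t / q) mod 2 via integer division. The dividend
/// depends on a secret coefficient, so if `/ KYBER_Q` becomes a hardware
/// divide, its latency can vary with the secret.
pub fn compress_bit_div(t: u16) -> u8 {
    let t = t as u32;
    ((((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1) as u8
}

/// Replacement from the reference fix commit: the same value computed with a
/// multiply by a 2^28-scaled reciprocal of q. 80635 * 3329 = 2^28 - 1541, and
/// adding 1665 instead of q/2 = 1664 compensates for that rounding error, so
/// the result is exact for every t in [0, q). No divide instruction is needed.
pub fn compress_bit_ct(t: u16) -> u8 {
    let mut t = t as u32;
    t <<= 1;
    t += 1665;
    t *= 80635; // max (2*3328 + 1665) * 80635 < 2^30, so this fits in u32
    t >>= 28;
    (t & 1) as u8
}

/// poly_tomsg with the divide-free compression: one bit per coefficient,
/// packed little-endian within each output byte.
pub fn poly_tomsg_ct(coeffs: &[u16; KYBER_N]) -> [u8; KYBER_N / 8] {
    let mut msg = [0u8; KYBER_N / 8];
    for (i, chunk) in coeffs.chunks_exact(8).enumerate() {
        for (j, &c) in chunk.iter().enumerate() {
            msg[i] |= compress_bit_ct(c) << j;
        }
    }
    msg
}

/// Exhaustive check over the whole input domain that both forms agree, so the
/// divide-free version is a drop-in replacement.
pub fn forms_agree() -> bool {
    (0..KYBER_Q as u16).all(|t| compress_bit_div(t) == compress_bit_ct(t))
}

fn main() {
    assert!(forms_agree());
    let mut coeffs = [0u16; KYBER_N]; // constructed sample input
    coeffs[0] = 1664; // near q/2 -> bit 1 in msg[0], position 0
    coeffs[9] = 833; // smallest coefficient that rounds to 1 -> msg[1], position 1
    let msg = poly_tomsg_ct(&coeffs);
    println!("forms agree; msg[0]={:#04x} msg[1]={:#04x}", msg[0], msg[1]);
}
```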

conradludgate commented 3 weeks ago

As a slight reassurance, godbolt doesn't demonstrate such a branch in the current Rust code on x86_64, although it is still good to ensure that it won't in a future update to LLVM.

O3 - https://godbolt.org/z/jdT4dnvEr
Os - https://godbolt.org/z/YTsojG5xo

bwesterb commented 1 week ago

Fixed in safe_pqc_kyber 0.6.3+.