search

RustCrypto / crypto-bigint

Cryptography-oriented big integer library with constant-time, stack-allocated (no_std-friendly) implementations of modern formulas
Apache License 2.0
167 stars 45 forks source link

vartime Safety - guardrails & static analysis by design #592

Open pinkforest opened 2 months ago

pinkforest commented 2 months ago

Some algorithms have vartime components on non-secret data requiring associated use of vartime functionality.

e.g. where the vartime use is associated with non-secret dependant data.

This could be treated similarly to Rust borrow checker and unsafe { .. }

Marking data as VarTime safe - e.g. hinting it's public could be done via a macro:

#[vartime(public)]
pub struct PublicData {
  pub(crate) public_field: SomeOtherData,
}

Then in functions guard input to vartime functions via the generated wrapper VarTime<PublicData> type

/// VARTIME SAFETY: PublicData is not secret
#[vartime_guard]
pub fn some_vartime_thing(VarTime<PublicData>, SecretData) { .. }

This would enable borrow check type static analysis - ctgrind but in static - so that secret data does not end up in vartime.

I've also looked into doing static analysis off MIR for CI check but having type-level guardrails could help safety.

Also we can enable check to ensure no use of "vartime safety undocumented" vartime gets undocumented.

Relevant Cryptography

Prior art

Dudect requires carefully crafted datasets (I adapted rozbb's vec eq example to ct/vartime memcmp) to illustrate.

tarcieri commented 2 months ago

One problem is we use *_vartime if any of the parameters lead to variable-time behavior, however often in practice we will call these *_vartime methods on a secret input but where they're variable-time only with respect to an rhs parameter which is fixed/constant, generally noting the overall result is constant-time with a comment.