Closed dstebila closed 5 years ago
I'll take a look
I only get errors with the bike2 algs, this is the failing code from src/kem/bike/x86_64/kem.c :
// Check if error weight equals T1:
`if (getHammingWeight(e, 2 R_BITS) != T1)`
I'm investigating to see if it's a problem with the OQS implementation or the call from OpenSSL.
I can only repro the bug with the bike v2 schemes; they fail roughly 50% of the time. I can't repro in OQS alone, so there must be something in the way OpenSSL invokes it (or perhaps a circular dependency from OpenSSL to OQS to OpenSSL?) I reviewed the calls from OpenSSL into OQS, and I can't find an error; per the above comment, the hamming weight seems to be different some times. I don't understand the crypto, so a BIKE dev should look at the input/output to see what is going on.
We can pull the bike2* schemes from the release if we can't fix this this week, and investigate later.
Here are some thoughts for now: Since the problem appeared only with BIKE2 and only on a MAC OS (i.e., what's running is the C reference code and not the assembler), it seems that the issue is with how the BIKE2 keys are handled.
As an algorithm, BIKE2 has a shorter (half size) key compared to BIKE1/BIKE3. For consistency (with the KAT's) the reference code extends (artificially) the keys in the BIKE2 case, and ignores the redundant half. It might be that when linking to OpenSSL, the Hamming weight is counted over the full length.
Need to check this out and fix. We will get back to you on this soon (before the release).
FYI, I encountered the same behavior on Ubuntu 16.04.5 LTS using gcc. Repro steps:
Follow the README.md instructions in the OQS-OpenSSL_1_1_1 branch to:
apps/openssl req -x509 -new -newkey rsa -keyout rsa.key -out rsa.crt -nodes -subj "/CN=oqstest" -days 365 -config apps/openssl.cnf
apps/openssl s_server -cert rsa.crt -key rsa.key -www -tls1_3
apps/openssl s_client -curves bike2l1 -connect localhost:4433
. Repeat this step until failure (occurs ~50% of the time).Thanks for looking into it Shay!
We believe that we found the problem. The short story: it is due to a changed behavior of OpenSSL, between version 1.0.2 to version 1.1.0. Specifically, the function BN_GF2m_mod_inv(a, p) changed its behavior (changes from May 2018).
The detailed explanation: (if you wish to skip the details scroll down to the solution)
void main() { BIGNUM a, m, r; a = BN_new(); r = BN_new(); m = BN_new(); BN_CTX bn_ctx = BN_CTX_new(); BN_hex2bn(&m, "21");
BN_hex2bn(&a, "1");
printf("hhh %d\n",BN_GF2m_mod_inv(r, a, m, bn_ctx)); printf("m: %s\n", BN_bn2hex(m)); printf("a: %s\n", BN_bn2hex(a)); return; }
What to do now? We added a quick fix, and will commit it soon. Basically,
The expected number of times until it succeeds is 2, i.e., we do not expect noticeable timing impact here. Also, we do not care about timing (due to the "if" statements) nor about exposing the number of attempts, because this is a property of the randomized b, thus does not reveal anything confidential.
In the long run, it might be neater to factor x^r+1 = (x+1) * ( x^{r-1} + x^{r-2} + … + x + 1) where the latter polynomial is irreducible. Then use the new BN_GF2m_mod_inv(a, p) function with that polynomial, and subsequently use the CRT. Alternatively, we could simply write the inversion directly and BN_GF2m_mod_inv(a, p) altogether.
For now, the quick fix is fine.
Nir and Shay
Resolved by open-quantum-safe/liboqs#430 and open-quantum-safe/liboqs#431.
Some BIKE ciphersuites (e.g., bike2l1, bike2l3, bike2l5, bike3l1, bike3l3, bike3l5) are not reliable for me in TLS 1.3 on my Mac. About 50% of the time, the connection goes through, and 50% of the time I get the following error:
I'm not sure what the problem is.
Any ideas, @christianpaquin?