Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kyber constant time division #3898

Closed
wants to merge 10 commits into from
Closed

Kyber constant time division #3898

wants to merge 10 commits into from

Conversation

FAlbertDev
Copy link
Collaborator

@FAlbertDev FAlbertDev commented Jan 24, 2024
edited
Loading

Pull request dependencies

This PR adds logic to perform constant-time division by replacing division with a multiplication and right-shift. Instead of using magic numbers for division and right-shift for the specific Kyber constant Q, we compute them on compile time using an algorithm from Hacker's Delight, Chapter 10 - 9.

Also, to ensure the algorithm's correctness, we added a test covering all possible numerators that may occur in Kyber's computation.

Commit:
58a9962

@coveralls
Copy link

coveralls commented Jan 24, 2024
edited
Loading

Coverage Status

coverage: 92.006%. remained the same
when pulling 9bbdc6a on Rohde-Schwarz:kyber-ct-div
into 13c7e5f on randombit:master.

This was referenced Jan 25, 2024
Merged
Merged
@reneme
Copy link
Collaborator

reneme commented Feb 2, 2024

Perhaps describe the counter measure in side_channel.rst?

@reneme
Copy link
Collaborator

reneme commented Feb 16, 2024

Rebased and resolved conflicts after #3874 was merged and #3887 was adapted to it.

@reneme reneme added the enhancement Enhancement or new feature label Feb 22, 2024
@reneme reneme added this to the Botan 3.4.0 milestone Feb 22, 2024
randombit
randombit reviewed Mar 19, 2024
View reviewed changes
Copy link
Owner

@randombit randombit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TBH I don’t see how this helps keep the compiler from turning the multiplication into a div, since the multiplicand will anyway be known at compile time.

One thing I find interesting here is that after the (comple time) computation of pm, the final result is computed using just a multiplication and a single shift. Wheras the current approach uses a multiplication and several shifts, add/sub, etc. If we just took the value that would be computed for pm for the Kyber q and used it directly (return (n * MAGIC) >> MAGIC_SHIFT), is there really any risk of variable time operations being compiled in? I would think no (non-malicous) compiler would convert 2 instructions into a div or jump.

randombit added a commit that referenced this pull request Mar 30, 2024
@randombit
Use a simpler formula for Kyber division by q
8352a22 
Simpler approach than #3898
@randombit randombit mentioned this pull request Mar 30, 2024
Merged
@FAlbertDev
Copy link
Collaborator Author

Closed. See #3959.

@FAlbertDev FAlbertDev closed this Apr 5, 2024
@FAlbertDev FAlbertDev deleted the kyber-ct-div branch April 5, 2024 08:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@randombit randombit randombit left review comments

Assignees
No one assigned
Labels
enhancement Enhancement or new feature
Projects
None yet
Milestone
Botan 3.4.0
Development

Successfully merging this pull request may close these issues.
4 participants
@FAlbertDev @coveralls @reneme @randombit