From e6c650c2efe70d78924d50286f5c8d3a9c877df8 Mon Sep 17 00:00:00 2001
From: Pravek Sharma
Date: Mon, 18 Sep 2023 13:04:41 -0400
Subject: [PATCH] Document Falcon constant time errors (#1552)
* Document Falcon constant time errors.
* Update McEliece docs.
* Update Falcon YML to include aarch64 implementation
* Correct Falcon docs.
---------
Co-authored-by: Spencer Wilson
---
 docs/algorithms/kem/classic_mceliece.yml | 60 ++++++++++----------
 docs/algorithms/sig/falcon.md | 10 ++--
 docs/algorithms/sig/falcon.yml | 32 +++++++++-
 docs/cbom.json | 70 +++++++++++++++++++++---
 tests/constant_time/sig/issues.json | 4 +-
 tests/constant_time/sig/issues/falcon | 15 +++++
 6 files changed, 144 insertions(+), 47 deletions(-)
 create mode 100644 tests/constant_time/sig/issues/falcon
diff --git a/docs/algorithms/kem/classic_mceliece.yml b/docs/algorithms/kem/classic_mceliece.yml
index 3430bb29e3..a5fcf751fc 100644
--- a/docs/algorithms/kem/classic_mceliece.yml
+++ b/docs/algorithms/kem/classic_mceliece.yml
@@ -42,8 +42,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -59,7 +59,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - name: Classic-McEliece-348864f
@@ -76,8 +76,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -94,7 +94,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - name: Classic-McEliece-460896
@@ -111,8 +111,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -128,7 +128,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - name: Classic-McEliece-460896f
@@ -145,8 +145,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -163,7 +163,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - name: Classic-McEliece-6688128
@@ -180,8 +180,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -197,7 +197,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - name: Classic-McEliece-6688128f
@@ -214,8 +214,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -232,7 +232,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - name: Classic-McEliece-6960119
@@ -249,8 +249,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -266,7 +266,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - name: Classic-McEliece-6960119f
@@ -283,8 +283,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -301,7 +301,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - name: Classic-McEliece-8192128
@@ -318,8 +318,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -335,7 +335,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - name: Classic-McEliece-8192128f
@@ -352,8 +352,8 @@ parameter-sets: common-crypto: - AES: liboqs - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream - upstream-id: avx2
@@ -370,7 +370,7 @@ parameter-sets: - AES: liboqs - SHA3: liboqs no-secret-dependent-branching-claimed: false - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: true upstream: primary-upstream auxiliary-submitters: []
diff --git a/docs/algorithms/sig/falcon.md b/docs/algorithms/sig/falcon.md
index d1d200f1c6..101ffa9a98 100644
--- a/docs/algorithms/sig/falcon.md
+++ b/docs/algorithms/sig/falcon.md
@@ -22,8 +22,9 @@ | Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ | |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------| -| [Primary Source](#primary-source) | clean | All | All | None | True | True | False | -| [Primary Source](#primary-source) | avx2 | x86\_64 | All | AVX2 | True | True | False | +| [Primary Source](#primary-source) | clean | All | All | None | False | False | False | +| [Primary Source](#primary-source) | avx2 | x86\_64 | All | AVX2 | False | False | False | +| [Primary Source](#primary-source) | aarch64 | ARM64\_V8 | Linux,Darwin | None | False | False | False | Are implementations chosen based on runtime CPU feature detection? **Yes**. 
@@ -33,8 +34,9 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**. | Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? | |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------| -| [Primary Source](#primary-source) | clean | All | All | None | True | True | False | -| [Primary Source](#primary-source) | avx2 | x86\_64 | All | AVX2 | True | True | False | +| [Primary Source](#primary-source) | clean | All | All | None | False | False | False | +| [Primary Source](#primary-source) | avx2 | x86\_64 | All | AVX2 | False | False | False | +| [Primary Source](#primary-source) | aarch64 | ARM64\_V8 | Linux,Darwin | None | False | False | False | Are implementations chosen based on runtime CPU feature detection? **Yes**.
diff --git a/docs/algorithms/sig/falcon.yml b/docs/algorithms/sig/falcon.yml
index cb6b4d8f4d..cf98b1fd18 100644
--- a/docs/algorithms/sig/falcon.yml
+++ b/docs/algorithms/sig/falcon.yml
@@ -47,8 +47,20 @@ parameter-sets: - avx2 common-crypto: - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false + large-stack-usage: false + - upstream: primary-upstream + upstream-id: aarch64 + supported-platforms: + - architecture: ARM64_V8 + operating_systems: + - Linux + - Darwin + common-crypto: + - SHA3: liboqs + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: false - name: Falcon-1024 claimed-nist-level: 5
@@ -74,6 +86,18 @@ parameter-sets: - avx2 common-crypto: - SHA3: liboqs - no-secret-dependent-branching-claimed: true - no-secret-dependent-branching-checked-by-valgrind: true + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false + large-stack-usage: false + - upstream: primary-upstream + upstream-id: aarch64 + supported-platforms: + - architecture: ARM64_V8 + operating_systems: + - Linux + - Darwin + common-crypto: + - SHA3: liboqs + no-secret-dependent-branching-claimed: false + no-secret-dependent-branching-checked-by-valgrind: false large-stack-usage: false
diff --git a/docs/cbom.json b/docs/cbom.json
index c207414336..5767f36b77 100644
--- a/docs/cbom.json
+++ b/docs/cbom.json
@@ -1,23 +1,23 @@
 {
 "bomFormat": "CBOM",
 "specVersion": "1.4-cbom-1.0",
- "serialNumber": "urn:uuid:76fbea76-f6a8-441a-9ad0-4f3df1b91d3c",
+ "serialNumber": "urn:uuid:c2efdd72-2a86-4ba2-ad1b-870e67bdcdab",
 "version": 1,
 "metadata": {
- "timestamp": "2023-05-16T14:01:59.927404",
+ "timestamp": "2023-09-14T13:03:34.914420",
 "component": {
 "type": "library",
- "bom-ref": "pkg:github/open-quantum-safe/liboqs@3052cb8e01343126bb7eb1de0c9b90f9b9230ed4",
+ "bom-ref": "pkg:github/open-quantum-safe/liboqs@f6acbec0428a6f6d46b5d55fabfd9192ad63b89c",
 "name": "liboqs",
- "version": "3052cb8e01343126bb7eb1de0c9b90f9b9230ed4"
+ "version": "f6acbec0428a6f6d46b5d55fabfd9192ad63b89c"
 }
 },
 "components": [
 {
 "type": "library",
- "bom-ref": "pkg:github/open-quantum-safe/liboqs@3052cb8e01343126bb7eb1de0c9b90f9b9230ed4",
+ "bom-ref": "pkg:github/open-quantum-safe/liboqs@f6acbec0428a6f6d46b5d55fabfd9192ad63b89c",
 "name": "liboqs",
- "version": "3052cb8e01343126bb7eb1de0c9b90f9b9230ed4"
+ "version": "f6acbec0428a6f6d46b5d55fabfd9192ad63b89c"
 },
 {
 "type": "crypto-asset",
@@ -1279,6 +1279,26 @@
 "nistQuantumSecurityLevel": 1
 }
 },
+ {
+ "type": "crypto-asset",
+ "bom-ref": "alg:Falcon-512:armv8-a",
+ "name": "Falcon",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "variant": "Falcon-512",
+ "primitive": "signature",
+ "implementationLevel": "softwarePlainRam",
+ "cryptoFunctions": [
+ "keygen",
+ "sign",
+ "verify"
+ ],
+ "implementationPlatform": "armv8-a"
+ },
+ "nistQuantumSecurityLevel": 1
+ }
+ },
 {
 "type": "crypto-asset",
 "bom-ref": "alg:Falcon-1024:generic",
@@ -1319,6 +1339,26 @@
 "nistQuantumSecurityLevel": 5
 }
 },
+ {
+ "type": "crypto-asset",
+ "bom-ref": "alg:Falcon-1024:armv8-a",
+ "name": "Falcon",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "variant": "Falcon-1024",
+ "primitive": "signature",
+ "implementationLevel": "softwarePlainRam",
+ "cryptoFunctions": [
+ "keygen",
+ "sign",
+ "verify"
+ ],
+ "implementationPlatform": "armv8-a"
+ },
+ "nistQuantumSecurityLevel": 5
+ }
+ },
 {
 "type": "crypto-asset",
 "bom-ref": "alg:SPHINCS+-SHA2-128f-simple:generic",
@@ -1828,7 +1868,7 @@
 ],
 "dependencies": [
 {
- "ref": "pkg:github/open-quantum-safe/liboqs@3052cb8e01343126bb7eb1de0c9b90f9b9230ed4",
+ "ref": "pkg:github/open-quantum-safe/liboqs@f6acbec0428a6f6d46b5d55fabfd9192ad63b89c",
 "dependsOn": [
 "alg:BIKE-L1:x86_64",
 "alg:BIKE-L3:x86_64",
@@ -1893,8 +1933,10 @@
 "alg:Dilithium5:armv8-a",
 "alg:Falcon-512:generic",
 "alg:Falcon-512:x86_64",
+ "alg:Falcon-512:armv8-a",
 "alg:Falcon-1024:generic",
 "alg:Falcon-1024:x86_64",
+ "alg:Falcon-1024:armv8-a",
 "alg:SPHINCS+-SHA2-128f-simple:generic",
 "alg:SPHINCS+-SHA2-128f-simple:x86_64",
 "alg:SPHINCS+-SHA2-128s-simple:generic",
@@ -2395,6 +2437,13 @@
 ],
 "dependencyType": "uses"
 },
+ {
+ "ref": "alg:Falcon-512:armv8-a",
+ "dependsOn": [
+ "alg:sha3"
+ ],
+ "dependencyType": "uses"
+ },
 {
 "ref": "alg:Falcon-1024:generic",
 "dependsOn": [
@@ -2409,6 +2458,13 @@
 ],
 "dependencyType": "uses"
 },
+ {
+ "ref": "alg:Falcon-1024:armv8-a",
+ "dependsOn": [
+ "alg:sha3"
+ ],
+ "dependencyType": "uses"
+ },
 {
 "ref": "alg:SPHINCS+-SHAKE-128f-simple:generic",
 "dependsOn": [
diff --git a/tests/constant_time/sig/issues.json b/tests/constant_time/sig/issues.json
index 286f43223c..9bb7eb81c4 100644
--- a/tests/constant_time/sig/issues.json
+++ b/tests/constant_time/sig/issues.json
@@ -3,8 +3,8 @@
 "Dilithium2": [],
 "Dilithium3": [],
 "Dilithium5": [],
- "Falcon-1024": [],
- "Falcon-512": [],
+ "Falcon-1024": ["falcon"],
+ "Falcon-512": ["falcon"],
 "SPHINCS+-SHA256-128f-robust": ["sphincs"],
 "SPHINCS+-SHA256-128f-simple": ["sphincs"],
 "SPHINCS+-SHA256-128s-robust": ["sphincs"],
diff --git a/tests/constant_time/sig/issues/falcon b/tests/constant_time/sig/issues/falcon
new file mode 100644
index 0000000000..bc5bebe269
--- /dev/null
+++ b/tests/constant_time/sig/issues/falcon
@@ -0,0 +1,15 @@
+{ + This constant time error has not been studied/analysed. + Memcheck:Cond + src:sign.c:1226 + # fun:PQCLEAN_FALCON*_AVX2_sampler + fun:ffSampling_fft_dyntree +} + + { + This constant time error has not been studied/analysed. + Memcheck:Cond + src:sign.c:1140 + # fun:BerExp + fun:PQCLEAN_FALCON*_AVX2_sampler +}
\ No newline at end of file
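Review bot: Both entries in the new tests/constant_time/sig/issues/falcon suppress a Memcheck:Cond report inside the Falcon sampling code (`src:sign.c:1226` and `src:sign.c:1140`) with the description `This constant time error has not been studied/analysed.`, so the constant-time test now passes for Falcon-512 and Falcon-1024 without anyone having established whether the conditional branch depends on secret-derived data; the description should at least carry a tracking reference, e.g. `Unanalysed conditional in the Falcon sampler (sign.c); tracked in #1552 - remove this suppression once analysed.`. Matching on `src:` line numbers alone is brittle: any edit to upstream sign.c shifts them, the suppression silently stops matching, and the report presumably resurfaces as a test failure rather than being triaged, so the commented-out `# fun:PQCLEAN_FALCON*_AVX2_sampler` and `# fun:BerExp` frames deserve a one-line comment saying why they were dropped (inlined in the AVX2 build?) instead of being left as dead lines. The second entry's `fun:PQCLEAN_FALCON*_AVX2_sampler` frame matches only the AVX2 build, while issues.json now attaches `falcon` to both Falcon parameter sets regardless of implementation; if the constant-time test is also run against the clean or aarch64 code that entry will not match there, which is worth confirming. The file is also missing a trailing newline.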