
Constant-time divisors #617

Merged
merged 11 commits into from
Sep 24, 2024

Conversation

kayabaNerve
Member

This is 9.6x slower yet ensures timing analysis of the divisor calculation doesn't leak any information about the secret key.

x**3 / (0 y + x**1) would prior be considered indivisible with iterations = 0.
It is divisible however. The amount of iterations should be the amount of
coefficients within the numerator *excluding the coefficient for y**0 x**0*.
…quivalence

If the first passed argument is smaller than the latter, it's padded to the
necessary length.

Also adds code to trim the remainder as the remainder is the value modulo, so
it's very important it remains concise and workable.
It selected the case if both were identity before selecting the case if either
were identity, the latter overwriting the former.
1) Our quotient structure does need to be of size equal to the numerator
   entirely to prevent out-of-bounds reads on it
2) We need to get from yx_coefficients if of length >=, so if the length is 1
   we can read y_pow=1 from it. If y_pow=0, and its length is 0 so it has no
   inner Vecs, we need to fall back with the guard y_pow != 0.
…bly gigantic

Our Poly algorithm is incredibly leaky. While it presumably should be improved,
we can take advantage of our known structure while constructing divisors (and
the small modulus) to simply trim out the zero coefficients leaked. This
maintains Polys in a manageable size.
…divisors

Anyone creating a divisor for the scalar mul gadget should use constant time
code, so this code should at least be in the EC gadgets crate. It's of
non-trivial complexity to deal with otherwise.
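The commit messages above describe the properties a constant-time divisor calculation needs: an iteration count derived from the public length of the numerator rather than from which coefficients happen to be zero, padding of the shorter operand, and trimming the remainder to its public degree bound. The following is an added, self-contained illustration of those properties for the simpler univariate case (the crate itself works with bivariate y/x polynomials, and this is not its code). It assumes a hypothetical prime field modulo 2^61 - 1 with its own constant-time add, sub and mul; coefficient vectors are little-endian and every coefficient is assumed already reduced below the modulus.

```rust
// Added example: constant-time univariate polynomial long division over
// F_p with p = 2^61 - 1 (assumed field; not the project's own field or code).
// coeffs[i] is the coefficient of x^i. A polynomial carries a *public* length
// (an upper bound on its degree); its actual degree may be secret, so no
// loop bound or branch below may depend on which coefficients are zero.

const P: u64 = (1u64 << 61) - 1;

// Constant-time modular add/sub: reduce with masks instead of branches.
fn add(a: u64, b: u64) -> u64 {
    let s = a + b; // < 2^62, no overflow
    let t = s.wrapping_sub(P);
    let mask = 0u64.wrapping_sub(t >> 63); // all ones iff s < P
    (t & !mask) | (s & mask)
}

fn sub(a: u64, b: u64) -> u64 {
    let t = a.wrapping_sub(b);
    let mask = 0u64.wrapping_sub(t >> 63); // all ones iff a < b
    t.wrapping_add(P & mask)
}

// Mersenne reduction: 2^61 == 1 (mod P), so hi*2^61 + lo == hi + lo.
fn mul(a: u64, b: u64) -> u64 {
    let prod = (a as u128) * (b as u128);
    let lo = (prod & (P as u128)) as u64;
    let hi = (prod >> 61) as u64;
    add(lo, hi)
}

// Fermat inversion a^(P-2) with a fixed 61-step ladder. The exponent is a
// public constant, so selecting on its bits leaks nothing about `a`.
fn inv(a: u64) -> u64 {
    let mut result = 1u64;
    let mut base = a;
    let mut e = P - 2;
    for _ in 0..61 {
        let m = 0u64.wrapping_sub(e & 1);
        result = mul(result, (base & m) | (1 & !m));
        base = mul(base, base);
        e >>= 1;
    }
    result
}

/// Variable-time degree: exits at the first non-zero coefficient, so its
/// running time reveals how many leading zeros the secret polynomial has.
/// A division whose step count came from this would leak the same thing.
fn vt_degree(p: &[u64]) -> usize {
    p.iter().rposition(|&c| c != 0).unwrap_or(0)
}

/// Constant-time division. `den`'s last coefficient must be non-zero (its
/// degree is public). Returns (quotient, remainder) where
/// quotient.len() == max(num.len(), den.len()) - deg(den) and
/// remainder.len() == max(deg(den), 1), both public lengths.
fn ct_div(num: &[u64], den: &[u64]) -> (Vec<u64>, Vec<u64>) {
    assert!(!den.is_empty(), "denominator must have at least one coefficient");
    let d = den.len() - 1;
    // Pad the numerator to at least the denominator's length (public lengths).
    let n = num.len().max(den.len());
    let mut rem = vec![0u64; n];
    rem[..num.len()].copy_from_slice(num);
    let lead_inv = inv(den[d]);
    // Step count depends only on public lengths: every coefficient position
    // above deg(den) is processed, whether or not it is actually zero.
    let steps = n - d;
    let mut quot = vec![0u64; steps];
    for i in (0..steps).rev() {
        // If rem[i + d] is zero this yields q = 0 and the subtraction below
        // is a no-op, but it runs anyway so timing is the same for x^3 / x
        // whether the numerator arrived as [0,0,0,1] or [0,0,0,1,0,0].
        let q = mul(rem[i + d], lead_inv);
        quot[i] = q;
        for j in 0..=d {
            rem[i + j] = sub(rem[i + j], mul(q, den[j]));
        }
    }
    // The remainder's degree bound deg(den) - 1 is public, so trimming to it
    // leaks nothing and keeps the value modulo `den` at a workable size.
    rem.truncate(d.max(1));
    (quot, rem)
}

fn main() {
    // Constructed sample: (x^2 + 1) / (x + 1) = (x - 1) with remainder 2.
    let (q, r) = ct_div(&[1, 0, 1], &[1, 1]);
    println!("quotient {:?} remainder {:?} (P-1 = {})", q, r, P - 1);
    println!("vt_degree of padded x^3: {}", vt_degree(&[0, 0, 0, 1, 0, 0]));
}
```

The contrast to keep in mind is `vt_degree`: any division whose loop bound is computed from it runs a number of steps equal to the secret degree, which is exactly what the PR's fixed iteration count (numerator length minus one, or here length minus deg(den)) avoids.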
@kayabaNerve kayabaNerve added improvement This could be better cryptography An issue involving cryptography/a cryptographic library labels Sep 24, 2024
@kayabaNerve kayabaNerve merged commit 251a6e9 into next Sep 24, 2024
4 of 18 checks passed
@kayabaNerve kayabaNerve deleted the constant-time-divisors branch September 24, 2024 21:27
@kayabaNerve
Member Author

Thanks to @Boog900 for reviewing my initial ct_* functions and helping improve them to what they are now.
