Skip to content

Kyber constant time division#3898

Closed
FAlbertDev wants to merge 10 commits intorandombit:masterfrom
Rohde-Schwarz:kyber-ct-div
Closed

Kyber constant time division#3898
FAlbertDev wants to merge 10 commits intorandombit:masterfrom
Rohde-Schwarz:kyber-ct-div

Conversation

@FAlbertDev
Copy link
Copy Markdown
Collaborator

@FAlbertDev FAlbertDev commented Jan 24, 2024
edited
Loading

Pull request dependencies

This PR adds logic to perform constant-time division by replacing division with a multiplication and right-shift. Instead of using magic numbers for division and right-shift for the specific Kyber constant Q, we compute them on compile time using an algorithm from Hacker's Delight, Chapter 10 - 9.

Also, to ensure the algorithm's correctness, we added a test covering all possible numerators that may occur in Kyber's computation.

Commit:
58a9962

@coveralls
Copy link
Copy Markdown

coveralls commented Jan 24, 2024
edited
Loading

Coverage Status

coverage: 92.006%. remained the same
when pulling 9bbdc6a on Rohde-Schwarz:kyber-ct-div
into 13c7e5f on randombit:master.

This was referenced Jan 25, 2024
Merged
Merged
@reneme
Copy link
Copy Markdown
Collaborator

reneme commented Feb 2, 2024

Perhaps describe the counter measure in side_channel.rst?

@reneme
Copy link
Copy Markdown
Collaborator

reneme commented Feb 16, 2024

Rebased and resolved conflicts after #3874 was merged and #3887 was adapted to it.

@reneme reneme added the enhancement Enhancement or new feature label Feb 22, 2024
@reneme reneme added this to the Botan 3.4.0 milestone Feb 22, 2024
randombit
randombit reviewed Mar 19, 2024
View reviewed changes
Copy link
Copy Markdown
Owner

@randombit randombit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TBH I don’t see how this helps keep the compiler from turning the multiplication into a div, since the multiplicand will anyway be known at compile time.

One thing I find interesting here is that after the (comple time) computation of pm, the final result is computed using just a multiplication and a single shift. Wheras the current approach uses a multiplication and several shifts, add/sub, etc. If we just took the value that would be computed for pm for the Kyber q and used it directly (return (n * MAGIC) >> MAGIC_SHIFT), is there really any risk of variable time operations being compiled in? I would think no (non-malicous) compiler would convert 2 instructions into a div or jump.

randombit added a commit that referenced this pull request Mar 30, 2024
@randombit
Use a simpler formula for Kyber division by q
8352a22 
Simpler approach than #3898
@randombit randombit mentioned this pull request Mar 30, 2024
Merged
@FAlbertDev
Copy link
Copy Markdown
Collaborator Author

FAlbertDev commented Apr 5, 2024

Closed. See #3959.

@FAlbertDev FAlbertDev closed this Apr 5, 2024
@FAlbertDev FAlbertDev deleted the kyber-ct-div branch April 5, 2024 08:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@randombit randombit randombit left review comments

Assignees

No one assigned

Labels

enhancement Enhancement or new feature

Projects

None yet

Milestone

Botan 3.4.0

Development

Successfully merging this pull request may close these issues.

4 participants

@FAlbertDev @coveralls @reneme @randombit