Make libjade use DOIT instructions on secrets #108

Merged
merged 16 commits into from
May 23, 2024

Conversation

J08nY (Collaborator) commented Feb 27, 2024

This ties in to the effort in jasmin-lang/jasmin#736.

  • crypto_hash
    • Removed BSWAP from SHA2. Replaced with direct byte moves as it only occurred when loading and storing the inputs/results.
    • Replaced ROLs in Keccak with an implementation that uses two shifts and an OR.
  • crypto_xof
    • Replaced VMOVLPD/VMOVHPD with ordinary 64-bit moves and a shift in the shake128/256 AVX2 4x version used.
  • crypto_stream
    • Replaced ROLs in ChaCha and Salsa20 with an implementation that uses two shifts and an OR. This required an auxiliary register that was not available, as the ChaCha/Salsa20 states fully saturate the registers in the implementation. Spilling of two additional registers was necessary for ChaCha and Salsa20.
    • Also, the change above had the side effect that the AVX(2) versions of XSalsa20 require compilation with -lazy-regalloc.
  • crypto_kem
    • Added declassifications for publicseed, necessary to make the CT checker pass even without DOIT.
    • No other changes necessary, but implemented a DOIT POPCNT32 and POPCNT64.
  • crypto_onetimeauth
    • Replaced SHRD in avx/avx2 implementations of Poly1305 with two shifts and an OR.
  • crypto_scalarmult
    • Replaced SHLD and SHRD with two shifts and an OR.
  • crypto_secretbox
    • Added declassifications for the tag verification result, necessary to make the CT checker pass even without DOIT.
    • Made the same fixes to the included xsalsa20 implementations as to the ones in crypto_stream.
  • crypto_sign
    • Replaced ROLs in Keccak. Otherwise unchanged and does not verify with CT checker (even in current state).
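A worked example added here, not libjade's or Jasmin's own code: the straight-line replacements the description lists (ROL, SHLD/SHRD and POPCNT written as shifts, ORs and plain arithmetic) and a branch-free tag comparison that yields the single verdict bit the secretbox change declassifies, in C so that each can be checked against a loop-based reference on any host compiler. The libjade versions are Jasmin, not C; every function name here is this example's own, and the sample inputs are constructed from a small LCG.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ROL as two shifts and an OR (the Keccak / ChaCha / Salsa20 change).
 * Rotate amounts in those kernels are constants in 1..width-1; a shift by
 * the full width is undefined in C, so callers must respect that range. */
static uint32_t rol32_shift_or(uint32_t x, unsigned n) {
    return (x << n) | (x >> (32u - n));
}
static uint64_t rol64_shift_or(uint64_t x, unsigned n) {
    return (x << n) | (x >> (64u - n));
}

/* SHLD / SHRD as two shifts and an OR (the Poly1305 and scalarmult change):
 *   shld dst, src, n   ->   (dst << n) | (src >> (64 - n))
 *   shrd dst, src, n   ->   (dst >> n) | (src << (64 - n))
 * i.e. the bits shifted out of dst are filled from src, again for n in 1..63. */
static uint64_t shld64_shift_or(uint64_t dst, uint64_t src, unsigned n) {
    return (dst << n) | (src >> (64u - n));
}
static uint64_t shrd64_shift_or(uint64_t dst, uint64_t src, unsigned n) {
    return (dst >> n) | (src << (64u - n));
}

/* POPCNT32 / POPCNT64 as straight-line arithmetic with no table lookup and
 * no data-dependent branch (the classic SWAR bit count). */
static uint32_t popcnt32_arith(uint32_t x) {
    x = x - ((x >> 1) & 0x55555555u);
    x = (x & 0x33333333u) + ((x >> 2) & 0x33333333u);
    x = (x + (x >> 4)) & 0x0F0F0F0Fu;
    return (x * 0x01010101u) >> 24;
}
static uint64_t popcnt64_arith(uint64_t x) {
    x = x - ((x >> 1) & 0x5555555555555555ull);
    x = (x & 0x3333333333333333ull) + ((x >> 2) & 0x3333333333333333ull);
    x = (x + (x >> 4)) & 0x0F0F0F0F0F0F0F0Full;
    return (x * 0x0101010101010101ull) >> 56;
}

/* Tag verification shaped like the secretbox case: the byte comparison is
 * branch-free and always covers all 16 bytes; only the final verdict is
 * returned for the caller's "decrypt only if the tag verifies" branch. That
 * verdict is the one value the description declassifies. 0 = match, 1 = mismatch. */
static int verify_tag16(const uint8_t tag[16], const uint8_t expected[16]) {
    unsigned acc = 0;
    for (size_t i = 0; i < 16; i++)
        acc |= (unsigned)(tag[i] ^ expected[i]);   /* no early exit */
    return (int)(((acc | (0u - acc)) >> 31) & 1u); /* 0 -> 0, nonzero -> 1 */
}

/* Loop-based references for the self-check below. */
static uint32_t rol32_ref(uint32_t x, unsigned n) {
    while (n--) x = (x << 1) | (x >> 31);
    return x;
}
static uint64_t rol64_ref(uint64_t x, unsigned n) {
    while (n--) x = (x << 1) | (x >> 63);
    return x;
}
static unsigned popcnt_ref(uint64_t x) {
    unsigned c = 0;
    while (x) { c += (unsigned)(x & 1u); x >>= 1; }
    return c;
}

/* Cross-checks every straight-line version against its reference over
 * constructed LCG inputs; returns the number of mismatches (0 = all agree). */
static int self_check(void) {
    int bad = 0;
    uint32_t s = 0x9E3779B9u;
    for (int i = 0; i < 4096; i++) {
        s = s * 1664525u + 1013904223u;
        uint64_t w = ((uint64_t)s << 32) | (s ^ 0xA5A5A5A5u);
        unsigned n32 = 1u + (s % 31u), n64 = 1u + (s % 63u);
        if (rol32_shift_or(s, n32) != rol32_ref(s, n32)) bad++;
        if (rol64_shift_or(w, n64) != rol64_ref(w, n64)) bad++;
        /* shld/shrd of a value with itself is a rotation */
        if (shld64_shift_or(w, w, n64) != rol64_ref(w, n64)) bad++;
        if (shrd64_shift_or(w, w, n64) != rol64_ref(w, 64u - n64)) bad++;
        if (popcnt32_arith(s) != popcnt_ref(s)) bad++;
        if (popcnt64_arith(w) != popcnt_ref(w)) bad++;
    }
    return bad;
}

int main(void) {
    int bad = self_check();
    printf("mismatches: %d\n", bad);
    return bad != 0;
}
```

Whether a host C compiler turns these back into `rol`/`shld` is up to its instruction selection; the point of the example is the arithmetic equivalence, which is what the Jasmin versions rely on. In Jasmin itself the source-level operations map to instructions directly, which is why the description has to rewrite the rotates rather than trust a compiler.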

J08nY (Collaborator, Author) commented Feb 27, 2024

Good points, thanks. Though this is only a draft, worth looking at after some more work.

J08nY force-pushed the feature/doit branch 4 times, most recently from 9d7bb27 to d45a434 (March 7, 2024 14:54)
@J08nY J08nY marked this pull request as ready for review March 8, 2024 15:26
J08nY (Collaborator, Author) commented Mar 8, 2024

Alright, this is ready for some review now.

I used something like:

env JASMIN="jasminc -checkCT -checkCTafter=propagate -doit -infer -nowarning" make 2>&1 | grep -E "(Entering|line |constant)"

to check that all implementations pass the CT checker as expected.

J08nY force-pushed the feature/doit branch 2 times, most recently from 141114f to d59b920 (March 15, 2024 16:46)
J08nY added 15 commits May 8, 2024 15:23
egrep is deprecated.
This spills some more registers to the stack in the reference chacha core. This comes at a significant performance cost. Further experimentation should be done with register packing instead.
But at what cost?!?
The rotate instruction just ignores these, but the ">>=" operators complain.
Fix xsalsa20poly1305 by swapping its xsalsa20 with the DOIT one.

Adds declassifies into xsalsa20poly1305.
This declassifies the result of tag verification, which leaks via
a branch (decryption is not done if tag does not verify).
@tfaoliveira-sb tfaoliveira-sb changed the base branch from main to feature/doit May 23, 2024 15:23
@tfaoliveira-sb tfaoliveira-sb merged commit 5778485 into formosa-crypto:feature/doit May 23, 2024
3 participants