
Constant-time operations / side-channel attack resistance #2

Closed
mratsim opened this issue Jul 30, 2018 · 2 comments

Comments

@mratsim
Contributor

mratsim commented Jul 30, 2018

Context

AMCL v3.1 claims that critical calculations are performed in constant time:

Version 3.1 is a major "under the hood" upgrade. Field arithmetic is
performed using ideas from http://eprint.iacr.org/2017/437 to ensure
that critical calculations are performed in constant time. This strongly
mitigates against side-channel attacks. Exception-free formulae are
now used for Weierstrass elliptic curves. A new standardised script
builds for the same set of curves across all languages.

Obviously the calculation involving private keys must be constant-time, but not having everything constant-time might leave users open to other clever exploits.

Current implementation

For example comparison to zero or one is not constant time and key length can be deduced from it:

https://github.com/status-im/nim-milagro-crypto/blob/4add8c3441802b9962c966d023b629dcfb207640/src/generated/big_384_29.c#L34-L51

Modular inversion uses a lot of if statements, which cannot be constant time, as due to cache/prediction misses we can deduce which branches were taken:

https://github.com/status-im/nim-milagro-crypto/blob/4add8c3441802b9962c966d023b629dcfb207640/src/generated/big_384_29.c#L1398-L1459

There are also no tests to count clock cycles for the AMCL library.

Others

This is not an isolated issue; even OpenSSL does not have complete constant-time arithmetic, see openssl/openssl#6078, and had successful side-channel attacks against it for RSA (CacheBleed), AES, ECDSA.

Testing/implementing constant-time

Wishlist

  • Having a Nim macro that throws a compiler error if something is not implemented in a constant-time manner or at least uses a secret variable as a conditional.

Updated overview

https://github.com/status-im/nim-constantine/wiki/Constant-time-arithmetics

@cheatfate
Contributor

cheatfate commented Jul 30, 2018

Some more links about constant-time:
https://bearssl.org/constanttime.html
https://bearssl.org/ctmul.html
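To make the "comparison to zero or one" and "if statements in inversion" points from the opening comment concrete, and to show the branch-free style the BearSSL pages above describe, here is an added C example. It is not code from nim-milagro-crypto, AMCL or BearSSL: the 14-limb `BIG` layout, the `SAMPLE_*` values and all function names are assumptions constructed for illustration. It contrasts an early-exit test-for-zero, whose iteration count depends on where the top-most non-zero limb sits, with a constant-time version, and adds a constant-time equality check and a mask-based select that can replace `if (secret) r = b;`.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this example: 14 signed 64-bit limbs holding 29-bit digits,
   a stand-in for a "384_29" build and not the project's own type definitions. */
#define NLEN 14
typedef int64_t chunk;
typedef chunk BIG[NLEN];

/* Constructed sample values (not taken from the issue). */
const BIG SAMPLE_ZERO  = {0};
const BIG SAMPLE_ONE   = {1};
const BIG SAMPLE_SMALL = {5};                                       /* only limb 0 used */
const BIG SAMPLE_LARGE = {0,0,0,0,0,0,0,0,0,0,0,0,0,0x1000000};     /* top limb used   */

/* Branchy test-for-zero: returns at the first non-zero limb. The number of
   limbs examined (reported via *steps) depends on the secret value itself,
   which is exactly the timing signal the issue is about. */
int iszero_branchy(const BIG a, int *steps) {
    int n = 0;
    for (int i = 0; i < NLEN; i++) {
        n++;
        if (a[i] != 0) { *steps = n; return 0; }
    }
    *steps = n;
    return 1;
}

/* Branch-free 0/1 from a 64-bit word: 1 if w == 0, else 0. */
static int word_is_zero(uint64_t w) {
    /* for w != 0 either w or -w has its top bit set; for w == 0 neither does */
    return (int)(((w | (0 - w)) >> 63) ^ 1);
}

/* Constant-time test-for-zero: touches every limb, no data-dependent branch. */
int iszero_ct(const BIG a) {
    uint64_t acc = 0;
    for (int i = 0; i < NLEN; i++) acc |= (uint64_t)a[i];
    return word_is_zero(acc);
}

/* Constant-time equality; "is this one?" becomes iseq_ct(a, SAMPLE_ONE). */
int iseq_ct(const BIG a, const BIG b) {
    uint64_t acc = 0;
    for (int i = 0; i < NLEN; i++) acc |= (uint64_t)(a[i] ^ b[i]);
    return word_is_zero(acc);
}

/* r = bit ? b : a, computed without a branch. This is the building block that
   replaces `if (secret) r = b;` in loops such as a binary-GCD style inversion. */
void ct_select(BIG r, const BIG a, const BIG b, int bit) {
    chunk m = (chunk)0 - (chunk)(bit & 1);          /* all-ones or all-zeros mask */
    for (int i = 0; i < NLEN; i++) r[i] = a[i] ^ (m & (a[i] ^ b[i]));
}

int main(void) {
    int s_small, s_large;
    iszero_branchy(SAMPLE_SMALL, &s_small);
    iszero_branchy(SAMPLE_LARGE, &s_large);
    printf("branchy: small value examined %d limbs, large value examined %d\n",
           s_small, s_large);
    printf("constant-time: zero=%d one==one=%d small=%d\n",
           iszero_ct(SAMPLE_ZERO), iseq_ct(SAMPLE_ONE, SAMPLE_ONE), iszero_ct(SAMPLE_SMALL));
    return 0;
}
```

The branchy version examines 1 limb for the small value and all 14 for the large one, so a timing measurement distinguishes the two; the constant-time versions always walk every limb and derive the result from a mask. Two caveats a practitioner will want: a compiler is free to turn the mask arithmetic back into a branch, so the emitted assembly (or a tool such as the cycle-counting tests the issue asks for) still has to be checked, and `word_is_zero` relies on `uint64_t` being 64 bits wide, which is why the shift is by 63.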

@mratsim
Contributor Author

mratsim commented Sep 4, 2020

Solved by #66 and #68 and detailed investigative work in https://notes.status.im/nim-bls-curve-backends

@mratsim mratsim closed this as completed Sep 4, 2020