PQC: Classic McEliece #3883
PQC: Classic McEliece #3883
Conversation
FAlbertDev
force-pushed
the
pqc/classic_mceliece
branch
4 times, most recently
from
f73829f
to
e505390
Compare
atreiber94
force-pushed
the
pqc/classic_mceliece
branch
2 times, most recently
from
04b9314
to
190261d
Compare
This comment was marked as resolved.
This comment was marked as resolved.
reneme
force-pushed
the
pqc/classic_mceliece
branch
6 times, most recently
from
7662592
to
2a3e60f
Compare
This comment was marked as resolved.
This comment was marked as resolved.
| // TODO: Only for test instances. Remove on final PR | ||
| size_t m = Classic_McEliece_GF::log_q_from_mod(mod); | ||
|
|
||
| for(int i = static_cast<int>(m) - 2; i >= 0; --i) { | ||
| x ^= CT::Mask<uint32_t>::expand((uint32_t(1) << (i + m)) & x) | ||
| .if_set_return(static_cast<uint32_t>(mod.get()) << i); | ||
| } | ||
|
|
||
| return GF_Elem(static_cast<uint16_t>(x)); |
There was a problem hiding this comment.
Don't forget to remove (and probably replace by some exception?)
| Code_Word Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params, const Error_Vector& e) const { | ||
| auto s = e.subvector(0, params.pk_no_rows()); | ||
| auto e_T = e.subvector(params.pk_no_rows()); | ||
| auto pk_slicer = BufferSlicer(m_mat_bytes); | ||
|
|
||
| for(size_t i = 0; i < params.pk_no_rows(); ++i) { | ||
| auto pk_current_bytes = pk_slicer.take(params.pk_row_size_bytes()); | ||
| auto row = secure_bitvector(pk_current_bytes, params.n() - params.pk_no_rows()); | ||
| row &= e_T; | ||
| s.at(i) = s.at(i) ^ row.has_odd_hamming_weight(); | ||
| } | ||
|
|
||
| BOTAN_ASSERT_NOMSG(pk_slicer.empty()); | ||
| return s.as<Code_Word>(); | ||
| } |
There was a problem hiding this comment.
This produces quite a few copies and allocations. If that's in the implementation's hot path, we should probably want to have another look. Here's which (I believe cause allocations/copies):
.subvector()always creates a newbitvectorand copies the content into a newly allocated buffer,- the c'tor of
bitvectorcopies the passed-in buffer (particularlypk_current_bytes .as<>produces a copy of thebitvectorwith a new type
For (3): This could already be the right type using e.subvector<Code_Word>(), no?
There was a problem hiding this comment.
Some context: This function is called once per encapsulation. Also, e and s are pretty small, while m_mat_bytes is gigantic. Therefore, 1) and 3) are not critical; I'll apply your suggestion for 3) anyway. I don't know how we can prevent 2) without having something like a bitvector view or dropping the bitvector altogether.
There was a problem hiding this comment.
I think I'll have a timeboxed look into a bitvector that doesn't own its underlying storage. Perhaps that isn't too hard to achieve, especially when we can limit it to byte-aligned subvectors.
| /// Reduced instances for side channel analysis (Self-created test instance with | ||
| /// m=8, n=128, t=8, f(z)=z^8+z^7+z^2+z+1, F(y)=y^8+y^4+y^3+y^2+1) | ||
| /// Minimal instance without semi-systematic matrix creation and no plaintext confirmation | ||
| test, | ||
| /// Minimal instance with semi-systematic matrix creation and no plaintext confirmation | ||
| testf, | ||
| /// Minimal instance without semi-systematic matrix creation and with plaintext confirmation | ||
| testpc, | ||
| /// Minimal instance with semi-systematic matrix creation and with plaintext confirmation | ||
| testpcf |
There was a problem hiding this comment.
TODO: remove before merging
| /** | ||
| * @returns ceil(n/d) | ||
| * TODO: Remove once LMS is merged | ||
| */ | ||
| constexpr size_t ceil_div(size_t n, size_t d) { | ||
| return (n + d - 1) / d; | ||
| } |
There was a problem hiding this comment.
Re-evaluate before merging this.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Thanks a lot for your extensive review, @reneme! I addressed your suggestions and am optimistic that this PR is ready to drop its Draft status 🎉. Note that some suggestions that depend on other PRs are still open, which are not critical, though. Also, note that an extensive side-channel analysis is still in progress. |
src/lib/utils/bitvector.h
Outdated
| constexpr bitref& operator^=(bool other) noexcept { return assign(this->is_set() ^ other); } | ||
|
|
||
| private: | ||
| constexpr bitref& assign(bool bit) noexcept { return (bit) ? set() : unset(); } |
There was a problem hiding this comment.
As discussed, DATA identified this line as a leakage during our SCA review.
Due to the ? operator, a control-flow difference is observed based on the boolean input bit variable.
The assign() routine is used within the push_back() routine, which in turn is used within the decode() routine. This may allow an adversary to observe the error vector e and, hence recover the shared secret.
We suggest to perform both the set() and unset() functions with the input as a mask, for example:
private:
constexpr bitref& assign(bool bit) noexcept {
const block_type assign_mask = 0 - static_cast<block_type>(bit);
this->m_block |= (this->m_mask & assign_mask);
this->m_block &= ~(this->m_mask & ~assign_mask);
return *this;
}
In our case, this results in the following instructions - without any conditional branch based on the input:
[ ... ]
const block_type assign_mask = 0 - static_cast<block_type>(bit);
41d397: 41 f7 dc neg %r12d
[ ... ]
this->m_block |= (this->m_mask & assign_mask);
41d3ab: 44 89 e1 mov %r12d,%ecx
41d3ae: 21 c1 and %eax,%ecx
this->m_block &= ~(this->m_mask & ~assign_mask);
41d3b0: f7 d0 not %eax
this->m_block |= (this->m_mask & assign_mask);
41d3b2: 0a 0a or (%rdx),%cl
this->m_block &= ~(this->m_mask & ~assign_mask);
41d3b4: 44 09 e0 or %r12d,%eax
41d3b7: 21 c8 and %ecx,%eax
[ ... ]
There was a problem hiding this comment.
Thanks for your analysis and your report! I applied your fix using Botan's constant-time helper class (7a0fe59)
| @@ -1,6 +1,8 @@ | |||
| /* | |||
| * An abstraction for an arbitrarily large bitvector that can | |||
There was a problem hiding this comment.
@reneme the code still contains some artefacts for varying the underlying data type that we'd ideally want to get rid of.
FAlbertDev
force-pushed
the
pqc/classic_mceliece
branch
from
5f0efcc
to
54395c2
Compare
src/lib/utils/bit_ops.h
Outdated
| x = (x + (x >> 4)) & 0xF0F0F0F0F0F0F0F; | ||
| return (x * 0x101010101010101) >> 56; | ||
| } else { | ||
| static_assert(!std::unsigned_integral<T>, "T is not a suitable unsigned integer value"); |
There was a problem hiding this comment.
I don’t understand this static_assert - shouldn’t the concept check on T already prevent this? It feels like this is intended to catch the case where T > 64 bits but that doesn’t necesarily apply if the compiler considers a 128 bit integer type to be unsigned_integral (maybe C++20 prohibits this, idk)
Perhaps instead starting the function with
static_assert(sizeof(T) <= 8, “T is not …”)
which anyway seems like a more clear statement of requirement?
There was a problem hiding this comment.
I think you are right. @reneme?
| } | ||
|
|
||
| size_t Classic_McEliece_PublicKey::key_length() const { | ||
| return m_public->matrix().bytes().size(); |
There was a problem hiding this comment.
a) Is it really necessary to encode the matrix (with memory allocation etc) just to determine the key length
b) Is the byte size of the matrix really the best value to return here? Returning the integer encoding of {n}{t} would be just as meaningul (ie, an arbitrary integer that goes upwards as the key gets stronger) while allowing some plausible method of mapping it back to a parameter set.
There was a problem hiding this comment.
a) The matrix object stores the matrix bytes as a member. The method bytes only returns a const reference to these bytes. No new memory is allocated here.
b) Yeah, I got confused by the meaning of the method key length. I assumed it was the size of the public key in bytes without looking into the description. Thanks for mentioning this.
I think the most sensible value is
|
Thanks very much for your initial review 🚀 I'll look into it. |
FAlbertDev
force-pushed
the
pqc/classic_mceliece
branch
from
e431972
to
ddd8094
Compare
|
I rebased to master (which removes the --no-stdout flag commit). |
FAlbertDev
force-pushed
the
pqc/classic_mceliece
branch
2 times, most recently
from
9a5ad0b
to
f6333fd
Compare
|
Lets have another look at the tests. Especially the coverage build time suffers quite a bit from the new tests. Presumably, because it runs an extended test set. This is summing up to a few minutes, though.
|
Yeah.
IMHO, running |
FAlbertDev
force-pushed
the
pqc/classic_mceliece
branch
from
f6333fd
to
3df2804
Compare
|
Rebased to master + commit with some left-over suggestions. |
I applied this and decreased the total time for CMCE long tests from 81 sec to 17 sec. |
Thanks!
I do agree, but then we should move away from running such tests for every push (like we actually do in the "sanitizer" and "coverage" builds, currently). If we wanted to have such long-running tests, we should outsource them to a nightly, to keep CI times manageable for interactive use cases. |
|
@FAlbertDev This needs another rebase. Also, with #3985 merged, it'll need to implement the new method |
- constant time conditional swap with mask - floor_log2 Co-Authored-By: Amos Treiber <amos.treiber@rohde-schwarz.com>
This is an implementation of the Classic McEliece KEM according to the NIST Round 4 submission and the ISO draft 20230419. Co-Authored-By: Amos Treiber <amos.treiber@rohde-schwarz.com>
FAlbertDev
force-pushed
the
pqc/classic_mceliece
branch
from
8271956
to
393f698
Compare
FAlbertDev
force-pushed
the
pqc/classic_mceliece
branch
from
393f698
to
8804b64
Compare
Done! @reneme Do you still want to reduce the test times further for the |
This PR relates to the Classic McEliece KEM as specified in this ISO draft. It also contains the instances defined in the NIST Round 4 submission. The test cases were generated using the NIST submissions reference implementation. Note that Classic McEliece (module
cmce) is not the original McEliece Algorithm that is implemented in Botan'smcemodule. See the Classic McEliece homepage, for a brief comparison.TODO Tracker
Use uint8_t as bitvector return type(see: PQC: Classic McEliece #3883 (comment))