Skip to content

Zeroisation#67

Draft
mberry wants to merge 13 commits intomasterfrom
zeroisation
Draft

Zeroisation#67
mberry wants to merge 13 commits intomasterfrom
zeroisation

Conversation

@mberry
Copy link
Member

@mberry mberry commented Mar 14, 2023

This is an unfinished baseline for full zeroisation of secrets. Transient data like the secretkey polynomials are zeroed.

For now it just does the internals and requires Pin to ensure the same behaviour regardless of the copy on return semantics of platforms/compilers.

mberry added 13 commits January 29, 2023 17:51
@mberry
Remove: Tasks Done
cfc91be
@mberry
Replace: RNG for benchmarking to stabilise results
f60717d 
Now uses deterministic buffers.
Was causing undesirable fluctuation in keypair and encapsulation benches
Fix: lint
Rename: redundant function postfixes
@mberry
Add: 90s-fixslice feature
e7e7d8a 
This uses Rustcrypto's fixslice AES256 implementation in
big-endian 32bit counter mode.
Better side-channel resistance, especially on embedded devices.
Recommend benchmarking before switching to measure any tradeoffs .
Ref: https://eprint.iacr.org/2020/1123.pdf
@mberry
Fix: Conditional compile code duplication
6fc9ee5
@mberry
Merge branch 'master' into rustcrypto-aes256ctr
3a0428e
@mberry
Fix: Conditional compile dependency
70fbac6
@mberry
Merge branch 'rustcrypto-aes256ctr' of https://github.com/Argyle-Soft…
69e3590 
…ware/kyber into rustcrypto-aes256ctr
@mberry
Modify: MSRV from 1.46 -> 1.57
aa6492c 
This is due to the AES dependency used in 90s-fixslice
@mberry
Remove: arm-linux-androideabi tests
a8c43eb 
Add: 90s-fixslice tests
@mberry
Fix: lints
e9b5a60 
Fix: spelling
@mberry
* Add: Zeroize for Keypair
7997c72 
 Basic implementation, doesn't account for move on return behaviour
 Can still leak on certain architectures due to how they manage RVO
 Compliers can also change the semantics of copy elision
 Zeroes out on x86_64 with GCC
 Needs `Pin` and/or `Box` version to ensure correctness across platforms
Zeroises intermediate/transient secrets and coins
* Modify: secret key visibility
* Add: `expose_secret()`, make secret usage explicit
* Modify: Keypair Debug impl to elide secret key
* Add: impl Hash for Keypair, omits secret key
* Add impl Eq/PartialEq for Keypair, omits secret key, non-constant time
* Add: `zeroize!()` macro for code brevity
Removes repeated `#[cfg(feature="zeroize")]` lines
@mberry
Fix: Drop impl only on feature
3b5c7be
@mberry
Move: Zeroing macro
7d7e51d 
Now imported from pqc_core
@mberry mberry changed the base branch from master to rustcrypto-aes256ctr March 14, 2023 04:13
@mberry mberry changed the base branch from rustcrypto-aes256ctr to master March 14, 2023 04:13
@mberry mberry mentioned this pull request Mar 14, 2023
Open
@mberry
Copy link
Member Author

mberry commented Mar 14, 2023

Due to a squash and merge policy never playing well with github this has a lot of already mainlined code.

The meaningful changes are in:

  • api
  • indcpa
  • poly
  • polyvec
  • symmetric (has been hammered by the diff)

zero is a helper macro to remove all the conditional compilation clutter that was building up:

macro_rules! zero {
  ($target: ident) => {
    #[cfg(feature = "zeroize")]
    $target.zeroize(); 
  };
}

@mberry mberry mentioned this pull request Mar 14, 2023
Open
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mberry