I've been recently carrying out code analysis for some of the KEM
implementations submitted to SUPERCOP. In the case of kyber*/ref, I
noticed various "/KYBER_Q" occurrences with variable inputs. In at least
one case, line 190 of crypto_kem/kyber768/ref/poly.c, this is clearly a
secret input. I'd expect measurable, possibly exploitable, timing
variations, very much as in the graph here:
https://www.imperialviolet.org/2013/02/04/luckythirteen.html
Sometimes C compilers will convert divisions to multiplications, but
this depends very much on compiler options. Within available tools to
scan for variable-time instructions, a few (e.g., saferewrite) know how
to check for divisions but most don't.
Side note: As far as I can tell, this sort of security issue is outside
the scope of NIST's draft (see, e.g., "Equivalent implementations" and
the comment "The pseudocode is agnostic regarding how an integer modulo
m is represented in actual implementations or how modular reduction is
computed"). However, occasionally the draft dives into implementation
issues for some unclear reason. I'd suggest deleting the sentence
"Floating-point computations should not be used":
* In context, floating-point computations are no harder to test than
integer computations.
* Maybe floating-point implementations will be variable-time, but the
same is (obviously) true of integer implementations. (Hard to tell
at this point whether the risk is higher or lower; I'd think that
people writing floating-point code are more likely to multiply by a
precomputed constant/q where people writing integer code would use
divisions, and maybe they'll use variable-time floating-point
rounding methods less often than variable-time integer reduction.)
* Having this line about floating-point computations undermines the
draft's consistency in staying away from implementation issues.
Hopefully readers won't think that floating-point is the only Kyber
implementation issue to worry about!
I realize this is past the deadline for comments on the draft, but this
is a very easy change.
---D. J. Bernstein
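The pattern the post describes, a secret value reaching "/KYBER_Q", and the mitigation it hints at, multiplying by a precomputed constant instead of dividing, as an added example (this is not code from the post, from SUPERCOP or from the Kyber reference implementation; the function names, the 1-bit rounding step used as the illustration, and the constant 80636 = ceil(2^28/3329) are this example's own choices):

```c
#include <stdint.h>
#include <stdio.h>

/* Kyber's modulus; public and present in every Kyber implementation. */
#define KYBER_Q 3329

/*
 * Precomputed reciprocal for dividing 16-bit values by KYBER_Q without a
 * division instruction:  DIVQ_MUL = ceil(2^28 / 3329) = 80636.
 * For every x in [0, 65535], (x * DIVQ_MUL) >> 28 == x / KYBER_Q: the
 * overestimate of x/q is at most 65535 * (80636*3329 - 2^28) / (3329 * 2^28)
 * < 1.4e-4, which is smaller than the 1/3329 gap between (q-1)/q and 1, so
 * the floor never moves.  check_div_q_agreement() confirms this
 * exhaustively rather than asking the reader to trust the inequality.
 */
#define DIVQ_MUL   80636u
#define DIVQ_SHIFT 28

/* Reference: the pattern the post warns about.  Whether the compiler emits a
 * hardware divide here (variable-time on many CPUs) or rewrites it as a
 * multiply depends on the compiler and its options. */
uint32_t div_q_variable_time(uint16_t x) {
    return (uint32_t)x / KYBER_Q;
}

/* Replacement: one multiply and one shift, same instruction sequence and
 * same timing for every x. */
uint32_t div_q_ct(uint16_t x) {
    return (uint32_t)(((uint64_t)x * DIVQ_MUL) >> DIVQ_SHIFT);
}

/* Exhaustive agreement check over the whole 16-bit domain.
 * Returns 1 on full agreement, 0 at the first mismatch. */
int check_div_q_agreement(void) {
    for (uint32_t x = 0; x <= 0xFFFF; x++)
        if (div_q_ct((uint16_t)x) != div_q_variable_time((uint16_t)x))
            return 0;
    return 1;
}

/* A 1-bit rounding step of the kind Kyber's compression uses:
 * round(2t/q) mod 2 for a coefficient t in [0, q).  Constructed here to show
 * where a secret coefficient reaches "/KYBER_Q"; not copied from SUPERCOP.
 * Hypothetical names. */
uint8_t round1_variable_time(uint16_t t) {
    uint32_t x = ((uint32_t)t << 1) + KYBER_Q / 2;  /* q/2 is a constant: folded at compile time */
    return (uint8_t)((x / KYBER_Q) & 1);            /* division by q with a secret-dependent numerator */
}

uint8_t round1_ct(uint16_t t) {
    uint32_t x = ((uint32_t)t << 1) + KYBER_Q / 2;  /* x <= 8320 < 2^16 for t < q */
    return (uint8_t)(div_q_ct((uint16_t)x) & 1);
}

/* Exhaustive agreement check over every coefficient value. */
int check_round1_agreement(void) {
    for (uint32_t t = 0; t < KYBER_Q; t++)
        if (round1_ct((uint16_t)t) != round1_variable_time((uint16_t)t))
            return 0;
    return 1;
}

int main(void) {
    printf("div_q agreement over [0, 65535]: %s\n",
           check_div_q_agreement() ? "ok" : "MISMATCH");
    printf("round1 agreement over [0, q):    %s\n",
           check_round1_agreement() ? "ok" : "MISMATCH");
    return 0;
}
```

The exhaustive loops are the point: a reviewer can accept a multiply-and-shift replacement without redoing the bound by hand, because the input domain is small enough to enumerate. As the post notes, the division in the reference version may or may not be turned into a multiply by the compiler, so the reference function is there for comparison, not as something to ship; inspecting the emitted assembly for the build options actually used is the way to know what the compiler did.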