I've looked more closely at the AIMer software, and now have a series of
patches that I recommend to the AIMer package. These patches resolve all
TIMECOP complaints that I'm aware of for the AIMer software, although so
far I've checked only aimer128f and haven't tested on ARM. The patches
are included in
https://cr.yp.to/2024/20240502/kpqc-supercop.tar.gz
and are for the following purposes:
* patch-AIMer-1-reveal: eliminate variable index in nodes[index ^ 1]
as covered in my 16 Apr 2024 23:29:09 +0200 message. I think this
is public data, meaning that there's no security issue, but
changing this to pass TIMECOP makes security review easier.
* patch-AIMer-2-poly64: rewrite poly64_mul() to eliminate variable
indices. This is presumably a security issue for the original
reference and optimized code. This patch doesn't affect the avx2
code, which uses PCLMULQDQ.
* patch-AIMer-3-htole: replace htole64() and le64toh() with byte
computations. These functions aren't always constant-time, and in
general casting byte pointers to uint64_t pointers can crash.
* patch-AIMer-4-loadstore: in the avx2 code, replace _load_ and
_store_ with _loadu_ and _storeu_. The _load_ and _store_ functions
can crash when inputs aren't aligned.
* patch-AIMer-5-square: rewrite SQR_LOW and SQR_HIGH to eliminate
variable indices. This is presumably a security issue for the
original reference and optimized code.
* patch-AIMer-6-selfaddmask: eliminate a variable branch on
GF_getbit(a_, i). I haven't checked if this is public data.
* patch-AIMer-7-commits: eliminate the variable indexing in
commits[rep][i_bar]. I think this is public data.
* patch-AIMer-8-alpha: eliminate the variable indexing in
alpha_v_shares[rep][0][i_bar] and alpha_v_shares[rep][i_bar][0].
I think this is public data.
* patch-AIMer-9-initialize: clear some avx2 buffers that valgrind
was saying have uninitialized data. This could reflect a bug in the
original software.
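For readers who have not written this kind of code before, the following is an added example (not from the AIMer package and not one of the patches above) of the branch-free, index-free idioms that patches 2, 3, 6, 7 and 8 are reaching for: a byte-wise little-endian load/store in place of htole64()/le64toh() and pointer casts, a masked scan in place of a secret-dependent array index, a masked XOR in place of a branch on a secret bit, and a shift-and-mask carryless multiply with no table lookups. All function names are my own and are not AIMer identifiers.

```c
/* Added example of constant-time idioms; hypothetical names, not AIMer code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian load/store done byte by byte: no cast of a byte pointer to
 * uint64_t* (so no alignment trap) and no reliance on htole64()/le64toh(). */
static uint64_t load_le64(const uint8_t *p) {
    uint64_t x = 0;
    for (int i = 7; i >= 0; i--) x = (x << 8) | p[i];
    return x;
}

static void store_le64(uint8_t *p, uint64_t x) {
    for (int i = 0; i < 8; i++) { p[i] = (uint8_t)x; x >>= 8; }
}

/* All-ones when a == b, all-zeros otherwise, with no branch. */
static uint64_t ct_eq_mask(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;
    return ((d | (0 - d)) >> 63) - 1;   /* (d | -d) top bit is set iff d != 0 */
}

/* arr[idx] without a secret-dependent address: touch every slot, keep one.
 * Replaces a lookup such as table[secret] in code TIMECOP would flag. */
static uint64_t ct_lookup_u64(const uint64_t *arr, size_t n, size_t idx) {
    uint64_t r = 0;
    for (size_t i = 0; i < n; i++) r |= arr[i] & ct_eq_mask((uint64_t)i, (uint64_t)idx);
    return r;
}

/* r ^= x exactly when bit i of sel is set, with no branch on the bit.
 * Replaces "if (getbit(sel, i)) r ^= x;" where sel may be secret. */
static uint64_t ct_cond_xor(uint64_t r, uint64_t x, uint64_t sel, int i) {
    return r ^ (x & (0 - ((sel >> i) & 1)));
}

/* Carryless (GF(2)[x]) product of two 64-bit polynomials: out[0] is the low
 * 64 bits, out[1] the high 64 bits. Shift-and-mask only; the loop counter is
 * public, and no array is indexed by data. */
static void ct_poly64_mul(uint64_t a, uint64_t b, uint64_t out[2]) {
    uint64_t lo = 0, hi = 0;
    for (int i = 0; i < 64; i++) {
        uint64_t m = 0 - ((b >> i) & 1);      /* all ones iff bit i of b is set */
        lo ^= (a << i) & m;
        hi ^= ((a >> (63 - i)) >> 1) & m;     /* two shifts avoid shifting by 64 */
    }
    out[0] = lo;
    out[1] = hi;
}

int main(void) {
    const uint8_t bytes[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    uint8_t back[8];
    uint64_t v = load_le64(bytes), prod[2];
    store_le64(back, v);
    ct_poly64_mul(3, 3, prod);                            /* (x+1)^2 = x^2+1 */
    printf("load: %016llx  roundtrip ok: %d\n", (unsigned long long)v,
           back[0] == 1 && back[7] == 8);
    printf("ct_poly64_mul(3,3): hi=%llu lo=%llu\n",
           (unsigned long long)prod[1], (unsigned long long)prod[0]);
    return 0;
}
```

The lookup and conditional XOR cost a full pass or a mask computation every time, which is the price of making the access pattern and the branch history independent of the data; that is exactly the trade the patches above make for the indices and branches they remove.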
For software development, I had mentioned that the options
-g -fsanitize=address -Wall -Wextra
for gcc and clang are useful for catching bugs (although -Wall and
-Wextra very often have false positives); the option
-fsanitize=undefined
can also be useful.
---D. J. Bernstein