AIMer software recommendations


D. J. Bernstein

May 2, 2024, 12:51:48 PM
to kpqc-b...@googlegroups.com
I've looked more closely at the AIMer software, and now have a series of
patches that I recommend to the AIMer package. These patches resolve all
TIMECOP complaints that I'm aware of for the AIMer software, although so
far I've checked only aimer128f and haven't tested on ARM. The patches
are included in

https://cr.yp.to/2024/20240502/kpqc-supercop.tar.gz

and are for the following purposes:

* patch-AIMer-1-reveal: eliminate variable index in nodes[index ^ 1]
as covered in my 16 Apr 2024 23:29:09 +0200 message. I think this
is public data, meaning that there's no security issue, but
changing this to pass TIMECOP makes security review easier.

* patch-AIMer-2-poly64: rewrite poly64_mul() to eliminate variable
indices. This is presumably a security issue for the original
reference and optimized code. This patch doesn't affect the avx2
code, which uses PCLMULQDQ.

* patch-AIMer-3-htole: replace htole64() and le64toh() with byte
computations. These functions aren't always constant-time, and in
general casting byte pointers to uint64_t pointers can crash.

* patch-AIMer-4-loadstore: in the avx2 code, replace _load_ and
_store_ with _loadu_ and _storeu_. The _load_ and _store_ functions
can crash when inputs aren't aligned.

* patch-AIMer-5-square: rewrite SQR_LOW and SQR_HIGH to eliminate
variable indices. This is presumably a security issue for the
original reference and optimized code.

* patch-AIMer-6-selfaddmask: eliminate a variable branch on
GF_getbit(a_, i). I haven't checked if this is public data.

* patch-AIMer-7-commits: eliminate the variable indexing in
commits[rep][i_bar]. I think this is public data.

* patch-AIMer-8-alpha: eliminate the variable indexing in
alpha_v_shares[rep][0][i_bar] and alpha_v_shares[rep][i_bar][0].
I think this is public data.

* patch-AIMer-9-initialize: clear some avx2 buffers that valgrind
was saying have uninitialized data. This could reflect a bug in the
original software.
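To make the constant-time rewrites in patches 2, 3, 5 and 6 concrete, here is an added example (my own illustration, not code from the AIMer package or from the patches above). It shows the three building blocks those patches rely on: byte-wise little-endian load/store in place of htole64()/le64toh() and pointer casts, a branch-free mask in place of a branch on GF_getbit(), and a carry-less multiply and square over GF(2)[x] that never index an array with an operand bit. The function names and sample inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte-wise little-endian load/store. Replaces htole64()/le64toh() plus a
 * pointer cast: no unaligned uint64_t access and no library call whose
 * timing behaviour we do not control. */
uint64_t load64_le(const uint8_t in[8]) {
    uint64_t r = 0;
    for (int i = 7; i >= 0; i--) r = (r << 8) | in[i];
    return r;
}

void store64_le(uint8_t out[8], uint64_t v) {
    for (int i = 0; i < 8; i++) { out[i] = (uint8_t)(v & 0xff); v >>= 8; }
}

/* All-ones mask when the low bit is set, zero otherwise. This is the
 * branch-free replacement for "if (GF_getbit(a, i)) ...". */
uint64_t ct_mask(uint64_t bit) { return (uint64_t)0 - (bit & 1); }

/* Carry-less product of two 64-bit GF(2) polynomials as a 128-bit value
 * (hi:lo). Every one of the 64 iterations does identical work; operand bits
 * only pass through ct_mask(), never through a branch or an array index. */
void poly64_mul_ct(uint64_t a, uint64_t b, uint64_t *hi, uint64_t *lo) {
    uint64_t rhi = 0, rlo = 0;
    for (int i = 0; i < 64; i++) {
        uint64_t m = ct_mask(b >> i);
        rlo ^= (a << i) & m;
        /* the high word receives the bits shifted out of the low word;
         * the double shift avoids the undefined shift by 64 when i == 0 */
        rhi ^= ((a >> (63 - i)) >> 1) & m;
    }
    *hi = rhi;
    *lo = rlo;
}

/* Spread the low 32 bits of x so that bit k lands at bit 2k. Squaring over
 * GF(2) is exactly this spreading, so no lookup table is needed. */
uint64_t spread32(uint64_t x) {
    x &= 0xffffffffULL;
    x = (x | (x << 16)) & 0x0000ffff0000ffffULL;
    x = (x | (x << 8))  & 0x00ff00ff00ff00ffULL;
    x = (x | (x << 4))  & 0x0f0f0f0f0f0f0f0fULL;
    x = (x | (x << 2))  & 0x3333333333333333ULL;
    x = (x | (x << 1))  & 0x5555555555555555ULL;
    return x;
}

/* Constant-time square: the low 32 input bits form the low result word,
 * the high 32 input bits form the high result word. */
void poly64_sqr_ct(uint64_t a, uint64_t *hi, uint64_t *lo) {
    *lo = spread32(a);
    *hi = spread32(a >> 32);
}

/* Cross-check: squaring must agree with multiplying a value by itself.
 * Returns 1 when both agree on the constructed sample inputs. */
int selfcheck(void) {
    const uint64_t samples[] = { 0, 1, 3, 0x8000000000000000ULL,
                                 0xdeadbeefcafef00dULL, 0xffffffffffffffffULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t h1, l1, h2, l2;
        poly64_mul_ct(samples[i], samples[i], &h1, &l1);
        poly64_sqr_ct(samples[i], &h2, &l2);
        if (h1 != h2 || l1 != l2) return 0;
    }
    return 1;
}

int main(void) {
    uint8_t buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input bytes */
    uint64_t hi, lo;
    uint64_t v = load64_le(buf);
    poly64_mul_ct(v, 3, &hi, &lo);               /* multiply by x + 1 */
    printf("load64_le = %016llx\n", (unsigned long long)v);
    printf("v * (x+1) = %016llx%016llx\n",
           (unsigned long long)hi, (unsigned long long)lo);
    printf("selfcheck = %d\n", selfcheck());
    return 0;
}
```

The bit-serial multiply is deliberately the simplest constant-time form; it is slower than a table or PCLMULQDQ, which is the trade-off the avx2 code avoids by using the instruction directly. The point for review is that TIMECOP (valgrind tracking the secret bits) sees no secret-dependent branch or address anywhere in these routines.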

For software development, I had mentioned that the options

-g -fsanitize=address -Wall -Wextra

for gcc and clang are useful for catching bugs (although -Wall and
-Wextra very often have false positives); the option

-fsanitize=undefined

can also be useful.

---D. J. Bernstein

D. J. Bernstein

May 2, 2024, 1:03:59 PM
to kpqc-b...@googlegroups.com

Sangyub Lee

May 10, 2024, 6:34:52 AM
to KpqC-bulletin
Thank you for your suggestions on implementing AIMer.

We're working on an updated version based on your patch, focusing on minimizing performance loss during signature generation while ensuring compatibility with TIMECOP.

The updates will be as follows:

- Instead of using patches patch-AIMer-1-reveal, patch-AIMer-7-commits, and patch-AIMer-8-alpha, we'll utilize 'crypto_declassify' on 'indices' in the 'aimer_sign' function in aimer.c since it's a public variable.

- We'll employ the constant-time version of squaring on the entire reference and optimized implementation (as outlined in patch-AIMer-2-poly64).

- Similarly, we'll use the constant-time multiplication method for the entire key generation, but for signing we'll use it selectively on critical data for performance (also from patch-AIMer-2-poly64).

The updated version will be available on the AIMer Signature site (aimer-signature.org), and we will post when it is ready.

Best regards,
Sangyub Lee

On Friday, May 3, 2024 at 2:03:59 AM UTC+9, D. J. Bernstein wrote:
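The two routes the thread discusses for the commits[rep][i_bar] style lookups, shown side by side as an added example (my own illustration, not AIMer's code and not part of either message above): declassifying a public index and indexing directly, versus the masked full scan that patches 7 and 8 use. The `crypto_declassify` below is a no-op stand-in modelled on the SUPERCOP function of that name, which under TIMECOP marks the bytes as defined for valgrind; its exact expansion, the table sizes and the sample contents are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_PARTIES 8     /* constructed: parties per repetition */
#define COMMIT_BYTES 32   /* constructed: size of one commitment */

/* Stand-in for SUPERCOP's crypto_declassify (assumed shape). Under TIMECOP
 * it tells valgrind that these bytes are now "defined", so using them as an
 * index or branch condition is no longer reported. Outside valgrind it is a
 * no-op, which is exactly what this stub does. */
void crypto_declassify(void *x, size_t n) { (void)x; (void)n; }

/* Option A, the reply's approach: i_bar is a public challenge index, so
 * declassify it and index directly. No overhead, but only sound when the
 * index really is public; the declassify call documents that claim. */
void pick_commit_declassified(uint8_t out[COMMIT_BYTES],
                              uint8_t commits[NUM_PARTIES][COMMIT_BYTES],
                              uint32_t i_bar) {
    crypto_declassify(&i_bar, sizeof i_bar);
    memcpy(out, commits[i_bar], COMMIT_BYTES);
}

/* Option B, what patch-AIMer-7/8 do instead: read every entry and keep only
 * the one whose index matches, with the match computed as a byte mask. The
 * memory access pattern is independent of i_bar; cost is NUM_PARTIES reads. */
void pick_commit_ct(uint8_t out[COMMIT_BYTES],
                    uint8_t commits[NUM_PARTIES][COMMIT_BYTES],
                    uint32_t i_bar) {
    memset(out, 0, COMMIT_BYTES);
    for (uint32_t j = 0; j < NUM_PARTIES; j++) {
        uint32_t diff = j ^ i_bar;
        /* nz is 1 when diff != 0, else 0; mask is 0xff only when j == i_bar */
        uint32_t nz = (diff | (0u - diff)) >> 31;
        uint8_t mask = (uint8_t)(nz - 1);
        for (size_t k = 0; k < COMMIT_BYTES; k++) out[k] |= commits[j][k] & mask;
    }
}

/* Fill a constructed commitment table where byte k of entry j is j*16+k,
 * then check that both selection routines agree for every index. */
int commits_agree(void) {
    uint8_t commits[NUM_PARTIES][COMMIT_BYTES];
    for (uint32_t j = 0; j < NUM_PARTIES; j++)
        for (size_t k = 0; k < COMMIT_BYTES; k++)
            commits[j][k] = (uint8_t)(j * 16 + k);
    for (uint32_t i_bar = 0; i_bar < NUM_PARTIES; i_bar++) {
        uint8_t a[COMMIT_BYTES], b[COMMIT_BYTES];
        pick_commit_declassified(a, commits, i_bar);
        pick_commit_ct(b, commits, i_bar);
        if (memcmp(a, b, COMMIT_BYTES) != 0) return 0;
        if (a[0] != (uint8_t)(i_bar * 16)) return 0;
    }
    return 1;
}

int main(void) {
    printf("declassified and constant-time lookups agree: %d\n", commits_agree());
    return 0;
}
```

Which option is right depends only on whether i_bar is genuinely public: the masked scan is safe regardless but scales with the table size, which is why the reply prefers declassification for the signing path and keeps constant-time arithmetic where the data is secret.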