Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added FIPS 204 documentation, cleanse intermediate values #2017

Merged
merged 8 commits into from
Dec 10, 2024

Conversation

jakemas
Copy link
Contributor

@jakemas jakemas commented Nov 26, 2024

Issues:

Resolves CryptoAlg-2799

Description of changes:

This PR addresses the following:

Documentation:

  • addition of documentation for FIPS 204. To maintain a clearer implementation of the specification, I have added call outs in the function descriptors that describe the respective algorithm identifiers (name and algorithm number) in FIPS 204.
  • For functions that were missing documentation, this has been added.

Clean up:

  • DBENCH internal benchmarking within poly.c has been removed.
  • Migrated the files touched over to AWS-LC style "loop" guidelines, that are encased in brackets.

New addition intermediate value cleanse:

  • FIPS 204 states: "Implementations of ML-DSA shall ensure that any potentially sensitive intermediate data is destroyed as soon as it is no longer needed." Two particular cases in which implementations may refrain from destroying intermediate data are:
    • The seed xi generated in step 1 of ML-DSA.KeyGen (Algorithm 1) can be stored for the purpose of later expansion. As it can be used to generate the private key, it shall be treated with the same safeguards as a private key.
    • The matrix \hat{A} generated in step 3 of ML-DSA.KeyGen_internal (Algorithm 6) can be stored so that it need not be recomputed in later operations. Likewise, the matrix \hat{A} generated in step 5 of ML-DSA.Verify_internal(Algorithm 8). This data is public and can be derived from the public key.

Callouts:

  • Pointers in crypto_sign_signature_internal namely, uint8_t *rho, *tr, *key, *mu, *rhoprime; have pointer addresses cleansed.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@jakemas jakemas requested a review from a team as a code owner November 26, 2024 20:45
@codecov-commenter
Copy link

codecov-commenter commented Nov 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.67%. Comparing base (412018d) to head (a8777cd).
Report is 23 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2017      +/-   ##
==========================================
+ Coverage   78.62%   78.67%   +0.05%     
==========================================
  Files         596      598       +2     
  Lines      103012   103350     +338     
  Branches    14661    14692      +31     
==========================================
+ Hits        80989    81313     +324     
- Misses      21373    21385      +12     
- Partials      650      652       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@@ -15,6 +15,8 @@ that initialize a given structure with values corresponding to a parameter set.
- `reduce.c`: a small fix to documentation has been made on the bounds of `reduce32`.
- `poly.c`: a small fix to documentation has been made on the bounds of `poly_reduce`.
- `polyvec.c`: a small fix to documentation has been made on the bounds of `polyveck_reduce`.
- Documentation has been added to `ntt.c`, `packing.c`, `poly.c`, `polyvec.c`, and `reduce.c` that outlines the algorithm specification (including algorithm number) in FIPS 204.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refers to reduce.c instead of rounding.c

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice spot! fixed 0f43f79

crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c Outdated Show resolved Hide resolved
/* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
OPENSSL_cleanse(seedbuf, sizeof(seedbuf));
OPENSSL_cleanse(tr, sizeof(tr));
OPENSSL_cleanse(&rho, SEEDBYTES);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still doesn't seem right. You're passing in the address of rho (which is pointer type whose size is sizeof(uint_8*) and clearing SEEDBYTES from that address. I believe this is a buffer overrun on the stack frame. Can someone check my work? I think what you want is to either not do any cleansing at all and assume that the pointer values are not sensitive, or you want to replace SEEDBYTES with sizeof(rho) to basically set the pointer to 0. Same goes for the other pointers here.

Copy link
Contributor Author

@jakemas jakemas Dec 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh I see you are correct. For reference, check what we did for ML-KEM for the same requirement, I was following this same methodology: #1883

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed the cleansing of pointers in dafaa7e

crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c Outdated Show resolved Hide resolved
geedo0
geedo0 previously approved these changes Dec 5, 2024
@dkostic
Copy link
Contributor

dkostic commented Dec 5, 2024

general comment: please try to do one thing per PR. For example, this PR should be 3 separate ones:

  • adding documentation,
  • cleanse intermediate values,
  • refactoring you did (adding {})

@jakemas
Copy link
Contributor Author

jakemas commented Dec 5, 2024

general comment: please try to do one thing per PR. For example, this PR should be 3 separate ones:

  • adding documentation,
  • cleanse intermediate values,
  • refactoring you did (adding {})

Thank for you that feedback!

Copy link
Contributor

@geedo0 geedo0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only thing that concerns me here is the treatment of signs. I'm indifferent on the topic of clearing pointer values.

Comment on lines 76 to 78
OPENSSL_cleanse(&rho, sizeof(rho));
OPENSSL_cleanse(&rhoprime, sizeof(rhoprime));
OPENSSL_cleanse(&key, sizeof(key));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pointer values are no more sensitive than integer offsets. Don't think we need these anymore.

Comment on lines 245 to 249
OPENSSL_cleanse(&rho, sizeof(rho));
OPENSSL_cleanse(&tr, sizeof(tr));
OPENSSL_cleanse(&key, sizeof(key));
OPENSSL_cleanse(&mu, sizeof(mu));
OPENSSL_cleanse(&rhoprime, sizeof(rhoprime));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment above on pointer values.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! I agree with you on signs, cleansed in 015ccd6. To be consistant wit ML-KEM I'll leave the cleansing of the pointers in to see what other reviewers think.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gerardo talks about these
uint8_t *rho, *tr, *key, *mu, *rhoprime;

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Just wanted your perspective before making the change! fixed in a8777cd

geedo0
geedo0 previously approved these changes Dec 6, 2024
* coefficients are in [-eta, eta].
*
* Arguments: - ml_dsa_params: parameter struct
* - polyvecl v: pointer to input vector
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* - polyvecl v: pointer to input vector
* - polyvecl v: pointer to output vector

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed in a8777cd

* coefficients are in [-gamma1 + 1, gamma1].
*
* Arguments: - ml_dsa_params: parameter struct
* - polyvecl v: pointer to input vector
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* - polyvecl v: pointer to input vector
* - polyvecl v: pointer to output vector

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed in a8777cd

* coefficients are in [-eta, eta].
*
* Arguments: - ml_dsa_params: parameter struct
* - polyveck v: pointer to input vector
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* - polyveck v: pointer to input vector
* - polyveck v: pointer to output vector

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed in a8777cd

Comment on lines 245 to 249
OPENSSL_cleanse(&rho, sizeof(rho));
OPENSSL_cleanse(&tr, sizeof(tr));
OPENSSL_cleanse(&key, sizeof(key));
OPENSSL_cleanse(&mu, sizeof(mu));
OPENSSL_cleanse(&rhoprime, sizeof(rhoprime));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gerardo talks about these
uint8_t *rho, *tr, *key, *mu, *rhoprime;

@geedo0 geedo0 merged commit 18cc07d into aws:main Dec 10, 2024
119 of 124 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants