[base/hardened_memory] Add modular reduction support #29752
nasahlpa merged 1 commit into lowRISC:earlgrey_1.0.0 from
Conversation
| uint32_t temp_sub[word_len]; | ||
| uint32_t borrow = 0; | ||
| size_t count = 0; | ||
| for (; launderw(count) < word_len; count = launderw(count) + 1) { |
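Review bot: `temp_sub[word_len]` is a variable-length array sized by a runtime argument, so a bound on `word_len` (or a fixed maximum with a check) belongs before this declaration to keep stack use predictable on the target; the `launderw` loop here also ends without the `HARDENED_CHECK_EQ(count, word_len)`-style counter check that the `j` loop later in the diff has, and the two should be consistent.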
dummy q: this is constant time for sure?
Counter q: maybe it is better that, similar to the gcm timing functest, I implement a test to check whether it is?
I added a simple timing functest. It did catch some non-constant-time lines.
| count = 0; | ||
| for (; launderw(count) < word_len; count = launderw(count) + 1) { | ||
| dest[count] = (temp_add[count] & mask) | (temp_sub[count] & ~mask); |
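Review bot: the select `(temp_add[count] & mask) | (temp_sub[count] & ~mask)` is branch-free as written, but it is only correct if `mask` is exactly all-ones or all-zero; a comment on this line stating that all-ones selects `temp_add` (and where `mask` is derived from the borrow) would let a reader verify the polarity against the mask computation, and the timing functest should exercise both borrow outcomes so that the compiler turning the mask derivation into a branch would be caught.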
would we need to check assembly to see if this translates to a const time routine as expected?
I guess this is covered with the test?
The other option here is to use RISC-V's cmov operation, but that would be using assembly instead of code
Force-push: facdc57 to 3959c5a
Azure Pipelines: 1 pipeline(s) were filtered out due to trigger conditions.
Force-push: 3959c5a to a6e253e
johannheyszl left a comment:
Thanks @siemen11! IIUC, the timing is constant. LGTM
| } | ||
| HARDENED_CHECK_EQ(j, 2 * word_len); | ||
|
|
||
| uint32_t mask = (borrow == 0) * UINT32_MAX; |
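Review bot: `(borrow == 0) * UINT32_MAX` relies on the compiler emitting a branch-free comparison, which is not guaranteed; whichever mask derivation is used, the invariant that `borrow` is exactly 0 or 1 at this point should be documented on the helper that produces it, because `borrow - 1` (the suggested replacement) yields a non-uniform mask for any other value, and `0u - (borrow ^ 1)` would be the safer form if `borrow` can only be promised to be zero or nonzero.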
We could replace this with:
| uint32_t mask = (borrow == 0) * UINT32_MAX; | |
| uint32_t mask = borrow - 1; |
Force-push: a6e253e to 5176f80
nasahlpa left a comment:
Had again a look, looks good to me.
Maybe @andrea-caforio also can have a look please?
| } | ||
|
|
||
| #ifdef OT_PLATFORM_RV32 | ||
| static inline uint32_t rv32_addc(uint32_t x, uint32_t y, uint32_t *carry) { |
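Review bot: `rv32_addc` is guarded by `#ifdef OT_PLATFORM_RV32` and no `#else` branch is visible in this hunk; the non-RV32 build (where the functest is also compiled) needs either a portable fallback or an explicit `#error`, and the header comment should state the contract that `*carry` is 0 or 1 on entry and on exit, since the mask derivation elsewhere in the diff depends on it.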
Can you please add a header and some comments similar to rv32_sel.
| return (status_t){.value = (int32_t)launder32((uint32_t)OTCRYPTO_OK.value)}; | ||
| } | ||
|
|
||
| status_t hardened_mod_reduce(const uint32_t *value, const uint32_t *n, |
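Review bot: `hardened_mod_reduce` returns `status_t` like the function above it, which launders `OTCRYPTO_OK` so that a glitched return path cannot accidentally produce the success value; the new function's doc comment should spell out its preconditions (limb order, how large `value` may be relative to `n`, `n` nonzero) next to the requested algorithm comments, because a caller that violates them gets a silently wrong residue rather than an error.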
Would it be possible to add a few comments to make it easier to follow along the algorithm from the paper? I'd like to understand it but it's quite opaque like that.
It is opaque because the comment lied, hehe; added comments now.
Thanks, I think I understand it now.
Force-push: 5176f80 to 87fc03c
Force-push: 196f774 to 865e270
For the arithmetic sharings for ECC, we use a modular subtraction; implement helper functions which are constant time and hardened against fault injection. Also added a functest for the hardened arithmetic operations to check whether they are constant time and whether they are correct on an RV platform. The functions, including the add and sub functions, are written to use the RISC-V instructions when on such a platform. This is to enforce the constant-time nature of the operations. Helper functions for add, sub, and select are created.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
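The commit message above and the mask discussion earlier in the thread (`mask = borrow - 1`, `(temp_add & mask) | (temp_sub & ~mask)`) describe the technique without showing a complete routine. The following is an added, portable C example of that technique, not the project's own `hardened_memory` code: `ct_launder`, `ct_sel32`, `ct_addc32`, `ct_subb32`, `ct_mod_add` and `ct_mod_sub` are hypothetical names chosen here, `CT_MAX_WORDS` is a constructed limit, and the inline-asm optimisation barrier assumes GCC or Clang. It shows the borrow-derived mask, the branch-free limb select, and a laundered loop counter checked at the end, for both modular addition and modular subtraction.

```c
#include <stddef.h>
#include <stdint.h>

/* Limb-count limit for this example (256-bit values); a constructed bound,
 * not something the OpenTitan helpers impose. */
#define CT_MAX_WORDS 8

/* Optimisation barrier in the spirit of OpenTitan's launderw(): the compiler
 * cannot see through the empty asm, so it cannot rewrite mask arithmetic or
 * the loop bound into a data-dependent branch. GCC/Clang idiom, assumed here. */
static inline size_t ct_launder(size_t v) {
#if defined(__GNUC__)
  __asm__ volatile("" : "+r"(v));
#endif
  return v;
}

/* Branch-free select: a when mask is all-ones, b when mask is zero. */
static inline uint32_t ct_sel32(uint32_t mask, uint32_t a, uint32_t b) {
  return (a & mask) | (b & ~mask);
}

/* x + y + *carry without a branch; *carry is 0 or 1 on entry and on exit.
 * The unsigned comparisons normally compile to sltu on RV32, not a branch. */
static inline uint32_t ct_addc32(uint32_t x, uint32_t y, uint32_t *carry) {
  uint32_t s = x + y;
  uint32_t c = (uint32_t)(s < x);
  uint32_t r = s + *carry;
  c |= (uint32_t)(r < s);
  *carry = c;
  return r;
}

/* x - y - *borrow without a branch; *borrow is 0 or 1 on entry and on exit. */
static inline uint32_t ct_subb32(uint32_t x, uint32_t y, uint32_t *borrow) {
  uint32_t d = x - y;
  uint32_t b = (uint32_t)(x < y);
  uint32_t r = d - *borrow;
  b |= (uint32_t)(d < *borrow);
  *borrow = b;
  return r;
}

/* dest = (a + b) mod n on little-endian limbs, requiring a, b < n.
 * Returns 0 on success, -1 for an unsupported length or if the laundered
 * counter did not end at word_len (a cheap stand-in for HARDENED_CHECK_EQ). */
int ct_mod_add(uint32_t *dest, const uint32_t *a, const uint32_t *b,
               const uint32_t *n, size_t word_len) {
  uint32_t sum[CT_MAX_WORDS], red[CT_MAX_WORDS];
  uint32_t carry = 0, borrow = 0, take_red, mask;
  size_t i;
  if (word_len == 0 || word_len > CT_MAX_WORDS) return -1;
  for (i = 0; ct_launder(i) < word_len; i = ct_launder(i) + 1) {
    sum[i] = ct_addc32(a[i], b[i], &carry);
  }
  for (i = 0; ct_launder(i) < word_len; i = ct_launder(i) + 1) {
    red[i] = ct_subb32(sum[i], n[i], &borrow);
  }
  /* a + b - n is the result when the addition carried out of the top limb or
   * the subtraction did not borrow; otherwise a + b was already below n.
   * Both flags are 0/1, so 0u - flag is an all-ones or all-zero mask. */
  take_red = carry | (borrow ^ 1u);
  mask = 0u - take_red;
  for (i = 0; ct_launder(i) < word_len; i = ct_launder(i) + 1) {
    dest[i] = ct_sel32(mask, red[i], sum[i]);
  }
  return (ct_launder(i) == word_len) ? 0 : -1;
}

/* dest = (a - b) mod n on little-endian limbs, requiring a, b < n. */
int ct_mod_sub(uint32_t *dest, const uint32_t *a, const uint32_t *b,
               const uint32_t *n, size_t word_len) {
  uint32_t diff[CT_MAX_WORDS], fix[CT_MAX_WORDS];
  uint32_t carry = 0, borrow = 0, mask;
  size_t i;
  if (word_len == 0 || word_len > CT_MAX_WORDS) return -1;
  for (i = 0; ct_launder(i) < word_len; i = ct_launder(i) + 1) {
    diff[i] = ct_subb32(a[i], b[i], &borrow);
  }
  /* Always compute diff + n as well, regardless of the borrow, so the work
   * done does not depend on the operands; the carry out is discarded. */
  for (i = 0; ct_launder(i) < word_len; i = ct_launder(i) + 1) {
    fix[i] = ct_addc32(diff[i], n[i], &carry);
  }
  mask = 0u - borrow; /* all-ones iff a < b, i.e. the raw difference wrapped */
  for (i = 0; ct_launder(i) < word_len; i = ct_launder(i) + 1) {
    dest[i] = ct_sel32(mask, fix[i], diff[i]);
  }
  return (ct_launder(i) == word_len) ? 0 : -1;
}
```

Two caveats a practitioner should keep in mind. First, the `s < x` and `x < y` comparisons are what the PR sidesteps on RV32 by going to the native instructions in `rv32_addc` and friends: compiled C carries no constant-time guarantee, and a compiler is free to lower either the comparison or the mask into a branch, which is exactly why the PR adds a timing functest rather than trusting inspection. Second, the end-of-loop counter check only detects a skipped or repeated iteration; it does nothing about a glitch on `mask` itself, so the real helpers' laundering and hardened checks on the selected data are not replaced by this sketch.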
Force-push: 865e270 to 631e186
Backport failed for Please cherry-pick the changes locally and resolve any conflicts.
git fetch origin master
git worktree add -d .worktree/backport-29752-to-master origin/master
cd .worktree/backport-29752-to-master
git switch --create backport-29752-to-master
git cherry-pick -x 631e186ab043a1d62de837cb5e97cad0973c19f1
Add helper functions for modular reduction or modular addition/subtraction.