From feea2f386430fd241bbb38d7daf8a78205352cec Mon Sep 17 00:00:00 2001
From: Ted Eaton
Date: Wed, 25 May 2022 10:47:34 -0400
Subject: [PATCH] Issues and passes for aarch64 const time checks (#1214)
---
 tests/constant_time/kem/passes/kyber | 14 ++++
 tests/constant_time/sig/issues.json | 72 +++++++++----------
 tests/constant_time/sig/issues/sphincs | 7 ++
 tests/constant_time/sig/passes.json | 12 ++--
 .../sig/passes/dilithium-aarch64 | 48 +++++++++++++
 5 files changed, 111 insertions(+), 42 deletions(-)
 create mode 100644 tests/constant_time/sig/issues/sphincs
 create mode 100644 tests/constant_time/sig/passes/dilithium-aarch64
diff --git a/tests/constant_time/kem/passes/kyber b/tests/constant_time/kem/passes/kyber
index 189d64cc2..63a11707c 100644
--- a/tests/constant_time/kem/passes/kyber
+++ b/tests/constant_time/kem/passes/kyber
@@ -19,3 +19,17 @@
 fun:pqcrystals_kyber*_avx2_gen_matrix
 fun:pqcrystals_kyber*_avx2_indcpa_*
 }
+{
+ Rejection sampling to produce public "A" matrix
+ Memcheck:Value8
+ ...
+ fun:PQCLEAN_KYBER*_AARCH64_gen_matrix
+ fun:PQCLEAN_KYBER*_AARCH64_indcpa_*
+}
+{
+ Rejection sampling to produce public "A" matrix
+ Memcheck:Cond
+ ...
+ fun:PQCLEAN_KYBER*_AARCH64_gen_matrix
+ fun:PQCLEAN_KYBER*_AARCH64_indcpa_*
+}
diff --git a/tests/constant_time/sig/issues.json b/tests/constant_time/sig/issues.json
index b8c3abc18..878c8d477 100644
--- a/tests/constant_time/sig/issues.json
+++ b/tests/constant_time/sig/issues.json
@@ -17,42 +17,42 @@
 "Rainbow-V-Circumzenithal": [],
 "Rainbow-V-Classic": [],
 "Rainbow-V-Compressed": [],
- "SPHINCS+-Haraka-128f-robust": [],
- "SPHINCS+-Haraka-128f-simple": [],
- "SPHINCS+-Haraka-128s-robust": [],
- "SPHINCS+-Haraka-128s-simple": [],
- "SPHINCS+-Haraka-192f-robust": [],
- "SPHINCS+-Haraka-192f-simple": [],
- "SPHINCS+-Haraka-192s-robust": [],
- "SPHINCS+-Haraka-192s-simple": [],
- "SPHINCS+-Haraka-256f-robust": [],
- "SPHINCS+-Haraka-256f-simple": [],
- "SPHINCS+-Haraka-256s-robust": [],
- "SPHINCS+-Haraka-256s-simple": [],
- "SPHINCS+-SHA256-128f-robust": [],
- "SPHINCS+-SHA256-128f-simple": [],
- "SPHINCS+-SHA256-128s-robust": [],
- "SPHINCS+-SHA256-128s-simple": [],
- "SPHINCS+-SHA256-192f-robust": [],
- "SPHINCS+-SHA256-192f-simple": [],
- "SPHINCS+-SHA256-192s-robust": [],
- "SPHINCS+-SHA256-192s-simple": [],
- "SPHINCS+-SHA256-256f-robust": [],
- "SPHINCS+-SHA256-256f-simple": [],
- "SPHINCS+-SHA256-256s-robust": [],
- "SPHINCS+-SHA256-256s-simple": [],
- "SPHINCS+-SHAKE256-128f-robust": [],
- "SPHINCS+-SHAKE256-128f-simple": [],
- "SPHINCS+-SHAKE256-128s-robust": [],
- "SPHINCS+-SHAKE256-128s-simple": [],
- "SPHINCS+-SHAKE256-192f-robust": [],
- "SPHINCS+-SHAKE256-192f-simple": [],
- "SPHINCS+-SHAKE256-192s-robust": [],
- "SPHINCS+-SHAKE256-192s-simple": [],
- "SPHINCS+-SHAKE256-256f-robust": [],
- "SPHINCS+-SHAKE256-256f-simple": [],
- "SPHINCS+-SHAKE256-256s-robust": [],
- "SPHINCS+-SHAKE256-256s-simple": [],
+ "SPHINCS+-Haraka-128f-robust": ["sphincs"],
+ "SPHINCS+-Haraka-128f-simple": ["sphincs"],
+ "SPHINCS+-Haraka-128s-robust": ["sphincs"],
+ "SPHINCS+-Haraka-128s-simple": ["sphincs"],
+ "SPHINCS+-Haraka-192f-robust": ["sphincs"],
+ "SPHINCS+-Haraka-192f-simple": ["sphincs"],
+ "SPHINCS+-Haraka-192s-robust": ["sphincs"],
+ "SPHINCS+-Haraka-192s-simple": ["sphincs"],
+ "SPHINCS+-Haraka-256f-robust": ["sphincs"],
+ "SPHINCS+-Haraka-256f-simple": ["sphincs"],
+ "SPHINCS+-Haraka-256s-robust": ["sphincs"],
+ "SPHINCS+-Haraka-256s-simple": ["sphincs"],
+ "SPHINCS+-SHA256-128f-robust": ["sphincs"],
+ "SPHINCS+-SHA256-128f-simple": ["sphincs"],
+ "SPHINCS+-SHA256-128s-robust": ["sphincs"],
+ "SPHINCS+-SHA256-128s-simple": ["sphincs"],
+ "SPHINCS+-SHA256-192f-robust": ["sphincs"],
+ "SPHINCS+-SHA256-192f-simple": ["sphincs"],
+ "SPHINCS+-SHA256-192s-robust": ["sphincs"],
+ "SPHINCS+-SHA256-192s-simple": ["sphincs"],
+ "SPHINCS+-SHA256-256f-robust": ["sphincs"],
+ "SPHINCS+-SHA256-256f-simple": ["sphincs"],
+ "SPHINCS+-SHA256-256s-robust": ["sphincs"],
+ "SPHINCS+-SHA256-256s-simple": ["sphincs"],
+ "SPHINCS+-SHAKE256-128f-robust": ["sphincs"],
+ "SPHINCS+-SHAKE256-128f-simple": ["sphincs"],
+ "SPHINCS+-SHAKE256-128s-robust": ["sphincs"],
+ "SPHINCS+-SHAKE256-128s-simple": ["sphincs"],
+ "SPHINCS+-SHAKE256-192f-robust": ["sphincs"],
+ "SPHINCS+-SHAKE256-192f-simple": ["sphincs"],
+ "SPHINCS+-SHAKE256-192s-robust": ["sphincs"],
+ "SPHINCS+-SHAKE256-192s-simple": ["sphincs"],
+ "SPHINCS+-SHAKE256-256f-robust": ["sphincs"],
+ "SPHINCS+-SHAKE256-256f-simple": ["sphincs"],
+ "SPHINCS+-SHAKE256-256s-robust": ["sphincs"],
+ "SPHINCS+-SHAKE256-256s-simple": ["sphincs"],
 "picnic3_L1": [],
 "picnic3_L3": [],
 "picnic3_L5": [],
diff --git a/tests/constant_time/sig/issues/sphincs b/tests/constant_time/sig/issues/sphincs
new file mode 100644
index 000000000..14a18ee7a
--- /dev/null
+++ b/tests/constant_time/sig/issues/sphincs
@@ -0,0 +1,7 @@
+{
+ memcpy source and destination overlap see issue 1038
+ Memcheck:Overlap
+ fun:__GI_memcpy
+ fun:gen_chain
+ fun:PQCLEAN_SPHINCS*_CLEAN_wots_*
+}
diff --git a/tests/constant_time/sig/passes.json b/tests/constant_time/sig/passes.json
index 3629ce730..ad181c509 100644
--- a/tests/constant_time/sig/passes.json
+++ b/tests/constant_time/sig/passes.json
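Review bot: Every SPHINCS+ variant now maps to the single issue name `sphincs`, and because this JSON cannot carry comments that name is the only thing a reader of issues.json sees about why the variant is not clean. A name that states the finding, e.g. `"sphincs-memcpy-overlap"` with the file under issues/ renamed to match, would let a second, unrelated SPHINCS+ finding get its own file later instead of being appended to a generic one. The entries are otherwise consistent with the issues/sphincs file added in this commit, so this is naming only.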
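Review bot: `fun:__GI_memcpy` pins the suppression to glibc's internal alias for memcpy; memcheck substitutes its own memcpy replacement and the name it reports for that top frame varies across valgrind and libc versions, so on another toolchain the same overlap is reported unsuppressed and surfaces as an unclassified failure rather than the known issue. A wildcard such as `fun:*memcpy*` keeps the match while the `gen_chain` and `PQCLEAN_SPHINCS*_CLEAN_wots_*` frames below it still pin the location. The description could also state that this is a `Memcheck:Overlap` (overlapping memcpy arguments, undefined behaviour) rather than a secret-dependent branch, e.g. `memcpy source and destination overlap (memory-safety finding, not a timing leak) see issue 1038`, so the entry is not read as a constant-time result.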
@@ -1,11 +1,11 @@
 {
- "Dilithium2": ["dilithium", "dilithium-avx2"],
- "Dilithium3": ["dilithium", "dilithium-avx2"],
- "Dilithium5": ["dilithium", "dilithium-avx2"],
- "Dilithium2-AES": ["dilithium", "dilithium-avx2", "dilithium-aes-avx2"],
- "Dilithium3-AES": ["dilithium", "dilithium-avx2", "dilithium-aes-avx2"],
- "Dilithium5-AES": ["dilithium", "dilithium-avx2", "dilithium-aes-avx2"],
+ "Dilithium2": ["dilithium", "dilithium-avx2", "dilithium-aarch64"],
+ "Dilithium3": ["dilithium", "dilithium-avx2", "dilithium-aarch64"],
+ "Dilithium5": ["dilithium", "dilithium-avx2", "dilithium-aarch64"],
+ "Dilithium2-AES": ["dilithium", "dilithium-avx2", "dilithium-aarch64", "dilithium-aes-avx2"],
+ "Dilithium3-AES": ["dilithium", "dilithium-avx2", "dilithium-aarch64", "dilithium-aes-avx2"],
+ "Dilithium5-AES": ["dilithium", "dilithium-avx2", "dilithium-aarch64", "dilithium-aes-avx2"],
 "Falcon-1024": ["falcon_keygen", "falcon_sign"],
 "Falcon-512": ["falcon_keygen", "falcon_sign"],
 "Rainbow-I-Circumzenithal": ["rainbow"],
diff --git a/tests/constant_time/sig/passes/dilithium-aarch64 b/tests/constant_time/sig/passes/dilithium-aarch64
new file mode 100644
index 000000000..a02dfa2c4
--- /dev/null
+++ b/tests/constant_time/sig/passes/dilithium-aarch64
@@ -0,0 +1,48 @@
+{
+ Rejection sampling for uniformly distributed public A matrix
+ Memcheck:Cond
+ fun:rej_uniform
+ fun:PQCLEAN_DILITHIUM*_AARCH64_poly_uniformx2
+ fun:PQCLEAN_DILITHIUM*_AARCH64_polyvec_matrix_expand
+}
+{
+ Rejection sampling for s1 and s2
+ Memcheck:Cond
+ fun:rej_eta
+ fun:PQCLEAN_DILITHIUM*_AARCH64_poly_uniform_eta
+ fun:PQCLEAN_DILITHIUM*_AARCH64_polyvec*_uniform_eta
+ fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_keypair
+}
+{
+ Rejection sampling for challenge
+ Memcheck:Cond
+ fun:PQCLEAN_DILITHIUM*_AARCH64_poly_challenge
+ fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
+}
+{
+ Rejection sampling for challenge
+ Memcheck:Value8
+ fun:PQCLEAN_DILITHIUM*_AARCH64_poly_challenge
+ fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
+}
+{
+ Rejection sampling for signature distribution
+ Memcheck:Cond
+ ...
+ src:sign.c:153 # Call to polyvecl_chknorm
+ # fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
+}
+{
+ Rejection sampling for signature distribution
+ Memcheck:Cond
+ ...
+ src:sign.c:163 # Call to polyveck_chknorm
+ # fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
+}
+{
+ Hint does not need to be computed in constant time
+ Memcheck:Cond
+ ...
+ src:sign.c:176 # Call to polyveck_make_hint
+ # fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
+}
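Review bot: The three `src:sign.c:153` / `:163` / `:176` suppressions are keyed on a bare file name plus line number with the scoping `fun:` frame commented out, so any edit or upstream sync of the aarch64 `sign.c` shifts the lines and the suppressions silently stop matching, and a `Cond` at the same line in another Dilithium implementation's `sign.c` in this tree would be suppressed as well. Presumably the `fun:` line is disabled because the frame at `sign.c:NNN` is `crypto_sign_signature` itself, so the next frame would have to be its caller; if that caller's symbol is stable, adding it as a `fun:` line directly under each `src:` line narrows the match back to this implementation. At minimum record where the numbers came from, e.g. `# line numbers taken from the aarch64 sign.c at <upstream revision placeholder>; re-check after every sync` at the top of the file. This also assumes the suppression reader drops the trailing `# Call to ...` text on the `src:` lines, as the existing dilithium passes file referenced from passes.json presumably relies on; if it does not, those three patterns can never match, so confirm against that file.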