side_channels: Add SLH DSA report #238

Open
wants to merge 11 commits into
base: main
aewag
Collaborator

@aewag aewag commented Oct 11, 2024

No description provided.

@reneme reneme added this to the Botan 3.6.0 milestone Oct 22, 2024
@reneme reneme force-pushed the aisec/sca/slh-dsa branch from a1ce11e to d9fac0c Compare October 29, 2024 14:32
@reneme reneme changed the base branch from release/3.5.0 to main October 29, 2024 14:33
@reneme
Collaborator

reneme commented Oct 29, 2024

@aewag I rebased this draft to the current main branch and re-targeted the pull request onto main as well. Please be aware when you continue working on this.

Also, I fixed a few minor things and used the :srcref: extension in explicit commits.

@reneme reneme force-pushed the aisec/sca/slh-dsa branch from d9fac0c to 3b7dd03 Compare October 29, 2024 15:20
@reneme reneme mentioned this pull request Oct 29, 2024
@falsecurity falsecurity marked this pull request as ready for review November 18, 2024 02:07
@FAlbertDev FAlbertDev self-requested a review November 18, 2024 14:08

Analysed variants:

- SphincsPlus-sha2-128s-r3.1, deterministic
Collaborator

Maybe we want to test the instance SLH-DSA-SHA2-128s instead. Both share ~99% of the code, but SphincsPlus-sha2-128s-r3.1 is the legacy SPHINCS+ support, while SLH-DSA-SHA2-128s is the final SLH-DSA standard. While I don't think we miss any side-channels when testing only the legacy mode, it looks better on paper with SLH-DSA. Do you think you can execute DATA once with the SLH-DSA instance and quickly verify it, or does it take too much time?

Collaborator Author

Thanks for the hint, will do! 👍

Collaborator

@FAlbertDev FAlbertDev left a comment

Looks good to me! I've mainly got some en-US vs. en-GB remarks. The execution difference description sounds sensible 👍 Thanks!

docs/audit_report/src/side_channels/01_04_slh_dsa.rst (Outdated)
The `treehash` routine detects during execution whether the currently calculated node must be added to the authentication data (:srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sp_treehash.cpp:64|internal_leaf`).
If this is the case, a condition in the programme flow is fulfilled and the programme execution is changed.
This control flow difference is indicated by DATA.
The difference is not critical because the values of the nodes within these Merkle trees are public.
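Review bot: The second sentence ("a condition in the programme flow is fulfilled and the programme execution is changed") does not say which branch is meant or what it does. Say directly that the branch at the referenced internal_leaf location is taken only when the current node is added to the authentication data, so what the trace exposes is which node that is. The last sentence then needs to argue that this position is not secret; as written it only argues that the node values are public.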
Collaborator

I think the argument is instead: The information about which nodes are part of the authentication path is public. The node values aren't leaked, are they?

Collaborator Author

You are right that it is observable which nodes are part of the authentication path. I will clarify this.

Just as a note: In the treehash routine both (i) which nodes are used and (ii) the values themselves are public data.
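The point discussed in this thread, as an added example that is not Botan's `sp_treehash.cpp` and not part of the pull request: a toy stack-based treehash that records the outcome of the authentication-path branch for every computed node, so the trace can be compared across different secret seeds. `toy_hash`, `Result`, `treehash` and `root_from_path` are hypothetical names, and `toy_hash` is a non-cryptographic stand-in for the tweakable hash.

```cpp
#include <cstdint>
#include <utility>
#include <vector>

// Stand-in for the tweakable hash (assumption, not SHA-2); bijective in `a`.
static uint64_t toy_hash(uint64_t a, uint64_t b) {
    uint64_t x = (a * 0x9E3779B97F4A7C15ULL) ^ (b + 0xD1B54A32D192ED03ULL);
    x ^= x >> 32; x *= 0xBF58476D1CE4E5B9ULL;
    return x ^ (x >> 29);
}

struct Result {
    uint64_t root;
    std::vector<uint64_t> auth_path;  // sibling values, one per tree level
    std::vector<bool> branch_trace;   // auth-path branch outcome per computed node
};

// Toy treehash (not Botan's): leaves derive from secret `seed`; `leaf_idx` is public.
Result treehash(uint64_t seed, uint32_t h, uint32_t leaf_idx) {
    Result r{0, std::vector<uint64_t>(h), {}};
    std::vector<std::pair<uint64_t, uint32_t>> stack;  // (node value, height)
    for (uint32_t i = 0; i < (1u << h); ++i) {
        uint64_t node = toy_hash(seed, i);
        for (uint32_t height = 0, idx = i;; ++height, idx >>= 1) {
            // The branch a trace tool sees: is this node a sibling of the signing path?
            bool on_path = height < h && ((leaf_idx >> height) ^ 1u) == idx;
            r.branch_trace.push_back(on_path);
            if (on_path) r.auth_path[height] = node;
            if (stack.empty() || stack.back().second != height) {
                stack.emplace_back(node, height);
                break;
            }
            node = toy_hash(stack.back().first, node);  // parent = H(left, right)
            stack.pop_back();
        }
    }
    r.root = stack.back().first;
    return r;
}

// Verifier side: recompute the root from the leaf and its authentication path.
uint64_t root_from_path(uint64_t leaf, uint32_t leaf_idx, const std::vector<uint64_t>& path) {
    for (uint32_t k = 0; k < path.size(); ++k)
        leaf = ((leaf_idx >> k) & 1u) ? toy_hash(path[k], leaf) : toy_hash(leaf, path[k]);
    return leaf;
}

int main() {  // constructed inputs: two secret seeds, same public leaf index
    return treehash(1, 3, 5).branch_trace == treehash(2, 3, 5).branch_trace ? 0 : 1;
}
```

The branch condition reads only `leaf_idx`, `height` and `idx`, so the trace changes with the leaf index but not with the seed.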
