
The square-and-multiply algorithm used in bn256 is not constant time

Open · cgrigis opened this issue 4 years ago · 1 comment

Security Code Review finding:

A square-and-multiply algorithm without protection is not constant time and leaks information on the exponent. It is used in the following spots in kyber:

  • pairing/bn256/gfp.go on line 41
  • pairing/bn256/gfp12.go on line 175
  • pairing/bn256/twist.go on line 160

However, notice that it is mentioned in the code that currently only the Ed25519 Suite is constant time, so this is probably a known issue.

cgrigis, Sep 07 '20 16:09
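To make the finding concrete, here is an added example that is not kyber's code and does not touch bn256: a toy modular exponentiation over a small prime (the modulus `toyP` is an assumption chosen so products fit in `uint64`, not the bn256 field prime). `PowVarTime` is the unprotected square-and-multiply pattern the finding describes, where a multiplication happens only when an exponent bit is set; `PowLadder` is a Montgomery ladder that does the same multiply-and-square work on every iteration, walks all 64 bits regardless of the exponent's length, and picks operands with a masked swap instead of a branch. Both return how many multiplications they performed, which makes the leak visible: the first count equals the exponent's Hamming weight, the second is a constant.

```go
package main

import (
	"fmt"
	"math/bits"
)

// toyP is a small prime used as a stand-in field modulus so that every
// product of two residues fits in a uint64. It is an assumption of this
// example, not the bn256 field prime.
const toyP uint64 = 1000000007

// mulMod multiplies two residues. The focus of this example is the
// exponent-dependent control flow, not the reduction; a real field
// implementation would use Montgomery or Barrett reduction here.
func mulMod(a, b uint64) uint64 {
	return (a * b) % toyP
}

// PowVarTime is the unprotected square-and-multiply the issue describes.
// The multiply runs only when the current exponent bit is 1, so the branch
// pattern and the number of multiplications depend on the secret exponent,
// and the loop length leaks its bit length as well.
// It returns base^exp mod toyP and the number of multiplications done.
func PowVarTime(base, exp uint64) (uint64, int) {
	result := uint64(1)
	muls := 0
	for i := bits.Len64(exp) - 1; i >= 0; i-- {
		result = mulMod(result, result)
		if (exp>>uint(i))&1 == 1 { // secret-dependent branch
			result = mulMod(result, base)
			muls++
		}
	}
	return result, muls
}

// ctSwap swaps *a and *b when choice is 1 and leaves them alone when it is 0.
// choice must be 0 or 1; -choice is then 0 or all-ones, so no branch is needed.
func ctSwap(a, b *uint64, choice uint64) {
	mask := -choice
	t := (*a ^ *b) & mask
	*a ^= t
	*b ^= t
}

// PowLadder is a Montgomery ladder. Every iteration performs exactly one
// multiplication and one squaring, all 64 bits are processed whatever the
// exponent's actual length, and operand selection is done with ctSwap.
// Invariant: r1 == r0 * base at the start of each iteration.
// It returns base^exp mod toyP and the number of multiplications done.
func PowLadder(base, exp uint64) (uint64, int) {
	r0, r1 := uint64(1), base%toyP
	muls := 0
	for i := 63; i >= 0; i-- {
		b := (exp >> uint(i)) & 1
		ctSwap(&r0, &r1, b)
		r1 = mulMod(r0, r1)
		r0 = mulMod(r0, r0)
		muls++
		ctSwap(&r0, &r1, b)
	}
	return r0, muls
}

func main() {
	// Two exponents with the same bit length but different Hamming weight.
	for _, exp := range []uint64{0x81, 0xFF} {
		v, nv := PowVarTime(3, exp)
		l, nl := PowLadder(3, exp)
		fmt.Printf("exp=%#x var=%d (%d muls) ladder=%d (%d muls)\n", exp, v, nv, l, nl)
	}
}
```

Running it shows both functions agreeing on the result while the multiplication count of `PowVarTime` tracks the Hamming weight of the exponent (2 for `0x81`, 8 for `0xFF`) and `PowLadder` always reports 64. The ladder is only one piece of a constant-time implementation: the field multiplication, reduction and any table lookups must also be free of secret-dependent branches and memory accesses.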

Marked the issue as "won't fix", after analysis by @si-co, considering that (1) the issue is documented in the code and (2) we plan to deprecate BN256, based on https://moderncrypto.org/mail-archive/curves/2016/000740.html

pierluca, Dec 01 '22 13:12