
Zeroize sensitive data

Open cuongng007 opened this issue 1 year ago • 1 comments

  • Set private information to 0 in Kyber encapsulation/decapsulation (https://github.com/pq-crystals/kyber/commit/914f2504c8783ded5596c034f15fbebd77756016): Kyber encapsulation/decapsulation encrypts using a random seed from the system; that seed is expanded into the byte array buf, which is later operated on to generate the random material of the byte array kr that is later used to generate the shared secret. This information can be used to generate the shared secret if leaked, so it needs to be zeroized immediately after the last usage.

  • Set private information buffers to 0 in key generation (https://github.com/pq-crystals/kyber/commit/527a9171f75b55c42f8ff73da7643741909f1949): The variable buf contains the seeds to generate the private key. If at least the second half of the array is not zeroized, the private key information is kept on the machine until the stack overwrites it. Given that the code does not initialize the other arrays to 0 on declaration either, the key can be preserved in memory for a longer time. If any call aborted the execution, the secret information would be kept in memory.

  • Set private key structure to zero after serialization (https://github.com/pq-crystals/kyber/commit/0f15a0d8ae162e30dbca01f13a4879ff4ea6df7b): The secret key is serialized, but the memory holding the private information is not cleaned afterwards. The private key information stays in memory, and we rely on the system to do the job of reassigning it. Given that the code does not zeroize the arrays on declaration, it makes it easier to access the information.

  • Set private key structure to zero after decryption (https://github.com/pq-crystals/kyber/commit/26c847faf0bbb8ec4efa5adb7834189b7fbc419a): The secret key is deserialized into memory to compute the decryption, so at that point there is a copy of the private key. After running the decryption operation, the private key information stays in memory, and we rely on the system to do the job of reassigning it. Given that the code does not zeroize the arrays on declaration, it makes it easier to access the information.

cuongng007, Jul 07 '23 08:07
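The pattern the issue asks for, as an added example that is not the pq-crystals code or the linked commits: a zeroize helper the optimizer cannot treat as a dead store, applied to a stack buffer laid out like the keygen buf (public seed in the first half, secret seed in the second). The helper name, the XOR "expansion" standing in for the hash, and the seed values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SYMBYTES 32   /* Kyber's seed and hash-output length */

/* Hypothetical helper, not pq-crystals code. A plain memset() on a buffer
 * that is never read again is a dead store the optimizer may delete; calling
 * memset through a volatile function pointer forces a real call, and the empty
 * asm with a "memory" clobber keeps the cleared bytes observable (GCC/Clang). */
static void *(*volatile memset_v)(void *, int, size_t) = memset;

static void kyber_zeroize(void *p, size_t n)
{
    memset_v(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

static int all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;                      /* OR-accumulate: no early exit */
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Constructed stand-in for the keygen pattern described in the issue: buf
 * holds the public seed in its first half and the secret seed in its second
 * half (the XOR below replaces the real hash and is constructed). Only the
 * public half may leave the function; returns 1 when buf was fully cleared. */
static int keygen_like(const uint8_t seed[SYMBYTES], uint8_t pub_out[SYMBYTES])
{
    uint8_t buf[2 * SYMBYTES];
    memcpy(buf, seed, SYMBYTES);
    for (size_t i = 0; i < SYMBYTES; i++)
        buf[SYMBYTES + i] = (uint8_t)(seed[i] ^ 0xA5);
    memcpy(pub_out, buf, SYMBYTES);
    kyber_zeroize(buf, sizeof buf);       /* last use of the secret half */
    return all_zero(buf, sizeof buf);
}

int main(void)
{
    uint8_t seed[SYMBYTES], pub[SYMBYTES];
    for (size_t i = 0; i < SYMBYTES; i++) seed[i] = (uint8_t)i; /* constructed */
    printf("buffer cleared: %s\n", keygen_like(seed, pub) ? "yes" : "no");
    return 0;
}
```

This clears only what the function itself owns; copies the compiler spilled to registers or other stack slots, and buffers in callers, are outside its reach.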

I'd be very hesitant to accept this PR, because it attempts to accomplish something that is not possible to accomplish systematically at this level. See, e.g., our recent paper on systematic zeroization at https://eprint.iacr.org/2023/1713. I'd be more comfortable to clearly state that this implementation does not attempt to zeroize any data and leave the responsibility to the caller.

cryptojedi, Jan 31 '24 12:01