Make poly_chknorm constant flow #2788
Merged
+44
−28
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
dkostic
reviewed
Oct 30, 2025
Comment on lines
232
to
235
| /* Reference: Leaks which polynomial violates the bound via a conditional. | ||
| * We are more conservative to reduce the number of declassifications in | ||
| * constant-time testing. | ||
| */ |
Contributor
There was a problem hiding this comment.
Suggested change
| /* Reference: Leaks which polynomial violates the bound via a conditional. | |
| * We are more conservative to reduce the number of declassifications in | |
| * constant-time testing. | |
| */ |
dkostic
reviewed
Oct 30, 2025
|
|
||
| /* FIPS 204: Algorithm 7 line 23 - Reject if either check fails (constant-time to avoid leaking | ||
| which check failed) */ | ||
| if(z_invalid | w0_invalid) { |
Contributor
There was a problem hiding this comment.
I think the compiler can turn this into non-CT code, please use an appropriate constant_time_* function to get the branch condition.
Collaborator
Author
There was a problem hiding this comment.
Removed this check, added documentation and references to https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf section 5.5
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2788 +/- ##
==========================================
+ Coverage 78.42% 78.60% +0.18%
==========================================
Files 683 683
Lines 116283 116287 +4
Branches 16404 16407 +3
==========================================
+ Hits 91194 91409 +215
+ Misses 24213 24002 -211
Partials 876 876 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Comment on lines
262
to
264
| /* FIPS 204: Algorithm 7 line 23 - Reject if either check fails (constant-time to avoid leaking | ||
| which check failed) */ | ||
| if(z_invalid | w0_invalid) { |
Contributor
There was a problem hiding this comment.
Similar comment as above. We may want to harden this as defense-in-depth, but separate checks are OK from all we know -- and what is explicitly stated in 5.5 of https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf -- so the comment should be changed.
hanno-becker
suggested changes
Oct 31, 2025
Contributor
hanno-becker
left a comment
hanno-becker
left a comment
There was a problem hiding this comment.
I'm fine with defense-in-depth hardening of poly_chknorm as already done in mldsa-native, but we should change the comment so it's not suggested that the implementation would be insecure otherwise.
I have reservations towards consolidating the validity checks. As mentioned in the comments, they too are explicitly documented in the Dilithium documentation as safe to be performed separately, and merging them comes at a meaningful performance penalty (~5%); see the test PR pq-code-package/mldsa-native#572.
This reverts commit 5790986.
dkostic
approved these changes
Nov 4, 2025
torben-hansen
approved these changes
Nov 7, 2025
justsmth
added a commit
that referenced
this pull request
Nov 11, 2025
### Description of changes: Prepare release v1.64.0. ### What's Changed * Update max polyz value by @jakemas in #2787 * ECR Repositories for Android and Formal Verification Images by @skmcgrail in #2794 * Support more "openssl rsa" options by @justsmth in #2777 * Remove python codebuild patches by @WillChilds-Klein in #2793 * Additional options for "openssl c_client" by @justsmth in #2791 * GitHub-based Formal Verification Image Build by @skmcgrail in #2796 * Use C++11 atomics to update session stats by @justsmth in #2786 * Support "openssl dhparam" by @justsmth in #2790 * Add scrutinice pull permissions for aws-lc/amazonlinux repository by @skmcgrail in #2799 * Use GitHub-based Verification Images by @skmcgrail in #2798 * Remove dead code by @torben-hansen in #2797 * Rename snapsafe to VM UBE by @torben-hansen in #2800 * Bump MySQL version tag to 9.5.0 by @samuel40791765 in #2768 * Migrate to macos-15-intel by @samuel40791765 in #2802 * Use right compiler with ruby CI by @samuel40791765 in #2801 * Migrate analytics job to be GitHub triggered by @skmcgrail in #2779 * Support NetBSD by @justsmth in #2754 * Make poly_chknorm constant flow by @jakemas in #2788 * Rename fork to fork UBE by @torben-hansen in #2803 * Extend grv asan timeout for Golang to allow completion by @torben-hansen in #2805 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
sgmenda-aws
pushed a commit
to sgmenda-aws/aws-lc
that referenced
this pull request
Nov 11, 2025
### Description of changes: Prepare release v1.64.0. ### What's Changed * Update max polyz value by @jakemas in aws#2787 * ECR Repositories for Android and Formal Verification Images by @skmcgrail in aws#2794 * Support more "openssl rsa" options by @justsmth in aws#2777 * Remove python codebuild patches by @WillChilds-Klein in aws#2793 * Additional options for "openssl c_client" by @justsmth in aws#2791 * GitHub-based Formal Verification Image Build by @skmcgrail in aws#2796 * Use C++11 atomics to update session stats by @justsmth in aws#2786 * Support "openssl dhparam" by @justsmth in aws#2790 * Add scrutinice pull permissions for aws-lc/amazonlinux repository by @skmcgrail in aws#2799 * Use GitHub-based Verification Images by @skmcgrail in aws#2798 * Remove dead code by @torben-hansen in aws#2797 * Rename snapsafe to VM UBE by @torben-hansen in aws#2800 * Bump MySQL version tag to 9.5.0 by @samuel40791765 in aws#2768 * Migrate to macos-15-intel by @samuel40791765 in aws#2802 * Use right compiler with ruby CI by @samuel40791765 in aws#2801 * Migrate analytics job to be GitHub triggered by @skmcgrail in aws#2779 * Support NetBSD by @justsmth in aws#2754 * Make poly_chknorm constant flow by @jakemas in aws#2788 * Rename fork to fork UBE by @torben-hansen in aws#2803 * Extend grv asan timeout for Golang to allow completion by @torben-hansen in aws#2805 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
Resolves #V1982530715 and #V1982532566
Description of changes:
The reference implementation implements
poly_chknormin variables time. It argues that while the input coefficients itself are secret in some call sites, it is okay to leak which coefficient lead to rejection. It, hence, does absolute value computation in constant-time and then checks the bound using a conditional.This approach appears safe, but somewhat unclean as it is still operating on secret data. When performing constant-time testing it also requires a number of declassifications.
This commit takes a more conservative approach and changes
poly_chknormto a constant-time implementation in the hope that the performance penalty is acceptable.A minor change is that the API of
poly_chknormis changed to returning0xFFFFFFFFin the case of failure to be able to re-use existing constant-time primitives.Call-outs:
PR source adapted from: Upstream PR in pq-code-package/mldsa-native#392.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.