{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":704672776,"defaultBranch":"main","name":"curve25519-dalek","ownerLogin":"anza-xyz","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2023-10-13T19:36:54.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/142632002?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1721023200.0","currentOid":""},"activityList":{"items":[{"before":null,"after":"2f4f29ef9f2734b73ae92b51aeb16b2162d8cb6f","ref":"refs/heads/curve25519-4.x","pushedAt":"2024-07-15T06:00:00.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"yihau","name":"Yihau Chen","path":"/yihau","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8209234?s=80&v=4"},"commit":{"message":"don't use simd for solana os","shortMessageHtmlLink":"don't use simd for solana os"}},{"before":"ecda2f8036b6969c57184b631b79659e420e8d52","after":"0382b672560493840f453f2a0e24c4a129abd3a4","ref":"refs/heads/3.2.1-fix-audit","pushedAt":"2024-06-27T11:19:16.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"yihau","name":"Yihau Chen","path":"/yihau","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8209234?s=80&v=4"},"commit":{"message":"SECURITY: fix timing variability in backend/serial/u64/scalar.rs (#659)\n\nTiming variability of any kind is problematic when working with\npotentially secret values such as elliptic curve scalars, and such\nissues can potentially leak private keys and other secrets. Such a\nproblem was recently discovered in `curve25519-dalek`.\n\nThe `Scalar52::sub` function contained usage of a mask value inside of a\nloop where LLVM saw an opportunity to insert a branch instruction\n(`jns` on x86) to conditionally bypass this code section when the mask\nvalue is set to zero, as can be seen in godbolt:\n\nhttps://godbolt.org/z/PczYj7Pda\n\nA similar problem was recently discovered in the Kyber reference\nimplementation:\n\nhttps://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU/m/cnE3pbueBgAJ\n\nAs discussed on that thread, one portable solution, which is also used\nin this PR, is to introduce a volatile read as an optimization barrier,\nwhich prevents the compiler from optimizing it away.\n\nThe fix can be validated in godbolt here:\n\nhttps://godbolt.org/z/x8d46Yfah\n\nThe problem was discovered and the solution independently verified by\nAlexander Wagner <alexander.wagner@aisec.fraunhofer.de> and\nLea Themint <lea.thiemt@tum.de> using their DATA tool:\n\nhttps://github.com/Fraunhofer-AISEC/DATA\n\nCo-authored-by: Tony Arcieri <bascule@gmail.com>","shortMessageHtmlLink":"SECURITY: fix timing variability in backend/serial/u64/scalar.rs (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2360328197\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/659\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/659/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/659\">dal…</a>"}},{"before":null,"after":"ecda2f8036b6969c57184b631b79659e420e8d52","ref":"refs/heads/3.2.1-fix-audit","pushedAt":"2024-06-27T11:17:56.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"yihau","name":"Yihau Chen","path":"/yihau","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8209234?s=80&v=4"},"commit":{"message":"SECURITY: fix timing variability in backend/serial/u64/scalar.rs (#659)\n\nTiming variability of any kind is problematic when working with\npotentially secret values such as elliptic curve scalars, and such\nissues can potentially leak private keys and other secrets. Such a\nproblem was recently discovered in `curve25519-dalek`.\n\nThe `Scalar52::sub` function contained usage of a mask value inside of a\nloop where LLVM saw an opportunity to insert a branch instruction\n(`jns` on x86) to conditionally bypass this code section when the mask\nvalue is set to zero, as can be seen in godbolt:\n\nhttps://godbolt.org/z/PczYj7Pda\n\nA similar problem was recently discovered in the Kyber reference\nimplementation:\n\nhttps://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU/m/cnE3pbueBgAJ\n\nAs discussed on that thread, one portable solution, which is also used\nin this PR, is to introduce a volatile read as an optimization barrier,\nwhich prevents the compiler from optimizing it away.\n\nThe fix can be validated in godbolt here:\n\nhttps://godbolt.org/z/x8d46Yfah\n\nThe problem was discovered and the solution independently verified by\nAlexander Wagner <alexander.wagner@aisec.fraunhofer.de> and\nLea Themint <lea.thiemt@tum.de> using their DATA tool:\n\nhttps://github.com/Fraunhofer-AISEC/DATA\n\nCo-authored-by: Tony Arcieri <bascule@gmail.com>","shortMessageHtmlLink":"SECURITY: fix timing variability in backend/serial/u64/scalar.rs (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2360328197\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/659\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/659/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/659\">dal…</a>"}},{"before":"e6675c67ceadecc3e22b561296490f4b7de9ff39","after":"5b7082bbc8e0b2106ab0d956064f61fa0f393cdc","ref":"refs/heads/main","pushedAt":"2024-06-27T11:11:59.000Z","pushType":"push","commitsCount":33,"pusher":{"login":"yihau","name":"Yihau Chen","path":"/yihau","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8209234?s=80&v=4"},"commit":{"message":"curve: use `subtle::BlackBox` optimization barrier (#662)\n\nReplaces the security mitigation added in #659 and #661 for\r\nmasking-related timing variability which used an inline `black_box`\r\nusing the recently added `subtle::BlackBox` newtype (see\r\ndalek-cryptography/subtle#123)\r\n\r\nInternally `BlackBox` uses a volatile read by default (i.e. same\r\nstrategy which was used before) or when the `core_hint_black_box`\r\nfeature of `subtle` is enabled, it uses `core::hint::black_box`\r\n(whose documentation was recently updated to reflect the nuances of\r\npotential cryptographic use, see rust-lang/rust#126703)\r\n\r\nThis PR goes ahead and uses `BlackBox` for both `mask` and\r\n`underflow_mask` where previously it was only used on `underflow_mask`.\r\nThe general pattern of bitwise masking inside a loop seems worrisome for\r\nthe optimizer potentially inserting branches in the future.\r\n\r\nBelow are godbolt inspections of the generated assembly, which are free\r\nof the `jns` instructions originally spotted in #659/#661:\r\n\r\n- 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4\r\n- 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET\r\n- 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f\r\n- 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv","shortMessageHtmlLink":"curve: use <code>subtle::BlackBox</code> optimization barrier (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2364542134\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/662\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/662/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/662\">dalek-cryptograph…</a>"}},{"before":null,"after":"b500cdc2a920cd5bff9e2dd974d7b97349d61464","ref":"refs/heads/3.2.1-unpin-zeroize","pushedAt":"2023-10-21T01:18:41.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ilya-bobyr","name":"Illia Bobyr","path":"/ilya-bobyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/694419?s=80&v=4"},"commit":{"message":"Relax zeroize dependency and bump MSRV (#412)","shortMessageHtmlLink":"Relax zeroize dependency and bump MSRV (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1410805055\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/412\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/412/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/412\">dalek-cryptography#412</a>)"}},{"before":"b500cdc2a920cd5bff9e2dd974d7b97349d61464","after":null,"ref":"refs/heads/ilya-bobyr/3.2.1-unpin-zeroize","pushedAt":"2023-10-21T01:18:29.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ilya-bobyr","name":"Illia Bobyr","path":"/ilya-bobyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/694419?s=80&v=4"}},{"before":null,"after":"b500cdc2a920cd5bff9e2dd974d7b97349d61464","ref":"refs/heads/ilya-bobyr/3.2.1-unpin-zeroize","pushedAt":"2023-10-21T01:17:50.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ilya-bobyr","name":"Illia Bobyr","path":"/ilya-bobyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/694419?s=80&v=4"},"commit":{"message":"Relax zeroize dependency and bump MSRV (#412)","shortMessageHtmlLink":"Relax zeroize dependency and bump MSRV (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1410805055\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/412\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/412/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/412\">dalek-cryptography#412</a>)"}},{"before":null,"after":"90be4d9e3bba673b2c3ea9ccdff3d817be5a8fd1","ref":"refs/heads/release/3.2","pushedAt":"2023-10-21T01:15:57.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ilya-bobyr","name":"Illia Bobyr","path":"/ilya-bobyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/694419?s=80&v=4"},"commit":{"message":"Merge branch 'release/3.2.1' into release/3.2","shortMessageHtmlLink":"Merge branch 'release/3.2.1' into release/3.2"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"startCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wNy0xNVQwNjowMDowMC4wMDAwMDBazwAAAAR_Wknv","endCursor":"Y3Vyc29yOnYyOpK7MjAyMy0xMC0yMVQwMToxNTo1Ny4wMDAwMDBazwAAAAOcVSDB"}},"title":"Activity · anza-xyz/curve25519-dalek"}