liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms.
Impact
A control-flow timing leak has been identified in the reference implementation of the Kyber key encapsulation mechanism when it is compiled with Clang 15-18 for -Os, -O1, and other compilation options. A proof-of-concept local attack on the reference implementation leaks the entire ML-KEM 512 secret key in ~10 minutes using end-to-end decapsulation timing measurements.
Patches
Fixed in liboqs version 0.10.1 and on the main branch of liboqs on GitHub.
Workarounds
Some compiler options may produce vectorized code that does not leak secret information; however, relying on those compiler options as a workaround is not reliable, since the generated code depends on the compiler version and on the full set of flags in use.
Further details
The function poly_frommsg produces a polynomial based on the bits of the message m. Given that m is sensitive in both the encapsulation and decapsulation procedures, it is crucial that the implementation does not leak the bits of m through timing. Despite the source-level mitigations in poly_frommsg (a 0/-1 mask ANDed with a constant instead of an explicit conditional), the latest generations of Clang recognize that the code essentially performs a bit test and produce a secret-dependent branch for several compiler options.
The following compiler options, when used with Clang 15, 16, 17, and 18 on x86, produce a branch:
-Os
-O1
-O2 -fno-vectorize
-O3 -fno-vectorize
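The following is an added illustration, not liboqs code or the exact upstream patch: a standalone poly_frommsg written in the reference style (mask-and-AND) next to a variant that routes the selection through a small cmov_int16 helper with an empty asm statement that hides the 0/1 range of the selector bit from the optimizer. The ML-KEM parameters (q = 3329, n = 256) are real; the function names, the helper, and the claim that the barrier keeps a given Clang version from reintroducing the branch are assumptions that must be confirmed on the generated assembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Illustrative example, not liboqs code. ML-KEM parameters: */
#define KYBER_Q 3329
#define KYBER_N 256
#define KYBER_INDCPA_MSGBYTES (KYBER_N / 8)
#define HALF_Q ((KYBER_Q + 1) / 2)   /* 1665: coefficient that encodes a 1-bit */

/* Reference-style pattern: a 0/-1 mask ANDed with HALF_Q. Arithmetically
 * branch-free at source level, but Clang 15-18 at -Os/-O1 can see that
 * mask is 0 or -1 and lower this to a bit test plus a conditional jump. */
void poly_frommsg_ref(int16_t coeffs[KYBER_N],
                      const uint8_t msg[KYBER_INDCPA_MSGBYTES])
{
    for (size_t i = 0; i < KYBER_N / 8; i++) {
        for (size_t j = 0; j < 8; j++) {
            int16_t mask = -(int16_t)((msg[i] >> j) & 1);
            coeffs[8 * i + j] = mask & HALF_Q;
        }
    }
}

/* Hardened variant (assumed mitigation): an empty asm statement claims to
 * modify b, so the optimizer can no longer prove b is 0/1-valued and
 * rewrite the XOR/AND select as a branch. Verify on the assembly. */
static void cmov_int16(int16_t *r, int16_t v, uint16_t b)
{
#if defined(__GNUC__) || defined(__clang__)
    __asm__("" : "+r"(b));
#endif
    b = -b;                   /* 0x0000 or 0xFFFF */
    *r ^= b & ((*r) ^ v);     /* *r = b ? v : *r, without a conditional */
}

void poly_frommsg_ct(int16_t coeffs[KYBER_N],
                     const uint8_t msg[KYBER_INDCPA_MSGBYTES])
{
    for (size_t i = 0; i < KYBER_N / 8; i++) {
        for (size_t j = 0; j < 8; j++) {
            coeffs[8 * i + j] = 0;
            cmov_int16(&coeffs[8 * i + j], HALF_Q, (msg[i] >> j) & 1);
        }
    }
}

/* Functional check on a constructed message: both variants must agree and
 * every coefficient must be exactly 0 or HALF_Q. Returns 1 on success. */
int frommsg_variants_agree(void)
{
    uint8_t msg[KYBER_INDCPA_MSGBYTES];
    for (size_t i = 0; i < sizeof msg; i++)
        msg[i] = (uint8_t)(0xA5 ^ (i * 37));   /* constructed test input */

    int16_t a[KYBER_N], b[KYBER_N];
    poly_frommsg_ref(a, msg);
    poly_frommsg_ct(b, msg);
    if (memcmp(a, b, sizeof a) != 0)
        return 0;
    for (size_t k = 0; k < KYBER_N; k++) {
        int bit = (msg[k / 8] >> (k % 8)) & 1;
        if (a[k] != (bit ? HALF_Q : 0))
            return 0;
    }
    return 1;
}
```

Functional equivalence says nothing about timing, so the check that matters is on the object code: compile with each flag set from the list above (for example `clang-17 -Os -S -o - example.c`) and inspect the body of each poly_frommsg variant for conditional jumps (`je`, `jne`, `jz`, `jnz`) whose condition derives from a message byte. A clean listing for one compiler version and flag set is evidence only for that combination; re-run the check whenever the compiler or flags change.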
Credits
The vulnerability was identified by Antoon Purnal (PQShield). A patch was developed by Peter Schwabe (MPI-SP).