Make Dilithium pass constant-time validation

Tested with GCC[0] and Clang[1] on x86_64 in release builds:

- Declassify the signature before outputting it

- Declassify the public key before outputting it

- Some asserts need to be declassify_assert because they act on secret
  data.

- Rejection sampling is not actually vartime (good because it's run with
  secret inputs + outputs), but does need declassifications.

- Rejecting the signature is an intentional declassification. But also
  compute all the intermediate values with constant time functions and a
  value barrier (hidden inside the declassify call) because the compiler
  will otherwise leak which arm of the || fired.

- SampleInBall is... unclear. Declassify it for now, because the
  algorithm is only viable if this is safe to leak, but leave a TODO
  because we will need to follow-up with the Dilithium authors.

[0] gcc (Debian 13.2.0-10) 13.2.0
[1] clang version 19.0.0git (https://chromium.googlesource.com/a/external/github.com/llvm/llvm-project 315c88c5fbdb2b27cebf23c87fb502f7a567d84b)

Change-Id: I362e69bd3d1ea59fb0dbf35574e654c371061af6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/67747
Reviewed-by: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
2 files changed
tree: 390c01feb9ad756346033e263e29878a29ac5135
  1. .github/
  2. cmake/
  3. crypto/
  4. decrepit/
  5. fuzz/
  6. gen/
  7. include/
  8. pki/
  9. rust/
  10. ssl/
  11. third_party/
  12. tool/
  13. util/
  14. .bazelignore
  15. .bazelrc
  16. .clang-format
  17. .gitignore
  18. API-CONVENTIONS.md
  19. BREAKING-CHANGES.md
  20. BUILD.bazel
  21. build.json
  22. BUILDING.md
  23. CMakeLists.txt
  24. codereview.settings
  25. CONTRIBUTING.md
  26. FUZZING.md
  27. go.mod
  28. go.sum
  29. INCORPORATING.md
  30. LICENSE
  31. MODULE.bazel
  32. MODULE.bazel.lock
  33. PORTING.md
  34. PrivacyInfo.xcprivacy
  35. README.md
  36. SANDBOXING.md
  37. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

There are other files in this directory which might be helpful: