)]}'
{
  "commit": "e7d76da920a1bd79b6ebc77e75b407cdf0a58962",
  "tree": "390c01feb9ad756346033e263e29878a29ac5135",
  "parents": [
    "3efe2eb9e3dfb49cb110c53e3430caeae4599f52"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Wed Apr 10 16:52:03 2024 -0400"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Thu May 09 16:28:31 2024 +0000"
  },
  "message": "Make Dilithium pass constant-time validation\n\nTested with GCC[0] and Clang[1] on x86_64 in release builds:\n\n- Declassify the signature before outputting it\n\n- Declassify the public key before outputting it\n\n- Some asserts need to be declassify_assert because they act on secret\n  data.\n\n- Rejection sampling is not actually vartime (good because it\u0027s run with\n  secret inputs + outputs), but does need declassifications.\n\n- Rejecting the signature is an intentional declassification. But also\n  compute all the intermediate values with constant time functions and a\n  value barrier (hidden inside the declassify call) because the compiler\n  will otherwise leak which arm of the || fired.\n\n- SampleInBall is... unclear. Declassify it for now, because the\n  algorithm is only viable if this is safe to leak, but leave a TODO\n  because we will need to follow-up with the Dilithium authors.\n\n[0] gcc (Debian 13.2.0-10) 13.2.0\n[1] clang version 19.0.0git (https://chromium.googlesource.com/a/external/github.com/llvm/llvm-project 315c88c5fbdb2b27cebf23c87fb502f7a567d84b)\n\nChange-Id: I362e69bd3d1ea59fb0dbf35574e654c371061af6\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/67747\nReviewed-by: Bob Beck \u003cbbe@google.com\u003e\nAuto-Submit: David Benjamin \u003cdavidben@google.com\u003e\nCommit-Queue: Bob Beck \u003cbbe@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "a709fcf2b0b0b1d93447f5e2ea6a13fca3ee8566",
      "old_mode": 33188,
      "old_path": "crypto/dilithium/dilithium.c",
      "new_id": "8247095105108ac8bc3dfe9decff64f0573761c9",
      "new_mode": 33188,
      "new_path": "crypto/dilithium/dilithium.c"
    },
    {
      "type": "modify",
      "old_id": "13631d142be7f11372d1bc9f7d5751d31dd73f68",
      "old_mode": 33188,
      "old_path": "crypto/dilithium/dilithium_test.cc",
      "new_id": "3918142ffb0f9c4c4c4d12d1e8e0d54294681946",
      "new_mode": 33188,
      "new_path": "crypto/dilithium/dilithium_test.cc"
    }
  ]
}