Secret Independence for ML-KEM and ML-DSA #453

karthikbhargavan · 2024-07-30T11:56:31Z

We need to prove secret-independence for the code in libcrux-ml-kem and libcrux-ml-dsa
This will require merging some ongoing work in https://github.com/hacspec/hax/tree/karthik/secret-integers

karthikbhargavan · 2024-09-09T05:23:50Z

We never got around to doing this.

franziskuskiefer · 2024-09-16T07:48:54Z

karthikbhargavan · 2024-10-11T06:42:54Z

I have created a new branch: https://github.com/cryspen/libcrux/tree/libcrux-secret-independence/libcrux-ml-kem
The secret independence (aka secret integers) crate is now here: https://github.com/cryspen/libcrux/tree/libcrux-secret-independence/libcrux-secret-independence
I extended libcrux-intrinsics to support secret-independent SIMD instructions: use avx2_secret and neon_secret modules to get the secret independent versions
This branch uses secret integers throughout libcrux-sha3, which is proved to be secret independent (yay!)
Now all SHA-3 functions expect &[U8] and produce arrays of [U8]
I propagated the use of SHA-3 throughout libcrux, resulting in changes to ML-KEM and ML-DSA
For now the pattern for using SHA-3 is: first classify the input, call SHA-3, then declassify the output
As more code becomes secret independent, we can move this classification dance higher and higher till it only applies to user inputs and outputs
There is some bug in psq that seems unrelated and needs fixing.
I did not propagate the changes to the old Kyber code yet.

karthikbhargavan mentioned this issue Jul 30, 2024

Formally Verify ML-KEM (Portable + AVX2) #454

Closed

29 tasks

karthikbhargavan changed the title ~~Secret Independence for libcrux-ml-kem~~ Secret Independence for ML-KEM and ML-DSA Sep 16, 2024

karthikbhargavan assigned karthikbhargavan and W95Psp Sep 16, 2024

franziskuskiefer unassigned W95Psp Oct 8, 2024

Provide feedback