> Kalyna is a Ukrainian block cipher with variable key and block sizes. It's 
>> now available in the library. The tracking issue and commits of 
>> interest are:
>>
>> * https://github.com/weidai11/cryptopp/issues/411
>> * https://github.com/weidai11/cryptopp/commit/a5c67cfdd6ad
>> * https://github.com/weidai11/cryptopp/commit/1d7dfc69274d
>>
>> It's our first attempt at variable block sizes, so it may have some rough 
>> edges.
>>
>> We also have a wiki page started at https://www.cryptopp.com/wiki/Kalyna. 
>> It's a work in progress.
>>
>
> I got to run the cryptest.sh last night on Kalyna. I have good news and 
> bad news...
>
> The good news is Kalyna is testing good on nearly every platform. The bad 
> news is, it failed on my 6th gen Skylake. The Skylake runs Fedora with GCC 
> 6.3.1, and it's known to be a little more rigid with respect to dotting i's 
> and crossing t's. For example, Red Hat will run memcpy's in reverse, which 
> breaks regular memcpy if the buffers overlap. Overlapping buffers are 
> usually undefined behavior, but other compilers and platforms are usually 
> more accommodating.
>
> I'm guessing I introduced some undefined behavior. I'll track down the 
> undefined behavior shortly.
>

Yeah, it was UB from the cache timing attack hardening (commit 
9cf9f4235d52). An out-of-bounds read was performed. Bad code which tries to 
access S[256] (from an array of S[4][256]):

    word32 u ...;
    // S is word64 S[4][256], so S+i advances i whole rows, not i bytes
    for (unsigned int i=0; i<256; i+=cacheLineSize)
        u &= *reinterpret_cast<const word32*>(KalynaTab::S+i);

Good code:

    word64 u ...;
    // p+i advances i bytes, so every read stays inside the table
    const byte* p = reinterpret_cast<const byte*>(KalynaTab::S);
    for (unsigned int i=0; i<256; i+=cacheLineSize)
        u &= *reinterpret_cast<const word64*>(p+i);

If anyone is interested, UBSan identified the problem. 'make ubsan' to the 
rescue!

Jeff
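The pointer arithmetic behind the bad and good loops above, as an added illustration that is not Crypto++ code. It uses a constructed stand-in for KalynaTab::S with the real table's shape (word64 S[4][256]) but made-up contents, assumes a 64-byte cache line, and never dereferences an out-of-range address: it only counts which iterations of each loop would land outside the table, then runs the byte-pointer version safely.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

typedef std::uint64_t word64;

// Constructed stand-in for KalynaTab::S: same shape as the real table,
// four S-boxes of 256 word64 entries each (8192 bytes total), filler contents.
static const std::size_t SBOX_ROWS = 4;
static const std::size_t SBOX_COLS = 256;
static word64 S[SBOX_ROWS][SBOX_COLS];
static const std::size_t S_BYTES = sizeof(S);

// Fill the stand-in with a recognisable pattern (constructed, not real S-box data).
static void fill_table() {
    for (std::size_t r = 0; r < SBOX_ROWS; ++r)
        for (std::size_t c = 0; c < SBOX_COLS; ++c)
            S[r][c] = (word64(0xFFFFFFFFFFFFFF00) | word64(c));
}

// Byte offset reached by `S + i`: S has type word64[4][256], so the pointer
// steps i whole rows of 256 word64 (i * 2048 bytes). This is the bad loop.
static std::size_t row_stride_offset(unsigned i) {
    return static_cast<std::size_t>(i) * sizeof(S[0]);
}

// Byte offset reached by `p + i` with p a byte pointer: i bytes. The good loop.
static std::size_t byte_stride_offset(unsigned i) {
    return static_cast<std::size_t>(i);
}

// How many iterations of `for (i = 0; i < 256; i += cacheLineSize)` would read
// readSize bytes past the end of the table. Pure bounds arithmetic, no memory
// access, so it is safe to evaluate for the buggy stride as well.
static unsigned count_out_of_bounds(std::size_t (*offset)(unsigned),
                                    unsigned cacheLineSize, std::size_t readSize) {
    unsigned bad = 0;
    for (unsigned i = 0; i < 256; i += cacheLineSize)
        if (offset(i) + readSize > S_BYTES)
            ++bad;
    return bad;
}

// The corrected table-touching loop: walk the first 256 bytes of the table at
// cache-line stride through a byte pointer. memcpy is used for the load so the
// read is well-defined regardless of alignment; the AND keeps the reads live.
static word64 touch_table(unsigned cacheLineSize, unsigned* touched) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(S);
    word64 u = ~word64(0);
    unsigned n = 0;
    for (unsigned i = 0; i < 256; i += cacheLineSize) {
        word64 v;
        std::memcpy(&v, p + i, sizeof v);
        u &= v;
        ++n;
    }
    if (touched)
        *touched = n;
    return u;
}

int main() {
    fill_table();
    const unsigned cacheLineSize = 64; // assumed for the illustration
    std::printf("bad loop: %u of %u reads out of bounds\n",
                count_out_of_bounds(row_stride_offset, cacheLineSize, sizeof(std::uint32_t)),
                256 / cacheLineSize);
    std::printf("good loop: %u reads out of bounds\n",
                count_out_of_bounds(byte_stride_offset, cacheLineSize, sizeof(word64)));
    unsigned n = 0;
    word64 u = touch_table(cacheLineSize, &n);
    std::printf("touched %u lines, u = 0x%016llx\n", n, (unsigned long long)u);
    return 0;
}
```

With a 64-byte line the bad stride reaches offset 0 on the first iteration and 131072, 262144 and 393216 bytes on the next three, all far past the 8192-byte table, which is exactly the read UBSan flags; the byte stride reaches offsets 0, 64, 128 and 192 and stays inside S[0].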
