Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add bitflip test for trivial SUF-CMA forgeries #2090

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

Add bitflip test for trivial SUF-CMA forgeries #2090

wants to merge 13 commits into from

Conversation

rtjk
Copy link
Contributor

@rtjk rtjk commented Feb 27, 2025

This pull request adds a test against trivial SUF-CMA forgeries in signature schemes: for every bit of the signature, flip it and ensure that the verification fails.

As discussed in #1999.

  • Does this PR change the input/output behaviour of a cryptographic algorithm (i.e., does it change known answer test values)? (If so, a version bump will be required from x.y.z to x.(y+1).0.)
  • Does this PR change the list of algorithms available -- either adding, removing, or renaming? Does this PR otherwise change an API? (If so, PRs in fully supported downstream projects dependent on these, i.e., oqs-provider will also need to be ready for review and merge by the time this is merged.)

@rtjk
Copy link
Contributor Author

rtjk commented Feb 27, 2025

A couple of concerns from this initial draft:

  • flipping every single bit like this results in a significant slowdown of test_sig.c, on my Skylake laptop it went from basically instantaneous to taking 2 minutes for a single signature (tested with cross-rsdp-128-balanced)

  • ideally we would test only signatures declared as SUF-CMA, should we add bool suf_cma the OQS_SIG struct? Or maybe replace bool euf_cma with an enum specifying the claimed security?

Tagging @dstebila and @SWilson4 for feedback on this.

@SWilson4
Copy link
Member

A couple of concerns from this initial draft:

* flipping every single bit like this results in a significant slowdown of `test_sig.c`, on my Skylake laptop it went from basically instantaneous to taking 2 minutes for a single signature (tested with cross-rsdp-128-balanced)

I think it would suffice to select an index at random and flip that bit. In the event of a failure we'll want to output the bit index that triggered the error. Maybe we could make the number of iterations customizable via a command-line flag. That would allow us to do a minimal number of iterations in the standard CI tests but perhaps do more in the scheduled weekly runs.

* ideally we would test only signatures declared as SUF-CMA, should we add `bool suf_cma` the OQS_SIG struct? Or maybe replace `bool euf_cma` with an enum specifying the claimed security?

Fine by me to replace the boolean with an enum.

@dstebila
Copy link
Member 

* flipping every single bit like this results in a significant slowdown of `test_sig.c`, on my Skylake laptop it went from basically instantaneous to taking 2 minutes for a single signature (tested with cross-rsdp-128-balanced)

Ouch. Before thinking thoroughly about, in mind signatures are short (few hundred bits) so it's "only" a factor of a few hundred, but of course PQ signatures are much longer, and so it's a factor of several thousand at least. Yeah, that's now a pain point. Sorry for setting you down the wrong track.

I think Spencer's suggestion of a command-line argument would be a good compromise.

* ideally we would test only signatures declared as SUF-CMA, should we add `bool suf_cma` the OQS_SIG struct? Or maybe replace `bool euf_cma` with an enum specifying the claimed security?

I think recording this in the OQS_SIG struct would make sense; for backwards compatibility, I'd go with introducing a new bool rather than changing the name/behaviour of the existing flag.

@SWilson4 SWilson4 linked an issue Feb 27, 2025 that may be closed by this pull request
Strengthen signature verification failure tests #1999
Open
rtjk added 4 commits March 4, 2025 08:31
@rtjk
add bitflip test to test_sig.c
56e6ab1 
Signed-off-by: rtjk <[email protected]>

Signed-off-by: rtjk <[email protected]>
@rtjk
format code
fb8835c 
Signed-off-by: rtjk <[email protected]>

Signed-off-by: rtjk <[email protected]>
@rtjk
- add sig->suf_cma
c0daec5 
- add command-line argument to test_sig.c (the number of bitflips)
- update CROSS upstream to SUF-CMA
Signed-off-by: rtjk <[email protected]>

Signed-off-by: rtjk <[email protected]>
@rtjk
%d to %ld for size_t bitflips
e937e3b 
Signed-off-by: rtjk <[email protected]>
@rtjk rtjk force-pushed the add-bitflip-test branch from 9bf3def to e937e3b Compare March 4, 2025 07:32
@rtjk rtjk force-pushed the add-bitflip-test branch from 23091fd to b0e32ba Compare March 4, 2025 08:17
rtjk added 2 commits March 6, 2025 16:18
@rtjk
update bitflip tests:
305cbca 
- revert CROSS to EUF-CMA
- add test_bitflip_message
- exclude stateful signatures for now
Signed-off-by: rtjk <[email protected]>
@rtjk
remove bitflips_as_str in printf
dba9478 
Signed-off-by: rtjk <[email protected]>
@rtjk rtjk mentioned this pull request Mar 6, 2025
Open
@rtjk rtjk marked this pull request as ready for review March 7, 2025 13:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dstebila dstebila dstebila approved these changes

@ashman-p ashman-p Awaiting requested review from ashman-p ashman-p is a code owner

@cothan cothan Awaiting requested review from cothan cothan is a code owner

@bhess bhess Awaiting requested review from bhess bhess is a code owner

@alexrow alexrow Awaiting requested review from alexrow alexrow is a code owner

@baentsch baentsch Awaiting requested review from baentsch baentsch is a code owner

@praveksharma praveksharma Awaiting requested review from praveksharma praveksharma is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Strengthen signature verification failure tests
3 participants
@rtjk @SWilson4 @dstebila