Security Notes

This page documents the security-relevant updates and enhancements in each release of the cuPQC library: security descriptions of newly introduced algorithms, their implementation details, and any potential security considerations. Users are encouraged to review these notes carefully to understand the security implications of each update and to ensure the secure use of the library in their applications.

0.4.0

In this release, we introduce Poseidon2-BabyBear in two variants, with state widths 16 and 24. In a Poseidon2 implementation, the diffusion matrix and the round constants can be selected using various generation methods, and this choice affects the security of the algorithm. For this release, we used the values from Plonky3. As a newly proposed cryptographic algorithm, the security of Poseidon2-BabyBear depends significantly on these selected parameters.

Although we have implemented this algorithm carefully, we cannot guarantee its security. Users should remain aware of the potential risks of using it and carefully evaluate the algorithm's suitability for their specific use case.

0.2.0

In this release, we focused on identifying and mitigating potential side-channel vulnerabilities and on maintaining a current survey of known attacks on the PQC algorithms ML-KEM and ML-DSA. Key points from our investigation include:

  • Testing conducted using Machine Learning assisted Side-Channel Analysis (MLSCA):

    • Profiles GPU hardware performance counters from CUDA kernels.

    • Feeds the traces to pre-trained ML models that detect leakage patterns (memory access, computational load, or branch behavior) indicative of microarchitectural attacks.

  • cuPQC code showed some variation in execution flow and memory accesses, but no side-channel leakage exploitable by known attacks was detected.

  • The KyberSlash vulnerability is mitigated: the affected operation executes in constant time as a result of compiler optimizations.

  • “Memory access pattern” leakage in the NTT functions was attributed to execution variations rather than secret dependence; no known exploits were identified.
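The KyberSlash point above concerns a division by q in ML-KEM's compression step whose timing depends on how the compiler lowers it. The following C example is added here and is not cuPQC code: rather than relying on compiler optimizations, it places the reference-style division beside an explicit multiply-and-shift replacement (multiplier and offset chosen for q = 3329; they are verified exhaustively by the code, not taken from the page) and confirms that the two agree on every coefficient, which is the check a maintainer would want before shipping the replacement.

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Reference-style compression of a coefficient to d = 4 bits: round(16x/q) mod 16.
 * The '/ KYBER_Q' is the operation behind KyberSlash; whether it runs in constant
 * time depends on how the compiler lowers a division by a constant. */
static uint16_t compress4_division(uint16_t x)
{
    return (uint16_t)(((((uint32_t)x << 4) + KYBER_Q / 2) / KYBER_Q) & 15);
}

/* Division replaced by a multiply-and-shift approximation of 1/q: 80635 / 2^28
 * lies just below 1/3329 and the +1665 offset (q/2 rounded up) compensates.
 * The product can exceed 2^32 for large inputs, but the wrap-around is a
 * multiple of 2^32 = 16 * 2^28 and only affects bits that '& 0xf' discards. */
static uint16_t compress4_ct(uint16_t x)
{
    uint32_t d = ((uint32_t)x << 4) + 1665;
    d *= 80635;
    return (uint16_t)((d >> 28) & 0xf);
}

/* Same pair for the 1-bit compression used when recovering the message. */
static uint16_t compress1_division(uint16_t x) { return (uint16_t)(((((uint32_t)x << 1) + KYBER_Q / 2) / KYBER_Q) & 1); }
static uint16_t compress1_ct(uint16_t x) { uint32_t d = (((uint32_t)x << 1) + 1665) * 80635; return (uint16_t)((d >> 28) & 1); }

/* Exhaustive equivalence check over the coefficient domain [0, q). Returns the
 * number of mismatches; 0 means the constant-time versions are drop-in
 * replacements that no longer depend on the compiler's choice. */
static int count_mismatches(void)
{
    int bad = 0;
    for (uint32_t x = 0; x < KYBER_Q; x++) {
        bad += compress4_division((uint16_t)x) != compress4_ct((uint16_t)x);
        bad += compress1_division((uint16_t)x) != compress1_ct((uint16_t)x);
    }
    return bad;
}

int main(void)
{
    printf("mismatches over [0, %d): %d\n", KYBER_Q, count_mismatches());
    return 0;
}
```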