{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":75924987,"defaultBranch":"main","name":"curve25519-dalek","ownerLogin":"dalek-cryptography","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2016-12-08T09:50:02.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/35540388?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1726755688.0","currentOid":""},"activityList":{"items":[{"before":"b636fb8ee4460360bcf3e4b1029b4b632a52e958","after":"d5ef57a3c2c4570720cafe8a112f5dd3ff56905e","ref":"refs/heads/main","pushedAt":"2024-09-19T22:43:32.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"ed: update `VerifyingKey::from_bytes` with ZIP-215 info (#704)\n\nRemoves the previous warning that points are unvalidated: they're\r\nvalidated using the ZIP-215 rules, which allows unreduced y-coordinates.\r\nPoints are ensured valid by performing decompression, which finds a\r\nsolution to the curve equation, or returns an error.\r\n\r\nAdds references to ZIP-215 and dalek-cryptography/curve25519-dalek#626\r\nwhich is an issue about potentially adding support for the RFC8032/NIST\r\nvalidation criteria in the future.","shortMessageHtmlLink":"ed: update <code>VerifyingKey::from_bytes</code> with ZIP-215 info (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2536502355\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/704\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/704/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/704\">#704</a>)"}},{"before":null,"after":"0a21b1cfb910e44d3aa56ee0b7577ab60a6f16cb","ref":"refs/heads/ed/verifying-key-from-bytes-rustdoc","pushedAt":"2024-09-19T14:21:28.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"ed: update `VerifyingKey::from_bytes` with ZIP-215 info\n\nRemoves the previous warning that points are unvalidated: they're\nvalidated using the ZIP-215 rules, which allows unreduced y-coordinates.\nPoints are ensured valid by performing decompression, which finds a\nsolution to the curve equation, or returns an error.\n\nAdds references to ZIP-215 and dalek-cryptography/curve25519-dalek#626\nwhich is an issue about potentially adding support for the RFC8032/NIST\nvalidation criteria in the future.","shortMessageHtmlLink":"ed: update <code>VerifyingKey::from_bytes</code> with ZIP-215 info"}},{"before":"0964f800ab2114a862543ca000291a6e3531c203","after":"b636fb8ee4460360bcf3e4b1029b4b632a52e958","ref":"refs/heads/main","pushedAt":"2024-09-08T05:13:36.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"Make AVX512IFMA opt-in backend (#695)\n\n* Make AVX512IFMA opt-in backend\r\n\r\n* Updated README to have backend info\r\n\r\n* Added entry to changelog\r\n\r\n---------\r\n\r\nCo-authored-by: Michael Rosenberg <michael@mrosenberg.pub>","shortMessageHtmlLink":"Make AVX512IFMA opt-in backend (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2493241289\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/695\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/695/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/695\">#695</a>)"}},{"before":"83a57e591fb6fdd7f879cbf28278737fee1f5479","after":"0964f800ab2114a862543ca000291a6e3531c203","ref":"refs/heads/main","pushedAt":"2024-07-30T13:43:13.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"curve: Support MSM #static scalars <= #static points (#668)","shortMessageHtmlLink":"curve: Support MSM #static scalars &lt;= #static points (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2384513345\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/668\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/668/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/668\">#668</a>)"}},{"before":"79ab6c29bd90c37d89a34a6279b92ae594c44e94","after":"83a57e591fb6fdd7f879cbf28278737fee1f5479","ref":"refs/heads/main","pushedAt":"2024-07-30T06:05:52.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"curve: Impl `Default` `ConstantTImeEq` and `ConditionallySelectable` for `SubgroupPoint` (#672)","shortMessageHtmlLink":"curve: Impl <code>Default</code> <code>ConstantTImeEq</code> and <code>ConditionallySelectable</code> …"}},{"before":"a7a9fffdc98cea50c24b5cdaa0da706b01ed48df","after":"79ab6c29bd90c37d89a34a6279b92ae594c44e94","ref":"refs/heads/main","pushedAt":"2024-07-30T05:51:44.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"curve: Implement ConditionallySelectable for MontgomeryPoint (#677)","shortMessageHtmlLink":"curve: Implement ConditionallySelectable for MontgomeryPoint (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2435774654\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/677\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/677/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/677\">#677</a>)"}},{"before":"35e78b21efb61a1de148cbcf4cfe2c3d559fbec0","after":"a7a9fffdc98cea50c24b5cdaa0da706b01ed48df","ref":"refs/heads/main","pushedAt":"2024-07-30T05:11:26.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"Minor documentation fixes (#671)","shortMessageHtmlLink":"Minor documentation fixes (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2396399007\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/671\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/671/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/671\">#671</a>)"}},{"before":"4ada2f61c5b0dde492b12a1877ca73ec87de7dc6","after":"44508ba8652ae3445608ad3c56b63ef528ddfb93","ref":"refs/heads/rustcrypto-new-releases","pushedAt":"2024-07-28T16:36:44.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"Bump ed25519-dalek version","shortMessageHtmlLink":"Bump ed25519-dalek version"}},{"before":null,"after":"4ada2f61c5b0dde492b12a1877ca73ec87de7dc6","ref":"refs/heads/rustcrypto-new-releases","pushedAt":"2024-07-28T16:32:22.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"[WIP] Bump `digest`, `ed25519`, `signature`, and `sha2`\n\nBumps the aforementioned dependencies to their latest (pre)releases","shortMessageHtmlLink":"[WIP] Bump <code>digest</code>, <code>ed25519</code>, <code>signature</code>, and <code>sha2</code>"}},{"before":"921bd7ced0af512677ee8e1d5b05ba26417696b9","after":"35e78b21efb61a1de148cbcf4cfe2c3d559fbec0","ref":"refs/heads/main","pushedAt":"2024-07-26T02:24:39.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"Enable unexpected cfgs lint (#656)\n\nPreviously, the only way to configure this lint was using a build.rs\r\nfile, but now it can be done using Cargo.toml as well.","shortMessageHtmlLink":"Enable unexpected cfgs lint (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2336059338\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/656\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/656/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/656\">#656</a>)"}},{"before":"6ab58140b2ead375b6793f144a46318feac7db13","after":null,"ref":"refs/heads/use-choice-for-constant-time-fixes","pushedAt":"2024-07-17T18:05:50.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"}},{"before":"5b7082bbc8e0b2106ab0d956064f61fa0f393cdc","after":"921bd7ced0af512677ee8e1d5b05ba26417696b9","ref":"refs/heads/main","pushedAt":"2024-07-17T18:05:46.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"curve: use `subtle::Choice` for constant-time fixes (#665)\n\nAlternative to #659/#661 and #662 which leverages `subtle::Choice` and\r\n`subtle::ConditionallySelectable` as the optimization barriers.\r\n\r\nReally the previous masking was there to conditionally add the scalar\r\nfield modulus on underflow, so instead of that, we can conditionally\r\nselect zero or the modulus using a `Choice` constructed from the\r\nunderflow bit.","shortMessageHtmlLink":"curve: use <code>subtle::Choice</code> for constant-time fixes (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2373055917\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/665\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/665/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/665\">#665</a>)"}},{"before":null,"after":"6ab58140b2ead375b6793f144a46318feac7db13","ref":"refs/heads/use-choice-for-constant-time-fixes","pushedAt":"2024-06-25T15:56:49.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"curve: use `subtle::Choice` for constant-time fixes\n\nAlternative to #659/#661 and #662 which leverages `subtle::Choice` and\n`subtle::ConditionallySelectable` as the optimization barriers.\n\nReally the previous masking was there to conditionally add the scalar\nfield modulus on underflow, so instead of that, we can conditionally\nselect zero or the modulus using a `Choice` constructed from the\nunderflow bit.","shortMessageHtmlLink":"curve: use <code>subtle::Choice</code> for constant-time fixes"}},{"before":"5312a0311ec40df95be953eacfa8a11b9a34bc54","after":"5b7082bbc8e0b2106ab0d956064f61fa0f393cdc","ref":"refs/heads/main","pushedAt":"2024-06-24T18:13:54.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"curve: use `subtle::BlackBox` optimization barrier (#662)\n\nReplaces the security mitigation added in #659 and #661 for\r\nmasking-related timing variability which used an inline `black_box`\r\nusing the recently added `subtle::BlackBox` newtype (see\r\ndalek-cryptography/subtle#123)\r\n\r\nInternally `BlackBox` uses a volatile read by default (i.e. same\r\nstrategy which was used before) or when the `core_hint_black_box`\r\nfeature of `subtle` is enabled, it uses `core::hint::black_box`\r\n(whose documentation was recently updated to reflect the nuances of\r\npotential cryptographic use, see rust-lang/rust#126703)\r\n\r\nThis PR goes ahead and uses `BlackBox` for both `mask` and\r\n`underflow_mask` where previously it was only used on `underflow_mask`.\r\nThe general pattern of bitwise masking inside a loop seems worrisome for\r\nthe optimizer potentially inserting branches in the future.\r\n\r\nBelow are godbolt inspections of the generated assembly, which are free\r\nof the `jns` instructions originally spotted in #659/#661:\r\n\r\n- 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4\r\n- 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET\r\n- 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f\r\n- 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv","shortMessageHtmlLink":"curve: use <code>subtle::BlackBox</code> optimization barrier (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2364542134\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/662\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/662/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/662\">#662</a>)"}},{"before":"fbd851b65469b7079bcfd05810b286feb8157b46","after":"b4a374cb9e1ff75ce614474b165b6cf501889392","ref":"refs/heads/use-subtle-blackbox","pushedAt":"2024-06-24T17:54:06.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"curve: use `subtle::BlackBox` optimization barrier\n\nReplaces the security mitigation added in #659 and #661 for\nmasking-related timing variability which used an inline `black_box`\nusing the recently added `subtle::BlackBox` newtype (see\ndalek-cryptography/subtle#123)\n\nInternally `BlackBox` uses a volatile read by default (i.e. same\nstrategy which was used before) or when the `core_hint_black_box`\nfeature of `subtle` is enabled, it uses `core::hint::black_box`\n(whose documentation was recently updated to reflect the nuances of\npotential cryptographic use, see rust-lang/rust#126703)\n\nThis PR goes ahead and uses `BlackBox` for both `mask` and\n`underflow_mask` where previously it was only used on `underflow_mask`.\nThe general pattern of bitwise masking inside a loop seems worrisome for\nthe optimizer potentially inserting branches in the future.\n\nBelow are godbolt inspections of the generated assembly, which are free\nof the `jns` instructions originally spotted in #659/#661:\n\n- 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4\n- 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET\n- 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f\n- 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv","shortMessageHtmlLink":"curve: use <code>subtle::BlackBox</code> optimization barrier"}},{"before":null,"after":"fbd851b65469b7079bcfd05810b286feb8157b46","ref":"refs/heads/use-subtle-blackbox","pushedAt":"2024-06-20T14:02:07.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"curve: use `subtle::BlackBox` optimization barrier\n\nReplaces the security mitigation added in #659 and #661 for\nmasking-related timing variability which used an inline `black_box`\nusing the recently added `subtle::BlackBox` newtype (see\ndalek-cryptography/subtle#123)\n\nInternally `BlackBox` uses a volatile read by default (i.e. same\nstrategy which was used before) or when the `core_hint_black_box`\nfeature of `subtle` is enabled, it uses `core::hint::black_box`\n(whose documentation was recently updated to reflect the nuances of\npotential cryptographic use, see rust-lang/rust#126703)\n\nThis PR goes ahead and uses `BlackBox` for both `mask` and\n`underflow_mask` where previously it was only used on `underflow_mask`.\nThe general pattern of bitwise masking inside a loop seems worrisome for\nthe optimizer potentially inserting branches in the future.\n\nBelow are godbolt inspections of the generated assembly, which are free\nof the `jns` instructions originally spotted in #659/#661:\n\n- 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4\n- 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET\n- 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f\n- 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv","shortMessageHtmlLink":"curve: use <code>subtle::BlackBox</code> optimization barrier"}},{"before":"b4f9e4df92a4689fb59e312a21f940ba06ba7013","after":"5312a0311ec40df95be953eacfa8a11b9a34bc54","ref":"refs/heads/main","pushedAt":"2024-06-18T19:18:51.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"curve: Bump version to 4.1.3 (#660)\n\n* Bumped to v4.1.3\r\n\r\n* Added recent PRs to changelog","shortMessageHtmlLink":"curve: Bump version to 4.1.3 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2360485919\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/660\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/660/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/660\">#660</a>)"}},{"before":"dac6f1ba2b24bf5ead6b1adce0ca9f36c5bc842f","after":null,"ref":"refs/heads/32-bit-fix","pushedAt":"2024-06-18T19:02:47.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"}},{"before":"415892acf1cdf9161bd6a4c99bc2f4cb8fae5e6a","after":"b4f9e4df92a4689fb59e312a21f940ba06ba7013","ref":"refs/heads/main","pushedAt":"2024-06-18T19:02:37.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"SECURITY: fix timing variability in backend/serial/u32/scalar.rs (#661)\n\nSimilar security fix to #659, but for the 32-bit backend. See that PR\r\nfor more information about the problem. Relevant compiler outputs (thanks to @tarcieri):\r\n\r\nWithout fix\r\nhttps://godbolt.org/z/zvaWxzvqv\r\nNotice the `jns` (\"jump if not sign\") instruction on line 106.\r\n\r\nWith fix\r\nhttps://godbolt.org/z/jc9j7eb8E","shortMessageHtmlLink":"SECURITY: fix timing variability in backend/serial/u32/scalar.rs (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2360493764\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/661\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/661/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/661\">#661</a>)"}},{"before":"4e6a2cff0422d49ef3b1cff3aa037c0586e112f8","after":"dac6f1ba2b24bf5ead6b1adce0ca9f36c5bc842f","ref":"refs/heads/32-bit-fix","pushedAt":"2024-06-18T18:53:54.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"SECURITY: fix timing variability in backend/serial/u32/scalar.rs\n\nSimilar security fix to #659, but for the 32-bit backend. See that PR\nfor more information about the problem.","shortMessageHtmlLink":"SECURITY: fix timing variability in backend/serial/u32/scalar.rs"}},{"before":null,"after":"4e6a2cff0422d49ef3b1cff3aa037c0586e112f8","ref":"refs/heads/32-bit-fix","pushedAt":"2024-06-18T18:52:27.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"SECURITY: fix timing variability in backend/serial/u32/scalar.rs\n\nSimilar security fix to #659, but for the 32-bit backend. See that PR\nfor more information about the problem.","shortMessageHtmlLink":"SECURITY: fix timing variability in backend/serial/u32/scalar.rs"}},{"before":"8f38163e5cd6ddb048b0bd5a3737927b79e6d80f","after":null,"ref":"refs/heads/fix","pushedAt":"2024-06-18T17:50:29.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"}},{"before":"56bf398d0caed63ef1d1edfbd35eb5335132aba2","after":"415892acf1cdf9161bd6a4c99bc2f4cb8fae5e6a","ref":"refs/heads/main","pushedAt":"2024-06-18T17:49:31.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"SECURITY: fix timing variability in backend/serial/u64/scalar.rs (#659)\n\nTiming variability of any kind is problematic when working with\r\npotentially secret values such as elliptic curve scalars, and such\r\nissues can potentially leak private keys and other secrets. Such a\r\nproblem was recently discovered in `curve25519-dalek`.\r\n\r\nThe `Scalar52::sub` function contained usage of a mask value inside of a\r\nloop where LLVM saw an opportunity to insert a branch instruction\r\n(`jns` on x86) to conditionally bypass this code section when the mask\r\nvalue is set to zero, as can be seen in godbolt:\r\n\r\nhttps://godbolt.org/z/PczYj7Pda\r\n\r\nA similar problem was recently discovered in the Kyber reference\r\nimplementation:\r\n\r\nhttps://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU/m/cnE3pbueBgAJ\r\n\r\nAs discussed on that thread, one portable solution, which is also used\r\nin this PR, is to introduce a volatile read as an optimization barrier,\r\nwhich prevents the compiler from optimizing it away.\r\n\r\nThe fix can be validated in godbolt here:\r\n\r\nhttps://godbolt.org/z/x8d46Yfah\r\n\r\nThe problem was discovered and the solution independently verified by\r\nAlexander Wagner <alexander.wagner@aisec.fraunhofer.de> and\r\nLea Themint <lea.thiemt@tum.de> using their DATA tool:\r\n\r\nhttps://github.com/Fraunhofer-AISEC/DATA\r\n\r\nCo-authored-by: Tony Arcieri <bascule@gmail.com>","shortMessageHtmlLink":"SECURITY: fix timing variability in backend/serial/u64/scalar.rs (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2360328197\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/659\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/659/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/659\">#659</a>)"}},{"before":null,"after":"8f38163e5cd6ddb048b0bd5a3737927b79e6d80f","ref":"refs/heads/fix","pushedAt":"2024-06-18T14:49:40.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"SECURITY: fix timing variability in backend/serial/u64/scalar.rs\n\nTiming variability of any kind is problematic when working with\npotentially secret values such as elliptic curve scalars, and such\nissues can potentially leak private keys and other secrets. Such a\nproblem was recently discovered in `curve25519-dalek`.\n\nThe `Scalar52::sub` function contained usage of a mask value inside of a\nloop where LLVM saw an opportunity to insert a branch instruction\n(`jns` on x86) to conditionally bypass this code section when the mask\nvalue is set to zero, as can be seen in godbolt:\n\nhttps://godbolt.org/z/PczYj7Pda\n\nA similar problem was recently discovered in the Kyber reference\nimplementation:\n\nhttps://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU/m/cnE3pbueBgAJ\n\nAs discussed on that thread, one portable solution, which is also used\nin this PR, is to introduce a volatile read as an optimization barrier,\nwhich prevents the compiler from optimizing it away.\n\nThe fix can be validated in godbolt here:\n\nhttps://godbolt.org/z/x8d46Yfah\n\nThe problem was discovered and the solution independently verified by\nAlexander Wagner <alexander.wagner@aisec.fraunhofer.de> and\nLea Themint <lea.thiemt@tum.de> using their DATA tool:\n\nhttps://github.com/Fraunhofer-AISEC/DATA","shortMessageHtmlLink":"SECURITY: fix timing variability in backend/serial/u64/scalar.rs"}},{"before":"5e2b45cd1f7a63706beb1d64f55575402c379246","after":null,"ref":"refs/heads/fix","pushedAt":"2024-06-14T15:12:13.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"}},{"before":null,"after":"5e2b45cd1f7a63706beb1d64f55575402c379246","ref":"refs/heads/fix","pushedAt":"2024-06-14T15:11:47.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"Fix","shortMessageHtmlLink":"Fix"}},{"before":"9252fa5c0d09054fed4ac4d649e63c40fad7abaf","after":"56bf398d0caed63ef1d1edfbd35eb5335132aba2","ref":"refs/heads/main","pushedAt":"2024-06-03T20:30:13.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"Updates license field to valid SPDX format (#647)","shortMessageHtmlLink":"Updates license field to valid SPDX format (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2211321802\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/647\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/647/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/647\">#647</a>)"}},{"before":"78dfb480173b7b0511a1fe85e55a220ccafa20d6","after":"cd3ddd81731650b99f3d8e9db6f5a1d37b6ff2b8","ref":"refs/heads/vk-frombytes-docs","pushedAt":"2024-05-10T10:37:10.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"Tightened wording","shortMessageHtmlLink":"Tightened wording"}},{"before":null,"after":"78dfb480173b7b0511a1fe85e55a220ccafa20d6","ref":"refs/heads/vk-frombytes-docs","pushedAt":"2024-05-10T10:33:54.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"rozbb","name":"Michael Rosenberg","path":"/rozbb","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/752802?s=80&v=4"},"commit":{"message":"Removed warning in docs for VerifyingKey::from_bytes","shortMessageHtmlLink":"Removed warning in docs for VerifyingKey::from_bytes"}},{"before":"1efe6a93b176c4389b78e81e52b2cf85d728aac6","after":"9252fa5c0d09054fed4ac4d649e63c40fad7abaf","ref":"refs/heads/main","pushedAt":"2024-05-09T13:24:16.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"tarcieri","name":"Tony Arcieri","path":"/tarcieri","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/797?s=80&v=4"},"commit":{"message":"Mitigate check-cfg until MSRV 1.77 (#652)","shortMessageHtmlLink":"Mitigate check-cfg until MSRV 1.77 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2285776509\" data-permission-text=\"Title is private\" data-url=\"https://github.com/dalek-cryptography/curve25519-dalek/issues/652\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/dalek-cryptography/curve25519-dalek/pull/652/hovercard\" href=\"https://github.com/dalek-cryptography/curve25519-dalek/pull/652\">#652</a>)"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOS0xOVQyMjo0MzozMi4wMDAwMDBazwAAAAS7YTS3","startCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOS0xOVQyMjo0MzozMi4wMDAwMDBazwAAAAS7YTS3","endCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wNS0wOVQxMzoyNDoxNi4wMDAwMDBazwAAAARFpLhj"}},"title":"Activity · dalek-cryptography/curve25519-dalek"}