RustCrypto Signatures ML-DSA Decompose Timing Side-Channel Vulnerability
Vulnerability
A timing side-channel has been identified in the Decompose routine (FIPS 204) of the ML-DSA implementation in the RustCrypto Signatures repository (the `ml-dsa` crate), in versions prior to 0.1.0-rc.2. Decompose splits a coefficient into high and low bits by dividing by 2γ2, and the affected versions did so with an ordinary division, which can lower to a hardware division instruction whose latency depends on the operand values. Because the values being decomposed during signing are derived from secret key material, the running time of a signature operation leaks information about that material. Version 0.1.0-rc.2 replaces the division with Barrett reduction (a multiplication by a precomputed reciprocal, a shift, and a masked correction step), so the work done no longer depends on the secret-derived input.
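As an added illustration (not code from the `ml-dsa` crate or the actual fix), the following Rust program implements FIPS 204 Decompose twice: a reference version that uses `/`, `%` and branches on the secret-derived input, and a version that replaces the division by 2γ2 with Barrett reduction and masked corrections so that only multiplication, shifts and masks touch the input. The modulus q = 8380417 and the two ML-DSA choices of γ2, (q-1)/88 and (q-1)/32, are from FIPS 204; the function names and the `check_range` helper are this example's own. The reference takes γ2 at runtime so the compiler cannot fold the division into a reciprocal multiply on its own.

```rust
// Added example, not the ml-dsa crate's own code: variable-time reference
// Decompose (FIPS 204, Algorithm 36) beside a constant-time version that
// replaces the division by 2*gamma2 with Barrett reduction.

/// ML-DSA modulus q = 2^23 - 2^13 + 1.
pub const Q: u32 = 8_380_417;

/// Reference Decompose: `/`, `%` and branches on secret-derived input.
/// `gamma2` is a runtime argument so the division is not constant-folded;
/// what it lowers to is up to the compiler and CPU.
pub fn decompose_ref(r: u32, gamma2: u32) -> (u32, i32) {
    let d = 2 * gamma2;
    let r_plus = r % Q;
    // r0 = r_plus mod± d, the representative in (-gamma2, gamma2]
    let mut r0 = (r_plus % d) as i32;
    if r0 > gamma2 as i32 {
        r0 -= d as i32;
    }
    // r_plus - r0 is a multiple of d
    let mut r1 = ((r_plus as i32 - r0) as u32) / d;
    if r_plus as i32 - r0 == (Q - 1) as i32 {
        r1 = 0;
        r0 -= 1;
    }
    (r1, r0)
}

/// Constant-time Decompose for r < q and gamma2 in {(q-1)/88, (q-1)/32}.
/// Only multiplication, shifts and masks depend on r.
pub fn decompose_ct(r: u32, gamma2: u32) -> (u32, i32) {
    debug_assert!(r < Q, "r must already be reduced mod q");
    let d = 2 * gamma2;
    // Barrett constant floor(2^32 / d): a division on a public constant only.
    let m: u64 = (1u64 << 32) / d as u64;
    // Quotient estimate; for r < 2^23 it is floor(r/d) or floor(r/d) - 1.
    let mut q_est = ((r as u64 * m) >> 32) as u32;
    let mut rem = r - q_est * d; // in [0, 2d)
    // One masked correction: if rem >= d then q_est += 1 and rem -= d.
    let ge = ((d as i32 - 1 - rem as i32) >> 31) as u32; // all-ones iff rem >= d
    q_est += ge & 1;
    rem -= ge & d;
    // Centre the remainder into (-gamma2, gamma2].
    let gt = (gamma2 as i32 - rem as i32) >> 31; // all-ones iff rem > gamma2
    let mut r0 = rem as i32 - (gt & d as i32);
    let mut r1 = q_est + (gt as u32 & 1);
    // Boundary case r - r0 == q - 1, i.e. r1 == (q-1)/d: fold to r1 = 0, r0 -= 1.
    let top = (Q - 1) / d;
    let eq = ((((r1 ^ top) as u64).wrapping_sub(1)) >> 63) as u32; // 1 iff r1 == top
    r1 &= eq.wrapping_sub(1);
    r0 -= eq as i32;
    (r1, r0)
}

/// Checks that both versions agree and satisfy r == r1*2gamma2 + r0 (mod q)
/// with r0 in [-gamma2, gamma2], over a strided sweep of [0, q) plus the
/// values around every multiple of d and of d/2 where rounding flips.
pub fn check_range(gamma2: u32, step: usize) -> bool {
    let d = 2 * gamma2;
    let mut inputs: Vec<u32> = (0..Q).step_by(step).collect();
    for k in 0..=(Q - 1) / d {
        for &off in &[k * d, k * d + gamma2] {
            for delta in -2i64..=2 {
                let r = off as i64 + delta;
                if (0..Q as i64).contains(&r) {
                    inputs.push(r as u32);
                }
            }
        }
    }
    inputs.into_iter().all(|r| {
        let (r1, r0) = decompose_ct(r, gamma2);
        decompose_ref(r, gamma2) == (r1, r0)
            && (-(gamma2 as i64)..=gamma2 as i64).contains(&(r0 as i64))
            && (r1 as i64 * d as i64 + r0 as i64).rem_euclid(Q as i64) == r as i64
    })
}

fn main() {
    for &gamma2 in &[(Q - 1) / 88, (Q - 1) / 32] {
        println!("gamma2 = {}: agree = {}", gamma2, check_range(gamma2, 97));
    }
}
```

Writing the corrections as masks is the source-level part of the fix; the compiler is free to turn a mask back into a branch, so a constant-time claim should be checked on the produced assembly or with a timing-leakage test harness rather than taken from the Rust source alone.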
Impact
An attacker who can time a sufficient number of signing operations with adequate precision could use the variation in the division's running time to learn information about the secret values that Decompose operates on during signing, and from that about the signing key. Practical exploitability depends on the CPU's division timing behaviour and on how closely the attacker can observe the signer.
Reproduction
The issue is present whenever the ML-DSA signing path of a version prior to 0.1.0-rc.2 is used. During signing, Decompose divides values derived from secret key components such as s2 and t0 using a hardware division, so the time taken by each signature varies with those values. Measuring that variation over many signatures is the channel an attacker would use to infer details about the signing key. To confirm whether a build is affected, check the resolved version of the `ml-dsa` crate in Cargo.lock.
Remediation
Upgrade to RustCrypto Signatures `ml-dsa` version 0.1.0-rc.2 or later, where the division has been replaced by Barrett reduction: raise the version requirement in Cargo.toml and run `cargo update` so the lock file picks up the fixed release.
