How we avoided side-channels in our new post-quantum Go cryptography libraries

The Trail of Bits cryptography team is releasing our open-source pure Go implementations of ML-DSA (FIPS-204) and SLH-DSA (FIPS-205), two NIST-standardized post-quantum signature algorithms. These implementations have been engineered and reviewed by several of our cryptographers, so if you or your organization is looking to transition to post-quantum support for digital signatures, try them out!

This post will detail some of the work we did to ensure the implementations are constant time. These tricks specifically apply to the ML-DSA (FIPS-204) algorithm, protecting against attacks like KyberSlash, but they also apply to any cryptographic algorithm that requires branching or division.

The road to constant-time FIPS-204

SLH-DSA (FIPS-205) is relatively easy to implement without introducing side channels, as it is based on pseudorandom functions built from hash functions, but the ML-DSA (FIPS-204) specification includes several integer divisions, which require more careful consideration. Division was the root cause of a timing attack called KyberSlash that impacted early implementations of Kyber, which later became ML-KEM (FIPS-203).

Article Summaries:

  • Trail of Bits has released open‑source, pure‑Go implementations of the NIST‑standardized post‑quantum signature schemes ML‑DSA (FIPS‑204) and SLH‑DSA (FIPS‑205). The team focused on constant‑time design to eliminate side‑channel vulnerabilities, particularly timing attacks that exploit integer division, such as the KyberSlash attack on early Kyber/ML‑KEM code. For ML‑DSA, they replaced branching and division operations with branchless conditional swaps and Barrett reduction, using pre‑computed reciprocals for the fixed parameter γ₂. SLH‑DSA, based on hash‑derived pseudorandom functions, required fewer adjustments. The result is a secure, side‑channel‑resistant Go library ready for organizations transitioning to post‑quantum signatures.
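The Barrett step with a precomputed reciprocal and the mask-based branch replacement described above, as an added Go example that is not Trail of Bits' code: it applies them to the Decompose routine of FIPS 204 with the modulus q = 8380417 and γ₂ = (q−1)/88 of ML-DSA-44. The names Divisor, NewDivisor, Decompose, the 48-bit reciprocal precision and the sample coefficient are the example's own choices.

```go
package main

import "fmt"

const (
	q     = 8380417 // ML-DSA modulus (FIPS 204); gamma2 is (q-1)/88 for ML-DSA-44, (q-1)/32 otherwise
	shift = 48      // reciprocal precision: 2^shift must exceed (q-1)*d for the Barrett step to be exact
)

// Divisor is a public, fixed divisor d with its precomputed reciprocal m = ceil(2^shift / d).
type Divisor struct{ d, m uint64 }

// NewDivisor performs the only real division once, at setup and on public constants, and
// checks that (x*m)>>shift equals x/d for every x below q before the divisor touches secrets.
func NewDivisor(d uint64) (Divisor, error) {
	m := (uint64(1)<<shift + d - 1) / d
	e := m*d - uint64(1)<<shift // rounding error of the reciprocal, 0 <= e < d
	if e*(q-1) >= uint64(1)<<shift {
		return Divisor{}, fmt.Errorf("divisor %d: shift %d too small for inputs below %d", d, shift, q)
	}
	return Divisor{d, m}, nil
}

// Div returns x/d for 0 <= x < q using one multiply and one shift: no division instruction
// and no data-dependent branch, so its running time does not depend on x.
func (dv Divisor) Div(x uint64) uint64 { return (x * dv.m) >> shift }

// ctLess returns 1 when a < b and 0 otherwise (a, b < 2^63) without branching.
func ctLess(a, b uint64) uint64 { return (a - b) >> 63 }
// ctEq returns 1 when a == b and 0 otherwise without branching.
func ctEq(a, b uint64) uint64 { return 1 - (((a ^ b) | -(a ^ b)) >> 63) }

// Decompose is the FIPS 204 Decompose routine for r in [0, q) with dv.d = 2*gamma2: r = r1*dv.d + r0
// mod q, r0 in (-gamma2, gamma2]. Its division is a Barrett step and its "if" a mask (this example's rendering).
func Decompose(r uint64, dv Divisor) (r1 uint64, r0 int64) {
	t := r - dv.Div(r)*dv.d      // r mod 2*gamma2, in [0, 2*gamma2)
	high := ctLess(dv.d/2, t)    // 1 if t > gamma2: centre by subtracting 2*gamma2
	r0u := t - (dv.d & -high)    // wraps below zero; read back as int64 on return
	top := ctEq(r-r0u, q-1)      // the r - r0 == q-1 corner case of the specification
	r1 = dv.Div(r-r0u) &^ -top   // corner case: r1 = 0
	r0 = int64(r0u) - int64(top) // corner case: r0 = r0 - 1
	return
}

func main() {
	dv, err := NewDivisor(2 * (q - 1) / 88) // ML-DSA-44: 2*gamma2 = 190464
	if err != nil {
		panic(err)
	}
	fmt.Println(Decompose(1234567, dv)) // constructed sample coefficient
}
```

NewDivisor's bound check is what makes the multiply-and-shift safe to use on secret inputs: it proves the reciprocal is exact over the whole input range, so no fallback correction step (and no branch) is ever needed.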
