This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate x25519-dalek

Dependencies

(4 total, 1 possibly insecure)

 Name              Required  Latest   Status
 curve25519-dalek  ^4        4.1.3    ⚠️ maybe insecure
 rand_core         ^                  up to date
 serde             ^1        1.0.203  up to date
 zeroize           ^1        1.8.1    up to date

Dev dependencies

(3 total, all up-to-date)

 Name              Required  Latest   Status
 bincode           ^1        1.3.3    up to date
 criterion         ^                  up to date
 rand_core         ^                  up to date

Security Vulnerabilities

curve25519-dalek: Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`


Timing variability of any kind is problematic when working with potentially secret values such as elliptic curve scalars, and such issues can potentially leak private keys and other secrets. Such a problem was recently discovered in curve25519-dalek.

The Scalar29::sub (32-bit) and Scalar52::sub (64-bit) functions used a mask value inside a loop. LLVM saw an opportunity to insert a branch instruction (jns on x86) that conditionally skips the masked code section when the mask value is zero, turning a data-independent sequence into a secret-dependent branch, as can be seen in godbolt:

A similar problem was recently discovered in the Kyber reference implementation:

As discussed on that thread, one portable solution, which is also used in this PR, is to pass the mask through a volatile read that acts as an optimization barrier: the compiler can no longer reason about the mask's value, so it cannot replace the masked additions with a conditional branch.
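The pattern the advisory describes, as an added illustration that is not code from curve25519-dalek or this PR: a 5×52-bit limb subtraction modulo the group order L, where the "add L back on underflow" step is driven by an all-ones/all-zeros mask. `barrier` is our own name for the volatile-read optimization barrier; `Limbs52`, `from_u64` and the two `sub_*` wrappers are constructed for this example. Both variants compute the same value, which the test checks; the difference the barrier makes is only visible in the generated assembly, which is why the advisory points at godbolt rather than at a unit test.

```rust
use core::ptr;

const LIMB_BITS: u32 = 52;
const LIMB_MASK: u64 = (1u64 << LIMB_BITS) - 1;

/// A scalar as five little-endian 52-bit limbs (same layout as the crate's
/// 64-bit backend; this struct is illustrative, not the crate's own type).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Limbs52(pub [u64; 5]);

impl Limbs52 {
    /// Constructed helper: embed a small integer as a scalar.
    pub fn from_u64(x: u64) -> Limbs52 {
        Limbs52([x & LIMB_MASK, x >> LIMB_BITS, 0, 0, 0])
    }
}

/// Group order L = 2^252 + 27742317777372353535851937790883648493, in 52-bit limbs.
pub const L: Limbs52 = Limbs52([
    0x0002631a5cf5d3ed,
    0x000dea2f79cd6581,
    0x000000000014def9,
    0x0000000000000000,
    0x0000100000000000,
]);

/// Optimization barrier (our name): a volatile read makes the value opaque to
/// the optimizer, so it cannot prove `mask == 0` and branch around the masked
/// additions in `sub_with`.
pub fn barrier(x: u64) -> u64 {
    // SAFETY: `x` is an initialized, aligned local u64; a volatile read of it
    // has no effect other than preventing the compiler from reasoning about it.
    unsafe { ptr::read_volatile(&x) }
}

/// a - b mod L. `mask_fn` is applied to the underflow mask before the
/// conditional add-back; identity for the unhardened form, `barrier` for the fix.
fn sub_with(a: &Limbs52, b: &Limbs52, mask_fn: fn(u64) -> u64) -> Limbs52 {
    let mut out = Limbs52([0u64; 5]);
    let mut borrow: u64 = 0;
    for i in 0..5 {
        // Top bit of `borrow` is set iff this limb underflowed.
        borrow = a.0[i].wrapping_sub(b.0[i] + (borrow >> 63));
        out.0[i] = borrow & LIMB_MASK;
    }
    // 0 if a >= b, u64::MAX if the whole subtraction underflowed.
    let underflow_mask = ((borrow >> 63) ^ 1).wrapping_sub(1);
    let mask = mask_fn(underflow_mask);
    // Conditionally add L back. Without the barrier, the compiler may notice
    // that `mask == 0` makes this loop a no-op and skip it with a branch.
    let mut carry: u64 = 0;
    for i in 0..5 {
        carry = (carry >> LIMB_BITS) + out.0[i] + (mask & L.0[i]);
        out.0[i] = carry & LIMB_MASK;
    }
    out
}

/// Form the advisory describes as vulnerable at the codegen level.
pub fn sub_unhardened(a: &Limbs52, b: &Limbs52) -> Limbs52 {
    sub_with(a, b, |m| m)
}

/// Form with the volatile-read barrier on the mask.
pub fn sub_hardened(a: &Limbs52, b: &Limbs52) -> Limbs52 {
    sub_with(a, b, barrier)
}

fn main() {
    let zero = Limbs52::from_u64(0);
    let one = Limbs52::from_u64(1);
    println!("5 - 3 mod L = {:?}", sub_hardened(&Limbs52::from_u64(5), &Limbs52::from_u64(3)));
    println!("0 - 1 mod L = {:?}", sub_hardened(&zero, &one)); // L - 1
}
```

Note that `core::hint::black_box` exists in the standard library but its documentation states it is best-effort and not suitable for cryptographic or security contexts, which is why a volatile read is the portable choice here. Arithmetic tests like the one above cannot detect the regression; checking the emitted assembly (as the advisory does in godbolt) or running a timing-leak detection tool is what confirms the fix.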

The fix can be validated in godbolt here:

The problem was discovered and the solution independently verified by Alexander Wagner and Lea Themint using their DATA tool: