RUSTSEC-2024-0344: 
Rust vulnerability analysis and mitigation

A critical timing variability vulnerability was discovered in curve25519-dalek's Scalar29::sub/Scalar52::sub functions (RUSTSEC-2024-0344). The vulnerability affects versions up to 1.1 of the library, where the Scalar52::sub function contained usage of a mask value inside a loop that could lead to timing-based side-channel attacks (GitHub PR).

The vulnerability stems from LLVM's optimization where it inserted a branch instruction (jns on x86) to conditionally bypass code sections when the mask value is set to zero. This timing variability could potentially leak private keys and other secrets when working with elliptic curve scalars. The issue was discovered using the DATA tool by Alexander Wagner and Lea Themint from Fraunhofer AISEC (GitHub PR).

The vulnerability could potentially lead to the leakage of private keys and other secret values through timing-based side-channel attacks. This is particularly critical in cryptographic operations where constant-time execution is essential for security (GitHub PR).

The issue has been fixed by introducing a volatile read as an optimization barrier, which prevents the compiler from optimizing away the constant-time behavior. The fix was later improved by using subtle::Choice for constant-time operations. Users should upgrade to the latest version of the library that includes these fixes (GitHub PR).