Skip to content

feat(kes): Use constant-time comparison for KES public key#1627

Merged
wolf31o2 merged 2 commits intomainfrom
kes_pub_key_comapre
Mar 10, 2026
Merged

feat(kes): Use constant-time comparison for KES public key#1627
wolf31o2 merged 2 commits intomainfrom
kes_pub_key_comapre

Conversation

@arepala-uml
Copy link
Contributor

@arepala-uml arepala-uml commented Mar 8, 2026
edited by cubic-dev-ai bot
Loading

  1. Updated KES public key verification to subtle.ConstantTimeCompare for consistency with VRF

Closes #1575

Summary by cubic

Replaces bytes.Equal with crypto/subtle’s ConstantTimeCompare for KES public key verification in kes to prevent timing leaks and align with VRF. Closes #1575.

Written for commit 5ac7647. Summary will update on new commits.

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced security of cryptographic verification operations to improve robustness against certain attack vectors.

@arepala-uml
feat(kes): Replaced bytes.Equal with subtle.ConstantTimeCompare in ke…
74fb131 
…s/kes.go

Signed-off-by: Akhil Repala <arepala@blinklabs.io>
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 8, 2026
edited
Loading

📝 Walkthrough

Walkthrough

The change modifies the cryptographic key comparison logic in the KES verification function. Specifically, it replaces the standard byte slice equality check with a constant-time comparison function. The imports were updated to remove the bytes package and add the crypto/subtle package. The verification logic flow and behavior remain unchanged, with the comparison now performed against the HashPair result. No public API changes were made.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: replacing bytes.Equal with constant-time comparison for KES public key verification.
Linked Issues check ✅ Passed The PR successfully implements all coding requirements from issue #1575: replaced bytes.Equal with crypto/subtle.ConstantTimeCompare at the specified location and added the necessary import.
Out of Scope Changes check ✅ Passed All changes are directly related to the linked issue requirements; only the KES public key comparison logic was modified with appropriate import adjustments.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch kes_pub_key_comapre

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@arepala-uml arepala-uml marked this pull request as ready for review March 8, 2026 02:52
@arepala-uml arepala-uml requested a review from a team as a code owner March 8, 2026 02:52
@arepala-uml arepala-uml requested review from agaffney and wolf31o2 March 8, 2026 02:52
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Mar 8, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

@wolf31o2 wolf31o2 merged commit 4ad7aad into main Mar 10, 2026
12 checks passed
@wolf31o2 wolf31o2 deleted the kes_pub_key_comapre branch March 10, 2026 13:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@wolf31o2 wolf31o2 wolf31o2 approved these changes

@agaffney agaffney Awaiting requested review from agaffney

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use constant-time comparison for KES public key

2 participants

@arepala-uml @wolf31o2