Version 3.7.3.

Wei Dai · Wei Dai · commit 265d77e84fb3 · 2022-03-16T17:33:12.000-07:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -7,12 +7,13 @@
 - All output files including downloaded thirdparty dependencies and Visual Studio project and solution files will be created in the build directory [(PR 427)](https://github.com/microsoft/SEAL/pull/427).
 - Reduced `util::try_minimal_primitive_root` search iterations by half [(PR 430)](https://github.com/microsoft/SEAL/pull/430). Thanks, [zirconium-n](https://github.com/zirconium-n)!
 - Updated .Net SDK version to 6.0.x and supported Visual Studio version to 17 2022.
+- Added `SEAL_AVOID_BRANCHING` option to eleminate branching in critical functions when Microsoft SEAL is built with maliciously inserted compiler flags.
 
-## Bug Fixes
+### Bug Fixes
 
 - Removed exceptions in `KeyGenerator::CreateGaloisKeys` when inputs do not include steps so that even when `EncryptionParameterQualifiers::using_batching` is false Galois automorphisms are still available.
 
-## File Changes
+### File Changes
 
 - `dotnet/SEALNet.sln` is removed.
 - `dotnet/SEALNet.sln.in` is added.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -23,7 +23,7 @@ if(NOT CMAKE_BUILD_TYPE)
 endif()
 message(STATUS "Build type (CMAKE_BUILD_TYPE): ${CMAKE_BUILD_TYPE}")
 
-project(SEAL VERSION 3.7.2 LANGUAGES CXX C)
+project(SEAL VERSION 3.7.3 LANGUAGES CXX C)
 
 ########################
 # Global configuration #
@@ -266,7 +266,7 @@ set_property(CACHE SEAL_DEFAULT_PRNG PROPERTY
 mark_as_advanced(FORCE SEAL_DEFAULT_PRNG)
 
 # [option] SEAL_AVOID_BRANCHING (default: OFF)
-# Avoid branching in conditional move operations if set to ON, use faster method if set to OFF.
+# Avoid branching in critical conditional move operations if set to ON, use faster method if set to OFF.
 set(SEAL_AVOID_BRANCHING_STR "Use an always branching-free conditional move")
 option(SEAL_AVOID_BRANCHING ${SEAL_AVOID_BRANCHING_STR} OFF)
 message(STATUS "SEAL_AVOID_BRANCHING: ${SEAL_AVOID_BRANCHING}")
diff --git a/README.md b/README.md
@@ -430,6 +430,7 @@ The following options can be used with CMake to further configure the build. Mos
 | SEAL_BUILD_STATIC_SEAL_C             | ON / **OFF**              | Set to `ON` to build SEAL_C as a static library instead of a shared library.                                                                                                                                                                                                                             |
 | SEAL_DEFAULT_PRNG                    | **Blake2xb**</br>Shake256 | Microsoft SEAL supports both Blake2xb and Shake256 XOFs for generating random bytes. Blake2xb is much faster, but it is not standardized, whereas Shake256 is a FIPS standard.                                                                                                                           |
 | SEAL_USE_GAUSSIAN_NOISE              | ON / **OFF**              | Set to `ON` to use a non-constant time rounded continuous Gaussian for the error distribution; otherwise a centered binomial distribution &ndash; with slightly larger standard deviation &ndash; is used.                                                                                               |
+| SEAL_AVOID_BRANCHING                 | ON / **OFF**              | Set to `ON` to eliminate branching in critical conditional move operations when compiler has maliciously inserted flags; otherwise assume `cmov` is used.                                                                                               |
 | SEAL_SECURE_COMPILE_OPTIONS          | ON / **OFF**              | Set to `ON` to compile/link with Control-Flow Guard (`/guard:cf`) and Spectre mitigations (`/Qspectre`). This has an effect only when compiling with MSVC.                                                                                                                                               |
 | SEAL_USE_ALIGNED_ALLOC                    | **ON** / OFF              | Set to `ON` to use 64-byte aligned memory allocations. This can improve performance of AVX512 primitives when Intel HEXL is enabled. This depends on C++17 and is disabled on Android.                                                                                               |
 
diff --git a/cmake/SEALConfig.cmake.in b/cmake/SEALConfig.cmake.in
@@ -27,6 +27,7 @@
 #       validation code (little impact on performance)
 #   SEAL_USE_GAUSSIAN_NOISE : Set to non-zero value if library is compiled to sample noise from a rounded Gaussian
 #       distribution (slower) instead of a centered binomial distribution (faster)
+#   SEAL_AVOID_BRANCHING : Set to non-zero value if library is compiled to eliminate branching in critical conditional move operations.
 #   SEAL_DEFAULT_PRNG : The default choice of PRNG (e.g., "Blake2xb" or "Shake256")
 #
 #   SEAL_USE_MSGSL : Set to non-zero value if library is compiled with Microsoft GSL support
@@ -70,6 +71,7 @@ set(SEAL_USE_NODISCARD @SEAL_USE_NODISCARD@)
 
 set(SEAL_THROW_ON_TRANSPARENT_CIPHERTEXT @SEAL_THROW_ON_TRANSPARENT_CIPHERTEXT@)
 set(SEAL_USE_GAUSSIAN_NOISE @SEAL_USE_GAUSSIAN_NOISE@)
+set(SEAL_AVOID_BRANCHING @SEAL_AVOID_BRANCHING@)
 set(SEAL_DEFAULT_PRNG @SEAL_DEFAULT_PRNG@)
 
 set(SEAL_USE_MSGSL @SEAL_USE_MSGSL@)
diff --git a/dotnet/tests/SEALNetTest.csproj.in b/dotnet/tests/SEALNetTest.csproj.in
@@ -15,7 +15,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.1.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.11.0" />
     <PackageReference Include="MSTest.TestAdapter" Version="2.2.8" />
     <PackageReference Include="MSTest.TestFramework" Version="2.2.8" />
   </ItemGroup>
diff --git a/native/bench/CMakeLists.txt b/native/bench/CMakeLists.txt
@@ -3,14 +3,14 @@
 
 cmake_minimum_required(VERSION 3.13)
 
-project(SEALBench VERSION 3.7.2 LANGUAGES CXX)
+project(SEALBench VERSION 3.7.3 LANGUAGES CXX)
 
 # If not called from root CMakeLists.txt
 if(NOT DEFINED SEAL_BUILD_BENCH)
     set(SEAL_BUILD_BENCH ON)
 
     # Import Microsoft SEAL
-    find_package(SEAL 3.7.2 EXACT REQUIRED)
+    find_package(SEAL 3.7.3 EXACT REQUIRED)
 
     # Must define these variables and include macros
     set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/${OUTLIB_PATH})
diff --git a/native/examples/CMakeLists.txt b/native/examples/CMakeLists.txt
@@ -3,14 +3,14 @@
 
 cmake_minimum_required(VERSION 3.13)
 
-project(SEALExamples VERSION 3.7.2 LANGUAGES CXX)
+project(SEALExamples VERSION 3.7.3 LANGUAGES CXX)
 
 # If not called from root CMakeLists.txt
 if(NOT DEFINED SEAL_BUILD_EXAMPLES)
     set(SEAL_BUILD_EXAMPLES ON)
 
     # Import Microsoft SEAL
-    find_package(SEAL 3.7.2 EXACT REQUIRED)
+    find_package(SEAL 3.7.3 EXACT REQUIRED)
 
     set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/bin)
 endif()
diff --git a/native/tests/CMakeLists.txt b/native/tests/CMakeLists.txt
@@ -3,14 +3,14 @@
 
 cmake_minimum_required(VERSION 3.13)
 
-project(SEALTest VERSION 3.7.2 LANGUAGES CXX C)
+project(SEALTest VERSION 3.7.3 LANGUAGES CXX C)
 
 # If not called from root CMakeLists.txt
 if(NOT DEFINED SEAL_BUILD_TESTS)
     set(SEAL_BUILD_TESTS ON)
 
     # Import Microsoft SEAL
-    find_package(SEAL 3.7.2 EXACT REQUIRED)
+    find_package(SEAL 3.7.3 EXACT REQUIRED)
 
     # Must define these variables and include macros
     set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/${OUTLIB_PATH})
diff --git a/pipelines/jobs.yml b/pipelines/jobs.yml
@@ -11,11 +11,11 @@ jobs:
     ${{ if eq(parameters.debug, 'false') }}:
       timeoutInMinutes: 0
     pool:
-      vmImage: 'windows-latest'
+      vmImage: 'windows-2022'
     steps:
     - template: windows.yml
       parameters:
-        nuget_version: '5.4.0'
+        nuget_version: '6.1.0'
         ${{ if eq(parameters.debug, 'true') }}:
           configuration: 'Debug'
         ${{ if eq(parameters.debug, 'false') }}:
@@ -67,7 +67,7 @@ jobs:
   - job: ${{ parameters.name }}
     displayName: ${{ parameters.name }}
     pool:
-      vmImage: 'windows-latest'
+      vmImage: 'windows-2022'
     steps:
     - template: android.yml
       parameters:
@@ -82,8 +82,8 @@ jobs:
     displayName: ${{ parameters.name }}
     dependsOn: [Windows, Linux, macOS, Android]
     pool:
-      vmImage: 'windows-latest'
+      vmImage: 'windows-2022'
     steps:
     - template: nuget.yml
       parameters:
-        nuget_version: '5.4.0'
+        nuget_version: '6.1.0'
diff --git a/pipelines/windows.yml b/pipelines/windows.yml
@@ -1,4 +1,30 @@
 steps:
+- task: CMake@1
+  displayName: 'Configure SEAL'
+  inputs:
+    cmakeArgs: .. -DCMAKE_BUILD_TYPE='${{ parameters.configuration }}' -DSEAL_BUILD_DEPS=ON -DSEAL_BUILD_TESTS=ON -DSEAL_BUILD_EXAMPLES=ON -DSEAL_BUILD_SEAL_C=ON -DSEAL_SECURE_COMPILE_OPTIONS=ON
+    workingDirectory: '$(Build.SourcesDirectory)/build'
+
+- task: MSBuild@1
+  displayName: 'Build SEAL'
+  inputs:
+    solution: '$(Build.SourcesDirectory)/build/seal.sln'
+    msbuildArchitecture: 'x64'
+    platform: 'x64'
+    configuration: '${{ parameters.configuration }}'
+    msbuildVersion: 'latest'
+
+- task: VSTest@2
+  displayName: 'VsTest - native tests'
+  inputs:
+    testAssemblyVer2: |
+        **\${{ parameters.configuration }}\*test*.dll
+        **\${{ parameters.configuration }}\*test*.exe
+        !**\obj\**
+    platform: 'x64'
+    configuration: ${{ parameters.configuration }}
+    diagnosticsEnabled: True
+
 - task: NuGetToolInstaller@1
   displayName: 'Use NuGet'
   inputs:
@@ -10,18 +36,21 @@ steps:
     restoreSolution: tools/config/packages.config
     restoreDirectory: ConfigPackages
 
+- task: UseDotNet@2
+  displayName: 'Get .NET Core 6.0 SDK'
+  inputs:
+    packageType: 'sdk'
+    version: '6.0.x'
+
 - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2
   displayName: 'Run CredScan'
   inputs:
     toolMajorVersion: 'V2'
     outputFormat: sarif
     debugMode: false
 
-- task: UseDotNet@2
-  displayName: 'Get .NET Core 6.0 SDK'
-  inputs:
-    packageType: 'sdk'
-    version: '6.0.x'
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@2
+  displayName: 'Run Roslyn Analyzers'
 
 - ${{ if eq(parameters.configuration, 'Release') }}:
   - task: PowerShell@2
@@ -30,75 +59,39 @@ steps:
       targetType: 'inline'
       script: |
           # Get signing certificate
-          $CertOutFile = Join-Path -Path $env:BUILD_SOURCESDIRECTORY -ChildPath dotnet\src\SEALNetCert.snk
+          $CertOutFile = Join-Path -Path $env:BUILD_SOURCESDIRECTORY -ChildPath build\dotnet\src\SEALNetCert.snk
           if (Test-Path env:SEALNetSigningCertificate) {
               Invoke-WebRequest -Uri "$env:SEALNetSigningCertificate" -OutFile $CertOutFile
           }
 
-- task: CMake@1
-  displayName: 'Configure SEAL'
-  inputs:
-    cmakeArgs: .. -DCMAKE_BUILD_TYPE='${{ parameters.configuration }}' -DSEAL_BUILD_DEPS=ON -DSEAL_BUILD_TESTS=ON -DSEAL_BUILD_EXAMPLES=ON -DSEAL_BUILD_SEAL_C=ON -DSEAL_SECURE_COMPILE_OPTIONS=ON
-    workingDirectory: '$(Build.SourcesDirectory)/build'
-
-- task: MSBuild@1
-  displayName: 'Build SEAL'
-  inputs:
-    solution: '$(Build.SourcesDirectory)/build/seal.sln'
-    msbuildArchitecture: 'x64'
-    platform: 'x64'
-    configuration: '${{ parameters.configuration }}'
-
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@2
-  displayName: 'Run Roslyn Analyzers'
-
-- task: VSTest@2
-  displayName: 'VsTest - native tests'
-  inputs:
-    testAssemblyVer2: |
-        **\${{ parameters.configuration }}\*test*.dll
-        **\${{ parameters.configuration }}\*test*.exe
-        !**\obj\**
-    platform: 'x64'
-    configuration: ${{ parameters.configuration }}
-    diagnosticsEnabled: True
-
 - task: NuGetCommand@2
   displayName: 'NuGet restore from Solution'
   inputs:
     command: 'restore'
-    restoreSolution: 'dotnet/SEALNet.sln'
+    restoreSolution: '$(Build.SourcesDirectory)/build/dotnet/SEALNet.sln'
     feedsToUse: 'select'
 
 - task: MSBuild@1
   displayName: 'Build SEALNet'
   inputs:
-    solution: '$(Build.SourcesDirectory)/dotnet/SEALNet.sln'
+    solution: '$(Build.SourcesDirectory)/build/dotnet/SEALNet.sln'
     msbuildArchitecture: 'x64'
     platform: 'x64'
     configuration: '${{ parameters.configuration }}'
-
-- ${{ if eq(parameters.configuration, 'Release') }}:
-  - task: MSBuild@1
-    displayName: 'Build SEALNet for iOS'
-    inputs:
-      solution: '$(Build.SourcesDirectory)/dotnet/src/SEALNet.csproj'
-      msbuildArchitecture: 'x64'
-      platform: 'x64'
-      msbuildArguments: '/p:BuildIOS=1'
-      configuration: '${{ parameters.configuration }}'
+    msbuildVersion: 'latest'
 
 - task: VSTest@2
   displayName: 'VsTest - dotnet tests'
   inputs:
     testAssemblyVer2: |
         **\${{ parameters.configuration }}\**\sealnettest.dll
         !**\obj\**
+        !**\ref\**
     configuration: ${{ parameters.configuration }}
     diagnosticsEnabled: True
 
 - ${{ if eq(parameters.configuration, 'Release') }}:
-  - task: Semmle@0
+  - task: Semmle@1
     displayName: 'Semmle SEAL'
     env:
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
@@ -112,7 +105,7 @@ steps:
       buildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/build/seal.sln'
       cleanupBuildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/build/seal.sln /t:Clean'
 
-  - task: Semmle@0
+  - task: Semmle@1
     displayName: 'Semmle SEALNet'
     env:
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
@@ -123,8 +116,18 @@ steps:
       timeout: '1800'
       ram: '16384'
       addProjectDirToScanningExclusionList: true
-      buildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/dotnet/SEALNet.sln'
-      cleanupBuildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/dotnet/SEALNet.sln /t:Clean'
+      buildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/build/dotnet/SEALNet.sln'
+      cleanupBuildCommands: '"%ProgramFiles(x86)%\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat" && msbuild $(Build.SourcesDirectory)/build/dotnet/SEALNet.sln /t:Clean'
+
+  - task: MSBuild@1
+    displayName: 'Build SEALNet for iOS'
+    inputs:
+      solution: '$(Build.SourcesDirectory)/build/dotnet/src/SEALNet.csproj'
+      msbuildArchitecture: 'x64'
+      platform: 'x64'
+      msbuildArguments: '/p:BuildIOS=1'
+      configuration: '${{ parameters.configuration }}'
+      msbuildVersion: 'latest'
 
   - task: PublishSymbols@2
     displayName: 'Publish symbols path'
@@ -286,7 +289,7 @@ steps:
 - task: CopyFiles@2
   displayName: 'Copy NuSpec File to: $(Build.ArtifactStagingDirectory)'
   inputs:
-    SourceFolder: '$(Build.SourcesDirectory)\dotnet\nuget\'
+    SourceFolder: '$(Build.SourcesDirectory)\build\dotnet\nuget\'
     Contents: 'SEALNet-multi.nuspec'
     TargetFolder: '$(Build.ArtifactStagingDirectory)\dotnet\nuget\'
 
