x/crypto/curve25519,crypto/ed25519: reject low order points #31846
Comments
FiloSottile
added
the
NeedsFix
|
Change https://golang.org/cl/183039 mentions this issue: |
The RFC recommends checking the X25519 output to ensure it's not the zero value, to guard against peers trying to remove contributory behavior. In TLS there should be enough transcript involvement to mitigate any attack, and the RSA key exchange would suffer from the same issues by design, so not proposing a backport. See #31846 Change-Id: I8e657f8ee8aa72c3f8ca3b124555202638c53f5e Reviewed-on: https://go-review.googlesource.com/c/go/+/183039 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
FiloSottile
added
the
early-in-cycle
FiloSottile
changed the title
|
Curve25519 is covered by #32670, this issue is now about doing the check in crypto/ed25519. |
|
Does the signature must also reject non-prime order points for the public keys and the R of signatures? |
FiloSottile
changed the title
|
Changing the Ed25519 verification rules now would cause significant disruption downstream, as it would lead to forks in any cryptocurrency that relies on the crypto/ed25519 verification rules for consensus. (They should not do that and instead migrate to github.com/hdevalence/ed25519consensus, but it is what it is.) While the contributory behavior of X25519 might be expected and is anyway easily achieved, the properties of Ed25519 that require low-order checks are not commonly understood to be signature properties. Moreover, no implementation in the ecosystem achieves them. libsodium makes an attempt but it's unclear if sufficient. The original paper that led to #32670 is https://eprint.iacr.org/2019/526.pdf, with a live attack against Tendermint that would have failed with the new API. The paper that describes the Ed25519 properties is https://eprint.iacr.org/2019/779.pdf. You can read more at https://hdevalence.ca/blog/2020-10-04-its-25519am. Instead, we'll lock in behavior with #40478. |
|
Minor correction:
This is not the case -- libsodium provably achieves them. The details and proofs of the impact of checks (or lack thereof) were recently given here: https://eprint.iacr.org/2020/823 (or S&P 2021) (and in the previous, "Tamarin" should probably be something else, like a protocol, not a protocol analysis tool) |
Ah, yes, thank you Cas! I was confusedly remembering the pre-1.0.16 behavior, where the check was not complete. Looks like there's also ed25519-dalek’s If an application really needs a
I had that open in a tab but clearly haven't gotten to it yet! Glad it addresses this.
Hah, "Tendermint" of course. Fixed. |
Rejecting low order points is not strictly necessary, but it helps root out behaviors that can come unexpected to protocol designers (like non-contributory DH, or signature:message:key not being 1:1:1). libsodium already does indiscriminately, and we should too.
https://github.com/jedisct1/libsodium/blob/cec56d867f741e66f78b9fde37d9081643599a2a/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c#L90
This was suggested by Cas Cremers and Dennis Jackson as part of their upcoming work on revisiting small subgroup and invalid curve attacks.
The text was updated successfully, but these errors were encountered: