This repository has been archived by the owner on Jun 3, 2020. It is now read-only.
introduces transcipt hashing to secret connection. #254
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Breaks compatibility with legacy secret connection
tarcieri
pushed a commit
that referenced
this pull request
Jun 24, 2019
This is a belt-and-suspenders approach which adds both a blacklist of points with low-order elements (sourced from the Curve25519 web site) as well as a check for all-zero outputs from X25519. The primary rationale for the first comes from the "May the Fourth" paper: <https://eprint.iacr.org/2017/806.pdf> From Section 5 (under "Rejecting Known Bad Points"): > To protect against small subgroup attacks against Curve25519 and > related curves that have a small set of low-order elements, an > implementation can simply check if the received public key is in the > set. Bernstein [12] provides a full list of these points for > Curve25519, but suggests that rejecting these points is only necessary > for protocols that wish to ensure “contributory” behavior. Langley and > Hamburg [53] have a similar suggestion. We argue that rejecting these > points would also give better side-channel protection. While this > protection may seem unnecessary when used with constant-time code, as > Kaufmann et al. [50] demonstrate, constant-time code is fragile and > may fail to provide adequate protection. Namely, as noted above, using a blacklist prevents the X25519 operation from ever occuring, meaning the attacker-controlled point never interacts with the D-H secret scalars. Additionally, this change adds a constant-time check to ensure the computed shared secret is all zeroes. This shouldn't strictly be necessary if Secret Connection transcripts were't malleable (see #254), for example, the Noise protocol tolerates outputs of zero, because attacker malfeasance is caught via a transcript hash mismatch. The "Prime, Order Please!" paper describes Tamarin proofs of the security of the Tendermint Secret Connection protocol, showing that either the addition of transcript hasing, or explicit checks for low order points are sufficient for the desired security properties: <https://eprint.iacr.org/2019/526.pdf>
Closed
|
This PR needs to get reopened here as the relevant code has moved: |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Breaks compatibility with legacy secret connection.
Companion to tendermint/tendermint#3668
Integration tests should fail.