Skip to content

Fix diffie hellman computation #177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 8, 2025
Merged

Fix diffie hellman computation #177

merged 2 commits into from
Apr 8, 2025

Conversation

@threema-theo
Copy link
Contributor

@threema-theo threema-theo commented Apr 8, 2025
edited
Loading

crypto_box currently uses the * operator directly to multiply the secret_key.scalar and the public_key.0.
This results in a minor incompatibility with libsodium, especially for specially drafted public keys.

This MR adds

  1. a test for one such special case, i.e., the public key being on the twist of a curve. Along with this comes the function of generating the ciphertext with libsodium, see test-vector-gen/src/crypto_box.rs. This test is taken from bleichenbacher-daniel/Rooterberg.
  2. a fix for the Diffie-Hellman computation that essentially copies the code for multiplication from x25519_dalek.

To reproduce the issue, clone this repository, and run the tests.

  • Without the fix (second commit), the tests fail.
  • With the fix, the tests succeed.

@tarcieri tarcieri merged commit 20be967 into RustCrypto:master Apr 8, 2025
11 checks passed
@threema-theo
Copy link
Contributor Author

threema-theo commented Apr 9, 2025

Thanks for the fast merging!

We have a security audit we would like to share with you. As this MR solved the only issue ( 🎉 ), we could directly include the fix. For that we would need a release first. Otherwise, we can share the audit as it is. Please tell me your preference.

On a side note, the security advisory URL https://github.com/RustCrypto/nacl-compat/security/advisories/new is broken. How should we send you the audit?

@tarcieri
Copy link
Member

tarcieri commented Apr 10, 2025

We have a security audit we would like to share with you. As this MR solved the only issue ( 🎉 ), we could directly include the fix. For that we would need a release first. Otherwise, we can share the audit as it is. Please tell me your preference.

Will try to cut a new release soon

On a side note, the security advisory URL https://github.com/RustCrypto/nacl-compat/security/advisories/new is broken. How should we send you the audit?

Please open a separate issue with screenshots that illustrate whatever problem you're having. The link works for me.

@tarcieri tarcieri mentioned this pull request Sep 29, 2025
Merged
@dignifiedquire
Copy link
Member

dignifiedquire commented Sep 29, 2025

This change actually breaks basic usage with ed25519-dalek: #182

@tarcieri
Copy link
Member

tarcieri commented Sep 29, 2025

Not sure what to do about that. We may need to add first-class support for Ed25519.

@dignifiedquire
Copy link
Member

dignifiedquire commented Sep 29, 2025

what I don't quite understand is why does this fail in conjunction with ed25519-dalek but seems to be fine in other use cases

@tarcieri
Copy link
Member

tarcieri commented Sep 29, 2025

I believe it's because the Ed25519 scalar has already been clamped.

Clamping can make the Edwards -> Montgomery equivalence somewhat difficult to use

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tarcieri tarcieri tarcieri approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@threema-theo @tarcieri @dignifiedquire