This repository has been archived by the owner on Jun 3, 2020. It is now read-only.
tendermint-rs: Reject low order points (fixes #142) #279
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a belt-and-suspenders approach which adds both a blacklist of points with low-order elements (sourced from the Curve25519 web site) as well as a check for all-zero outputs from X25519.
The primary rationale for the first comes from the "May the Fourth" paper:
https://eprint.iacr.org/2017/806.pdf
From Section 5 (under "Rejecting Known Bad Points"):
Namely, as noted above, using a blacklist prevents the X25519 operation from ever occurring, meaning the attacker-controlled point never interacts with the D-H secret scalars.
Additionally, this change adds a constant-time check to ensure the computed shared secret is all zeroes. This shouldn't strictly be necessary if Secret Connection transcripts were't malleable (see #254), for example, the Noise protocol tolerates outputs of zero, because attacker malfeasance is caught via a transcript hash mismatch.
The "Prime, Order Please!" paper describes Tamarin proofs of the security of the Tendermint Secret Connection protocol, showing that either the addition of transcript hasing, or explicit checks for low
order points are sufficient for the desired security properties:
https://eprint.iacr.org/2019/526.pdf