Skip to content
This repository has been archived by the owner on Jun 3, 2020. It is now read-only.

tendermint-rs: Reject low order points (fixes #142) #279

Merged

Conversation

tarcieri
Copy link
Contributor

This is a belt-and-suspenders approach which adds both a blacklist of points with low-order elements (sourced from the Curve25519 web site) as well as a check for all-zero outputs from X25519.

The primary rationale for the first comes from the "May the Fourth" paper:

https://eprint.iacr.org/2017/806.pdf

From Section 5 (under "Rejecting Known Bad Points"):

To protect against small subgroup attacks against Curve25519 and
related curves that have a small set of low-order elements, an
implementation can simply check if the received public key is in the
set. Bernstein [12] provides a full list of these points for
Curve25519, but suggests that rejecting these points is only necessary
for protocols that wish to ensure “contributory” behavior. Langley and
Hamburg [53] have a similar suggestion. We argue that rejecting these
points would also give better side-channel protection. While this
protection may seem unnecessary when used with constant-time code, as
Kaufmann et al. [50] demonstrate, constant-time code is fragile and
may fail to provide adequate protection.

Namely, as noted above, using a blacklist prevents the X25519 operation from ever occurring, meaning the attacker-controlled point never interacts with the D-H secret scalars.

Additionally, this change adds a constant-time check to ensure the computed shared secret is all zeroes. This shouldn't strictly be necessary if Secret Connection transcripts were't malleable (see #254), for example, the Noise protocol tolerates outputs of zero, because attacker malfeasance is caught via a transcript hash mismatch.

The "Prime, Order Please!" paper describes Tamarin proofs of the security of the Tendermint Secret Connection protocol, showing that either the addition of transcript hasing, or explicit checks for low
order points are sufficient for the desired security properties:

https://eprint.iacr.org/2019/526.pdf

This is a belt-and-suspenders approach which adds both a blacklist of
points with low-order elements (sourced from the Curve25519 web site)
as well as a check for all-zero outputs from X25519.

The primary rationale for the first comes from the "May the Fourth" paper:

<https://eprint.iacr.org/2017/806.pdf>

From Section 5 (under "Rejecting Known Bad Points"):

> To protect against small subgroup attacks against Curve25519 and
> related curves that have a small set of low-order elements, an
> implementation can simply check if the received public key is in the
> set. Bernstein [12] provides a full list of these points for
> Curve25519, but suggests that rejecting these points is only necessary
> for protocols that wish to ensure “contributory” behavior. Langley and
> Hamburg [53] have a similar suggestion. We argue that rejecting these
> points would also give better side-channel protection. While this
> protection may seem unnecessary when used with constant-time code, as
> Kaufmann et al. [50] demonstrate, constant-time code is fragile and
> may fail to provide adequate protection.

Namely, as noted above, using a blacklist prevents the X25519 operation
from ever occuring, meaning the attacker-controlled point never
interacts with the D-H secret scalars.

Additionally, this change adds a constant-time check to ensure the
computed shared secret is all zeroes. This shouldn't strictly be
necessary if Secret Connection transcripts were't malleable (see #254),
for example, the Noise protocol tolerates outputs of zero, because
attacker malfeasance is caught via a transcript hash mismatch.

The "Prime, Order Please!" paper describes Tamarin proofs of the
security of the Tendermint Secret Connection protocol, showing that
either the addition of transcript hasing, or explicit checks for low
order points are sufficient for the desired security properties:

<https://eprint.iacr.org/2019/526.pdf>
@tarcieri tarcieri merged commit 72ac6ae into master Jun 24, 2019
@tarcieri tarcieri deleted the tendermint-rs/secret-conneciton-low-order-points-check branch June 24, 2019 23:37
@tarcieri tarcieri mentioned this pull request Jun 24, 2019
@tarcieri tarcieri added the security Security-critical issues label Jul 25, 2019
@tarcieri tarcieri mentioned this pull request Jul 25, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
security Security-critical issues
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants