• Breaking News

    Tuesday, June 26, 2018

    Cryptography Zilliqa (ZIL) Price : $0.06714 (6.67%)

    Cryptography Zilliqa (ZIL) Price : $0.06714 (6.67%)


    Zilliqa (ZIL) Price : $0.06714 (6.67%)

    Posted: 26 Jun 2018 01:51 AM PDT

    Critical vulnerability in Monocypher (full disclosure)

    Posted: 25 Jun 2018 01:49 AM PDT

    TL;DR: EdDSA signature verification is broken. Update to version 2.0.4 or 1.1.1 right now.


    Last Wednesday, (06/20), Mike Pechkin informed me that crypto_check() accepted all zero input as valid:

    uint8_t zero[64] = {0}; if (crypto_check(zero, zero, 0, 0)) { printf("Rejected\n"); } else { printf("Accepted\n"); } 

    I initially thought this was because of the all zero public key, which is a low order key. Monocypher makes no guarantee when you verify with a public key that doesn't make sense in the first place. Still, Mike Pechkin found several bugs in earlier versions of Monocypher, I couldn't dismiss his input out of hand. So I tried Libsodium and TweetNaCL. Libsodium, as expected, rejected the input (it has low order checks). My spidey senses went off when I saw that even TweetNaCl rejected the signature.

    So I dug a little deeper, and found on Thursday (06/21) out that Monocypher accepted the signature even with a genuine public key. At this point, I had a critical vulnerability. The first one since 1.0.0. (There was another one before, but Monocypher wasn't deemed ready for production yet.) I offered Mike his bounty, but he gracefully declined.

    Turned out crypto_check() wasn't an easy function to test. Its result is binary (accept or reject), and doesn't give a lot of insight about whatever error may lurk below. Fortunately, it reuse much the same code as crypto_sign(), so there is still little room for error.

    Not zero, though.

    The error was somewhere in the internal function ge_scalarmult_base(): multiplying the base point by zero yielded 0 instead of 1 (in packed form), which causes the rest of the computation to accept the signature. I was pretty surprised, because that function worked correctly for every other scalar. Only zero (and I suspect, but have not verified, 2255-19, L, and a couple others).

    Searching through the git history revealed that the bug was introduced by an optimisation, where I would perform the scalar multiplication in Montgomery space to speed up the computation by a factor of almost 2. I have yet to determine where the error is exactly. I could have screwed up a constant or the conversion algorithm, but this looks unlikely. My current theory is that I ran upon a fundamental limitation of either the conversion mechanism or the multiplication in Montgomery space, one of which just wasn't meant for this edge case for some reason.

    Now it would have been tempting to blacklist zero and other suspicious scalars. But since I don't understand the math behind this problem, I judged the approach unsafe. Instead, I just reverted the optimisation. The fix is available on version 2.0.4, and 1.1.1 (in case anyone is still using that old branch).

    The speed of EdDSA is now halved, so I'm not too happy about it. I do plan to re-introduce the optimisation later, but I'll need expert advice about how to deal with the edge cases correctly.


    Note that Monocypher still accepts non-sensical signatures when the public key is all zero. I was right about low order points. The reason why TweetNaCl didn't accept it was mere chance, because it used a different hash. Toggling the -DED25519_SHA512 flag for monocypher (to replace Blake2 by SHA512 for full Ed25519 compatibility) gives the same results as TweetNaCl, down to the internal buffer. Likewise, TweetNacl behave the same as Monocypher when we replace SHA-512 by Blake2b.

    submitted by /u/loup-vaillant
    [link] [comments]

    Want to learn Quantum Computing?

    Posted: 25 Jun 2018 05:44 AM PDT

    Hello!

    If you're reading this, you're most likely interested in learning about quantum computing; however, you might not be sure how to get started because of a lack of people to work with, lack of direction, and maybe even a lack of a bit of background knowledge.

    I've created a subreddit, /r/MikeAndIke, which will enable people with the desire to learn about quantum computing to come together and learn, generally directed (though not entirely restricted) by the book Quantum Computation and Quantum Information by Michael A. Nielsen and Isaac L. Chuang (hence the name, Mike & Ike).

    I'm very new to reddit in general, and so I'm extremely new to running a subreddit. But, I hope that together we can make this a great learning experience for each other! Let me know if you have any questions or any other comments, feel free to spread the word to people you think may be interested, and I'll continue to look forward to your arrival! :D

    -Foobanana (the real one)

    P.S. - This is the first time I've advertised on this sub, but I fully leave it to the moderators to determine whether or not I'm spamming the sub, and to please feel free to remove my post if they deem this to be the case!

    submitted by /u/realFoobanana
    [link] [comments]

    No comments:

    Post a Comment