author | Jeff Burdges <burdges@gnunet.org> | 2016-05-30 15:54:56 +0000 |
committer | Jeff Burdges <burdges@gnunet.org> | 2016-05-30 15:54:56 +0000 |
commit | afb40a6d7a49d2608b709d6e8863675a6a301c99 (patch) | |
tree | 26c97c0217311d2313ecac5daa853d428ecf9025 /src/util/test_crypto_rsa.c | |
parent | 295a7ab56564369098a12e2cc39fac0d5225c465 (diff) | |
download | gnunet-afb40a6d7a49d2608b709d6e8863675a6a301c99.tar.gz gnunet-afb40a6d7a49d2608b709d6e8863675a6a301c99.zip |
Use a uniform random number mod an RSA composites for both
the blinding factor and the full domain hash.
This resolves an attack against the blinding factor in Taler:
There was a call to GNUNET_CRYPTO_kdf in
bkey = rsa_blinding_key_derive (len, bks);
that gives exactly len bits where
len = GNUNET_CRYPTO_rsa_public_key_len (pkey);
Now r = 2^(len-1)/pkey.n is the probability that a set high bit being
okay, meaning bkey < pkey.n. It follows that (1-r)/2 of the time bkey >
pkey.n making the effective bkey be
bkey mod pkey.n = bkey - pkey.n
so the effective bkey has its high bit set with probability r/2.
We expect r to be close to 1/2 if the exchange is honest, but the
exchange can choose r otherwise.
In blind signing, the exchange sees
B = bkey * S mod pkey.n
On deposit, the exchange sees S so they can compute bkey' = B/S mod
pkey.n for all B they recorded to see if bkey' has its high bit set.
Also, note the exchange can compute 1/S efficiently since they know the
factors of pkey.n.
I suppose that happens with probability r/(1+r) if its the wrong B, not
completely sure. If otoh we've the right B, then we've the probability
r/2 of a set high bit in the effective bkey.
Interestingly, r^2-r has a maximum at the default r=1/2 anyways, giving
the wrong and right probabilities 1/3 and 1/4, respectively.
I fear this gives the exchange a meaningful fraction of a bit of
information per coin involved in the transaction. It sounds damaging if
numerous coins were involved. And it could run across transactions in
some scenarios.
I suspect we need a more uniform deterministic pseudo-random number
generator for blinding factors. Just fyi, our old call to
gcry_mpi_randomize had this same problem.
I do not believe this caused a problem for the full domain hash, but
we can fix it easily enough anyways.
Diffstat (limited to 'src/util/test_crypto_rsa.c')
-rw-r--r-- | src/util/test_crypto_rsa.c | 17 |
1 files changed, 1 insertions, 16 deletions
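--- a/src/util/test_crypto_rsa.c
+++ b/src/util/test_crypto_rsa.c
@@ -18,6 +18,7 @@
  * @file util/test_crypto_rsa.c
  * @brief testcase for utility functions for RSA cryptography
  * @author Sree Harsha Totakura <sreeharsha@totakura.in>
+ * @author Jeffrey Burdges <burdges@gnunet.org>
  */
 #include "platform.h"
 #include <gcrypt.h>
@@ -26,13 +27,6 @@
 #define KEY_SIZE 1024
 
 
-gcry_error_t
-rsa_full_domain_hash (gcry_mpi_t *r,
-                      const struct GNUNET_HashCode *hash,
-                      const struct GNUNET_CRYPTO_RsaPublicKey *pkey,
-                      size_t *rsize);
-
-
 int
 main (int argc,
       char *argv[])
@@ -50,7 +44,6 @@ main (int argc,
   struct GNUNET_HashCode hash;
   char *blind_buf;
   size_t bsize;
-  gcry_mpi_t v;
 
   GNUNET_log_setup ("test-rsa", "WARNING", NULL);
   GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
@@ -82,14 +75,6 @@ main (int argc,
   (void) fprintf (stderr, "The above warning is expected.\n");
   GNUNET_free (enc);
 
-  /* test full domain hash size */
-  GNUNET_assert (0 == rsa_full_domain_hash (&v, &hash, pub, NULL));
-  GNUNET_assert (gcry_mpi_get_nbits(v) < KEY_SIZE);
-  gcry_mpi_clear_highbit (v, gcry_mpi_get_nbits(v)-1); /* clear the set high bit */
-  GNUNET_assert (gcry_mpi_get_nbits(v) > 3*KEY_SIZE/4);
-  /* This test necessarily randomly fails with probability 2^(3 - KEY_SIZE/4) */
-  gcry_mpi_release(v);
-
   /* try ordinary sig first */
   sig = GNUNET_CRYPTO_rsa_sign_fdh (priv,
                                     &hash);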
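Review bot: The only direct check on the full-domain-hash output, the size assertions formerly between `GNUNET_free (enc);` and `/* try ordinary sig first */`, is dropped without any replacement, so the uniform-mod-n behaviour that this commit introduces for both the FDH value and the blinding factor has no regression test in this file. The commit message describes a real leak (a biased high bit observable by the signer across many coins), which is exactly the kind of property that silently regresses, so at minimum the test should assert that a derived value is strictly below the modulus, and ideally derive it for a handful of distinct hashes and check that the top bit is neither always set nor always clear. Whether `rsa_full_domain_hash` is still reachable from here is not visible in this hunk now that its forward declaration is gone; if it became file-local in crypto_rsa.c, the same check can be made through whatever public derivation entry point the library exposes, with a one-line comment such as `/* regression: derived values must be uniform mod pkey.n, see commit afb40a6d */` explaining why the check exists. The body of `main` starts and ends outside this hunk.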