Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

330 zeroize #511

Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open

330 zeroize #511

wants to merge 21 commits into from

Conversation

hridambasu
Copy link

Closes #330

@hridambasu hridambasu requested a review from gatoWololo December 7, 2023 16:20
k,
rho,
k: k.into(),
rho: rho.into(),

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if this is the right place to convert from a Nonce to a SecretNonce. For example, rho is generated above in the EncryptionKey::encrypt function, this function create a regular Nonce. The encrypt function uses the nonce like so let c = self.encrypt_with_nonce(x, &MaskedNonce(nonce.clone()))?;. Here, we are cloning the nonce. Since this is not a SecretNonce it will go out of scope without getting zeroized. So we have a copy of rho lingering in memory.

I believe we need to handle these cases as well? Otherwise, what is the point of zeroizing here but not there?

@@ -1037,7 +1037,8 @@ impl PresignKeyShareAndInfo {
rng,
)?;
let mut transcript = Transcript::new(b"PiLogProof");
let secret = ProverSecret::new(&sender_r1_priv.gamma, &sender_r1_priv.nu);
let nonce_clone = &sender_r1_priv.nu.get_nonce().clone();

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here you are taking a SecretNonce, accessing the underlying Nonce and cloning it. So now we have a copy of nu that won't get zeroized. This seems like a security issue? We should either:

  1. Fix this to not create a non-Secret copy. The best way to fix this, is probably to have ProverSecret use a SecretNonce instead of a Nonce.
  2. If we really do want to convert a SecretNonce -> Nonce we should have a comment justifying why it is okay.

@gatoWololo gatoWololo self-requested a review December 20, 2023 21:06
Copy link

@gatoWololo gatoWololo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just went through and reviewed again. There are still some issues we should fix before merging this. I left new comments for those. Additionally:

  • There is some commented out code on this PR. Please delete those.
  • We should move the SecretBigNumber, SecretNonce, and SecreteScalar to a more appropriate location. I recommend the src/utils.rs file.

@gatoWololo
Copy link

I "marked as resolved" the original comments that have been fixed. I left some open that we are still no handling.

We need to decide how to handle those comments even if we don't plan on fixing it as part of this PR? We could move some of this comments as comments in the code? @hridambasu @cryptograph thoughts?

Cargo.toml Outdated
@@ -21,6 +21,7 @@ displaydoc = { version = "0.2", default-features = false }
flame = { version = "0.2", optional = true }
flamer = { version = "0.3", optional = true }
generic-array = "0.14"
#gmp-mpfr-sys = { version = "1.4", features = ["use-system-libs"] }

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove commented out dependency.

src/paillier.rs Outdated
@@ -9,6 +9,8 @@ use crate::{
parameters::PRIME_BITS,
utils::{modpow, random_bn_in_z_star, CRYPTOGRAPHIC_RETRY_MAX},
};
//use crate::presign::round_three::SecretBigNumber;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove commented out imports.

src/paillier.rs Outdated
@@ -134,6 +136,7 @@ impl EncryptionKey {
// `encrypt_with_nonce`.
let nonce =
random_bn_in_z_star(rng, self.modulus()).map_err(|_| PaillierError::RetryFailed)?;
//let secretnonce = SecretBigNumber::from_number(nonce);

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove commented out code.

@@ -19,8 +19,8 @@
mod input;
mod participant;
mod record;
mod round_one;
mod round_three;
pub(crate) mod round_one;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These two modules were made pub(crate) since the Secret* types are defined in them. As we talked about, I think this is the wrong place for these types and we should move them. Once they are moved, this change can be reverted (will make a separate comment for that).

@@ -1141,7 +1157,10 @@ impl PresignKeyShareAndInfo {
self.aux_info_public.pk(),
&Gamma,
),
ProverSecret::new(&sender_r1_priv.k, &sender_r1_priv.rho),
ProverSecret::new(
&sender_r1_priv.k.get_bignumber_secret().clone(),

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are copying the underlying secret to a non-secret for k and rho. We should comment flagging this fact so we can fix it later.

@@ -22,16 +22,32 @@ use serde::{Deserialize, Serialize};
use std::fmt::Debug;
use zeroize::ZeroizeOnDrop;

use super::round_three::SecretBigNumber;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per my previous comment: We should move the SecretBigNumber, SecretNonce, and SecreteScalar to a more appropriate location. I recommend the src/utils.rs file.

pub nu: Nonce,
#[zeroize(skip)]
pub nu: SecretNonce,
//#[zeroize(skip)]

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove commented out code.

pub G: Ciphertext, // Technically can be public but is only one per party
#[zeroize(skip)]
//#[zeroize(skip)]

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove commented out code.

pub Delta: CurvePoint,
}
#[derive(Clone, ZeroizeOnDrop)]

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move SecretBigNumber to more appropriate file.

@@ -20,16 +20,18 @@ use crate::{
Proof, ProofContext,
},
};
use libpaillier::unknown_order::BigNumber;
//use libpaillier::unknown_order::BigNumber;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove commented out code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Make sure secret and zeroize on drop apply only to lowest-level secret types
2 participants