-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
330 zeroize #511
base: main
Are you sure you want to change the base?
330 zeroize #511
Conversation
src/presign/participant.rs
Outdated
k, | ||
rho, | ||
k: k.into(), | ||
rho: rho.into(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure if this is the right place to convert from a Nonce
to a SecretNonce
. For example, rho
is generated above in the EncryptionKey::encrypt
function, this function create a regular Nonce
. The encrypt
function uses the nonce like so let c = self.encrypt_with_nonce(x, &MaskedNonce(nonce.clone()))?;
. Here, we are cloning the nonce. Since this is not a SecretNonce
it will go out of scope without getting zeroized. So we have a copy of rho
lingering in memory.
I believe we need to handle these cases as well? Otherwise, what is the point of zeroizing here but not there?
src/presign/participant.rs
Outdated
@@ -1037,7 +1037,8 @@ impl PresignKeyShareAndInfo { | |||
rng, | |||
)?; | |||
let mut transcript = Transcript::new(b"PiLogProof"); | |||
let secret = ProverSecret::new(&sender_r1_priv.gamma, &sender_r1_priv.nu); | |||
let nonce_clone = &sender_r1_priv.nu.get_nonce().clone(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here you are taking a SecretNonce
, accessing the underlying Nonce
and cloning it. So now we have a copy of nu
that won't get zeroized. This seems like a security issue? We should either:
- Fix this to not create a non-Secret copy. The best way to fix this, is probably to have
ProverSecret
use aSecretNonce
instead of aNonce
. - If we really do want to convert a
SecretNonce
->Nonce
we should have a comment justifying why it is okay.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just went through and reviewed again. There are still some issues we should fix before merging this. I left new comments for those. Additionally:
- There is some commented out code on this PR. Please delete those.
- We should move the SecretBigNumber, SecretNonce, and SecreteScalar to a more appropriate location. I recommend the
src/utils.rs
file.
I "marked as resolved" the original comments that have been fixed. I left some open that we are still no handling. We need to decide how to handle those comments even if we don't plan on fixing it as part of this PR? We could move some of this comments as comments in the code? @hridambasu @cryptograph thoughts? |
Cargo.toml
Outdated
@@ -21,6 +21,7 @@ displaydoc = { version = "0.2", default-features = false } | |||
flame = { version = "0.2", optional = true } | |||
flamer = { version = "0.3", optional = true } | |||
generic-array = "0.14" | |||
#gmp-mpfr-sys = { version = "1.4", features = ["use-system-libs"] } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove commented out dependency.
src/paillier.rs
Outdated
@@ -9,6 +9,8 @@ use crate::{ | |||
parameters::PRIME_BITS, | |||
utils::{modpow, random_bn_in_z_star, CRYPTOGRAPHIC_RETRY_MAX}, | |||
}; | |||
//use crate::presign::round_three::SecretBigNumber; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove commented out imports.
src/paillier.rs
Outdated
@@ -134,6 +136,7 @@ impl EncryptionKey { | |||
// `encrypt_with_nonce`. | |||
let nonce = | |||
random_bn_in_z_star(rng, self.modulus()).map_err(|_| PaillierError::RetryFailed)?; | |||
//let secretnonce = SecretBigNumber::from_number(nonce); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove commented out code.
@@ -19,8 +19,8 @@ | |||
mod input; | |||
mod participant; | |||
mod record; | |||
mod round_one; | |||
mod round_three; | |||
pub(crate) mod round_one; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These two modules were made pub(crate) since the Secret* types are defined in them. As we talked about, I think this is the wrong place for these types and we should move them. Once they are moved, this change can be reverted (will make a separate comment for that).
@@ -1141,7 +1157,10 @@ impl PresignKeyShareAndInfo { | |||
self.aux_info_public.pk(), | |||
&Gamma, | |||
), | |||
ProverSecret::new(&sender_r1_priv.k, &sender_r1_priv.rho), | |||
ProverSecret::new( | |||
&sender_r1_priv.k.get_bignumber_secret().clone(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are copying the underlying secret to a non-secret for k
and rho
. We should comment flagging this fact so we can fix it later.
@@ -22,16 +22,32 @@ use serde::{Deserialize, Serialize}; | |||
use std::fmt::Debug; | |||
use zeroize::ZeroizeOnDrop; | |||
|
|||
use super::round_three::SecretBigNumber; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per my previous comment: We should move the SecretBigNumber, SecretNonce, and SecreteScalar to a more appropriate location. I recommend the src/utils.rs file.
src/presign/round_one.rs
Outdated
pub nu: Nonce, | ||
#[zeroize(skip)] | ||
pub nu: SecretNonce, | ||
//#[zeroize(skip)] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove commented out code.
src/presign/round_one.rs
Outdated
pub G: Ciphertext, // Technically can be public but is only one per party | ||
#[zeroize(skip)] | ||
//#[zeroize(skip)] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove commented out code.
pub Delta: CurvePoint, | ||
} | ||
#[derive(Clone, ZeroizeOnDrop)] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move SecretBigNumber to more appropriate file.
src/presign/round_two.rs
Outdated
@@ -20,16 +20,18 @@ use crate::{ | |||
Proof, ProofContext, | |||
}, | |||
}; | |||
use libpaillier::unknown_order::BigNumber; | |||
//use libpaillier::unknown_order::BigNumber; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove commented out code.
Closes #330