JubJubScalar - stack overflow on random function #25

Closed
vlopes11 opened this issue Jul 29, 2020 · 0 comments · Fixed by #26
vlopes11 commented Jul 29, 2020

There is a bug in the random function for JubJubScalar. Here is how to reproduce it:

// Reproducer: needs the `rand` crate for `thread_rng()`.
use dusk_jubjub::Fr;

fn main() {
    let mut rng = rand::thread_rng();

    // Never returns: the call below overflows the stack.
    Fr::random(&mut rng);
}

The snippet above will panic with "thread 'main' has overflowed its stack".

The implementation of fn random is as follows:

    /// Generate a valid Scalar chosen uniformly using the user-
    /// provided rng.
    ///
    /// By `rng` we mean any Rng that implements: `Rng` + `CryptoRng`.
    pub fn random<T>(rand: &mut T) -> Fr
    where
        T: RngCore + CryptoRng,
    {
        let mut bytes = [0u8; 32];
        rand.fill_bytes(&mut bytes);
        // Ensure that the value is lower than `L`.
        bytes[31] &= 0b0000_0001;
        // If decoding fails, retry by recursing into `random` itself.
        // There is no bound on the retries, so repeated failures keep
        // growing the stack until it overflows (the panic reported above).
        Fr::from_bytes(&bytes).unwrap_or_else(|| Fr::random(rand))
    }

The reason for this bug is another bug inside of subtle. This is not a proper approach, since when the unwrap fails the function will recursively call itself until the stack overflows. The following code fails:

use subtle::{Choice, CtOption};

fn main() {
    let tmp = 32u64;
    let is_some = 1u8;
    // A CtOption flagged as "some": unwrapping it should yield `tmp`.
    let t = CtOption::new(tmp, Choice::from(is_some));
    // The closure should never run, yet this panics with "Fail".
    t.unwrap_or_else(|| panic!("Fail"));
}

It should obviously work since is_some is set to 1u8. The root of the problem is the implementation of unwrap_or_else on subtle.

Subtle is beyond our scope. A secure quick fix for this is the following:

    /// Generate a valid Scalar chosen uniformly using the user-
    /// provided rng.
    ///
    /// By `rng` we mean any Rng that implements: `Rng` + `CryptoRng`.
    pub fn random<T>(rand: &mut T) -> Fr
    where
        T: RngCore + CryptoRng,
    {
        let mut bytes = [0u8; 32];
        rand.fill_bytes(&mut bytes);
        // Ensure that the value is lower than `L`.
        bytes[31] &= 0b0000_0001;

        // `unwrap_or` takes a value rather than a closure, so the wide
        // draw below is evaluated eagerly (64 extra bytes are consumed
        // from `rand` on every call) and nothing recurses.
        Fr::from_bytes(&bytes).unwrap_or({
            let mut bytes = [0u8; 64];
            rand.fill_bytes(&mut bytes);
            Fr::from_bytes_wide(&bytes)
        })
    }

The from_bytes_wide function will safely reduce a wide set of bytes to a JubJubScalar.
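As an added example (not dusk-jubjub's or subtle's code), here are the two sampling strategies the issue contrasts, on a constructed toy 61-bit field with a constructed xorshift "RNG" so it runs without external crates: a rejection loop with an explicit retry bound that returns None instead of recursing, and a wide reduction that never needs a fallback at all.

```rust
// Toy modulus standing in for JubJub's `r`: 2^61 - 1, a Mersenne prime (constructed).
const R: u64 = (1u64 << 61) - 1;

/// Minimal deterministic stand-in for `RngCore::fill_bytes` (not cryptographic).
pub struct XorShift64(pub u64);
impl XorShift64 {
    pub fn fill_bytes(&mut self, out: &mut [u8]) {
        for chunk in out.chunks_mut(8) {
            let mut x = self.0;
            x ^= x << 13; x ^= x >> 7; x ^= x << 17;
            self.0 = x;
            let b = x.to_le_bytes();
            chunk.copy_from_slice(&b[..chunk.len()]);
        }
    }
}

/// Canonical decoding: 8 little-endian bytes, rejected when >= R.
/// This is the fallible step the original `random` retried by recursing.
pub fn from_bytes(bytes: &[u8; 8]) -> Option<u64> {
    let v = u64::from_le_bytes(*bytes);
    if v < R { Some(v) } else { None }
}

/// Wide reduction: 16 bytes read as a u128 and reduced mod R. It cannot fail,
/// and its bias relative to uniform is about R / 2^128 (roughly 2^-67), so no
/// retry path is needed. This is the shape of `from_bytes_wide` in the fix.
pub fn from_bytes_wide(bytes: &[u8; 16]) -> u64 {
    (u128::from_le_bytes(*bytes) % (R as u128)) as u64
}

/// Rejection sampling with a bounded loop instead of recursion: a fallback that
/// keeps failing returns None rather than growing the stack until it overflows.
pub fn random_rejection(rng: &mut XorShift64, max_tries: usize) -> Option<u64> {
    let mut bytes = [0u8; 8];
    for _ in 0..max_tries {
        rng.fill_bytes(&mut bytes);
        if let Some(v) = from_bytes(&bytes) {
            return Some(v);
        }
    }
    None
}

/// The wide alternative: a single draw that is always a valid field element.
pub fn random_wide(rng: &mut XorShift64) -> u64 {
    let mut bytes = [0u8; 16];
    rng.fill_bytes(&mut bytes);
    from_bytes_wide(&bytes)
}
```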

vlopes11 added a commit that referenced this issue Jul 29, 2020
Subtle contains a bug when generating CtOption and unwrapping it. An
alternative is to work with wide bytes so the scalar reduction will
never fail.
vlopes11 added a commit that referenced this issue Jul 29, 2020
JubJubScalar - stack overflow on random function (#25)
@vlopes11 vlopes11 mentioned this issue Aug 13, 2020