Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Diffie-Hellman results are parsed as scalars during output recovery #4717

Closed
AaronFeickert opened this issue Sep 21, 2022 · 1 comment · Fixed by #4847
Closed

Diffie-Hellman results are parsed as scalars during output recovery #4717

AaronFeickert opened this issue Sep 21, 2022 · 1 comment · Fixed by #4847
Labels
A-wallet Area - related to the wallet C-bug Category - fixes a bug, typically associated with an issue.
Milestone
Stagenet Freeze

Comments

@AaronFeickert
Copy link
Collaborator

AaronFeickert commented Sep 21, 2022
edited
Loading

When scanning for one-sided outputs, the client computes a Diffie-Hellman shared secret, serializes it to bytes, and then parses the bytes using modular reduction to a scalar. This scalar is then hashed and parsed as a scalar for use in commitment mask extraction. That scalar is then hashed again, parsed as a scalar, and used as input to a KDF for value decryption.

The relevant code:

While Diffie-Hellman exchange results are uniformly-distributed group elements, they need not be uniformly-distributed byte arrays. Performing scalar reduction prior to the other operations used for key derivation is nonstandard and could lead to collisions. A more standard and safe approach could be the following:

  • Use the exchange result directly as input to the value encryption KDF
  • If mask extraction is not guaranteed to provide its own KDF (with scalar output) for the rewind key, use the exchange result directly as input to a scalar-output KDF to produce the rewind key; otherwise, it may be safe to pass the exchange result directly to the extractor

Note that this should not apply to the method used for detecting stealth address matching. That code hashes the shared secret prior to parsing as a scalar.
@hansieodendaal hansieodendaal moved this from Bugs to Backlog in Tari Esme Testnet Oct 6, 2022
@AaronFeickert
Copy link
Collaborator Author

Currently working on a fix for this. It uses separate KDFs that each take the shared secret as input: one for the spending key, another for the rewind key, and a third for the encryption key. This also takes advantage of the new DiffieHellmanSharedSecret type.

@AaronFeickert AaronFeickert mentioned this issue Oct 24, 2022
Merged
@stringhandler stringhandler added C-bug Category - fixes a bug, typically associated with an issue. A-wallet Area - related to the wallet labels Nov 7, 2022
@stringhandler stringhandler added this to the Stagenet Freeze milestone Nov 7, 2022
stringhandler pushed a commit that referenced this issue Nov 8, 2022
@AaronFeickert
fix(wallet)!: use KDFs on ECDH shared secrets (#4847)
3d1a51c 
Description
---
Uses KDFs on ECDH shared secrets for output generation. Closes [issue 4717](#4717).

Motivation and Context
---
Several uses of ECDH shared secrets in the output manager and transaction services parse an ECDH shared secret as a scalar spending key, and use this as input to a chain of hash functions for use in rewinding and value encryption. This is non-standard.

This work uses separate KDFs to independently produce a spending key, rewind key, and value encryption key from a `DiffieHellmanSharedSecret`-type ECDH shared secret.

How Has This Been Tested?
---
Existing tests pass.

BREAKING CHANGE: Changes the way output keys are derived.
Repository owner moved this from Backlog to Done in Tari Esme Testnet Nov 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-wallet Area - related to the wallet C-bug Category - fixes a bug, typically associated with an issue.
Projects
Tari Esme Testnet
Archived in project
Milestone
Stagenet Freeze
Development

Successfully merging a pull request may close this issue.

fix(wallet)!: use KDFs on ECDH shared secrets AaronFeickert/tari
2 participants
@stringhandler @AaronFeickert