How do I add key commitment to my AEAD scheme in 2023?
While working on my master’s thesis, I investigated some recently proposed constructions that turn AEADs into key-committing or fully-committing ones. Key commitment has recently gotten a lot more attention, and I therefore expect this post to become outdated quite soon as new research emerges. This post serves as a quick collection of personal notes and pointers that may help someone looking to add key commitment to their AEAD scheme today....
Notes on point compression with P384/secp384r1
Public keys represent a point on the curve, given as a pair of ($x$, $y$) coordinates. In uncompressed form ([1], sec 2.3.4), a public key is encoded as bytes with the identifier 0x04 prepended to both coordinates: pk := 0x04 || x || y. However, it is not required to store the $y$-coordinate in order to use the public key. The compressed form leaves out $y$ and instead records its parity in the leading byte, indicating whether $y$ is even or odd....
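The encoding and decoding described above, as an added example that is not code from the original post: standard-library Python against the P-384 domain parameters from SEC 2 (function names are my own). SEC 1 uses 0x02 for even $y$ and 0x03 for odd $y$; decompression recovers $y$ as a square root modulo $p$, which is a single exponentiation because $p \equiv 3 \pmod 4$, and must reject an $x$ for which no root exists. The uncompressed decoder also checks the point is on the curve, since a peer-supplied ($x$, $y$) pair need not be.

```python
# Added example: SEC 1 point (de)compression for P-384 / secp384r1, standard library only.
# Domain parameters from SEC 2 / FIPS 186-4 (a = -3); P % 4 == 3, which the sqrt below relies on.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF
GX = 0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7
GY = 0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F
FIELD_BYTES = 48  # ceil(384 / 8)


def on_curve(x: int, y: int) -> bool:
    """Check y^2 == x^3 + a*x + b (mod p) with both coordinates in range."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def encode_uncompressed(x: int, y: int) -> bytes:
    """0x04 || x || y: 97 bytes for P-384."""
    if not on_curve(x, y):
        raise ValueError("not a point on P-384")
    return b"\x04" + x.to_bytes(FIELD_BYTES, "big") + y.to_bytes(FIELD_BYTES, "big")


def compress(x: int, y: int) -> bytes:
    """0x02 || x if y is even, 0x03 || x if y is odd: 49 bytes for P-384."""
    if not on_curve(x, y):
        raise ValueError("not a point on P-384")
    prefix = b"\x02" if y % 2 == 0 else b"\x03"
    return prefix + x.to_bytes(FIELD_BYTES, "big")


def decompress(pk: bytes) -> tuple:
    """Recover (x, y) from a compressed encoding, rejecting anything that is not a curve point."""
    if len(pk) != 1 + FIELD_BYTES or pk[0] not in (0x02, 0x03):
        raise ValueError("not a compressed P-384 point")
    x = int.from_bytes(pk[1:], "big")
    if x >= P:
        raise ValueError("x-coordinate out of range")
    rhs = (pow(x, 3, P) + A * x + B) % P
    # p == 3 (mod 4): if rhs is a square, rhs^((p+1)/4) is one of its two roots.
    y = pow(rhs, (P + 1) // 4, P)
    if (y * y) % P != rhs:
        raise ValueError("x is not the x-coordinate of a point on P-384")
    if y == 0 and pk[0] == 0x03:
        raise ValueError("y = 0 cannot be odd")
    if (y & 1) != (pk[0] & 1):
        y = P - y  # the other root has the opposite parity because p is odd
    return x, y


def decode_uncompressed(pk: bytes) -> tuple:
    """Parse 0x04 || x || y and verify the point is actually on the curve (never skip this check)."""
    if len(pk) != 1 + 2 * FIELD_BYTES or pk[0] != 0x04:
        raise ValueError("not an uncompressed P-384 point")
    x = int.from_bytes(pk[1:1 + FIELD_BYTES], "big")
    y = int.from_bytes(pk[1 + FIELD_BYTES:], "big")
    if not on_curve(x, y):
        raise ValueError("not a point on P-384")
    return x, y


if __name__ == "__main__":
    c = compress(GX, GY)
    assert decompress(c) == (GX, GY)
    assert decode_uncompressed(encode_uncompressed(GX, GY)) == (GX, GY)
    print(f"compressed {len(c)} bytes, uncompressed {len(encode_uncompressed(GX, GY))} bytes")
```

The square-root shortcut only holds for primes congruent to 3 mod 4; P-224, for instance, is 1 mod 4 and needs Tonelli-Shanks instead. Rejecting an $x$ whose right-hand side is a non-residue is what stops a decompressor from silently producing a point on some other curve.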
An audit of the Turtl core library
Link to Turtl’s announcement. Lately, I’ve spent some parts of my evenings poking at Turtl’s core library. Turtl is a note-taking application focused on security, listed on privacytools.io as one of three recommended alternatives to Evernote, Google Keep, or Microsoft OneNote. I’ve collected the findings in a short audit report, which can be found here: audit report link. The work was unpaid, focused primarily on crypto, and done whenever I found the time for it, so it is in no way exhaustive of the entire library....
CVE-2020-36255 and Branca implementations continued
This is a follow-up post to “Rolling your own crypto gone wrong: A look at a .NET Branca implementation”. In short, that post went over several critical issues in a NuGet package that offers authentication token formats, specifically Branca. The package has since fixed the issues in its 1.3.0 release. The issues are tracked under CVE-2020-36255. If you want to read the original issues on GitHub describing the attack, you’ll have to find them on the Wayback Machine here, as they seem to have been deleted from the issue tracker after a CVE was assigned and before NVD finished analyzing it....
Rolling your own crypto gone wrong: A look at a .NET Branca implementation
Introduction Some time back, I was looking at token authentication formats to authenticate some API calls. I didn’t even attempt to look at JWT & Co., for multiple reasons. I landed between PASETO and Branca and chose Branca for its simplicity. I needed authenticated API calls with a shared symmetric key. Both Branca and PASETO implement this using XChaCha20-Poly1305, but PASETO also supports asymmetric authentication, which I didn’t need. I was quite pleased to see how straightforward Branca made it:...
Rust, dudect and constant-time crypto in debug mode
Introduction The following are observations from when I started testing my own pure-Rust crypto library, including its dependencies, for constant-time execution. The post starts with a short introduction to dudect and how it can be used to test code for timing-based side-channel vulnerabilities. It then discusses the process of discovering a short-circuit in dalek-cryptography’s subtle library that resulted in variable-time execution, and how this seems to relate to the Rust codegen option opt-level. DISCLAIMER: The tests and analysis presented in this post were not done by a professional - take everything with a grain of salt....
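The dudect method, as an added illustration that is neither the original post's code nor the dudect project's: the function under test is timed on two classes of input, a fixed class (here, input equal to the secret) and a random class, interleaved in random order so drift affects both equally, and the two timing samples are compared with Welch's t-test. The leaky and constant-time compare functions are constructed for the example; Python is used only to show the statistics, since interpreter timings are noisy and no claim is made about Python being constant-time, so the sketch reports the t value rather than asserting a verdict.

```python
# Added example: a dudect-style leakage test (fixed-vs-random classes, Welch's t) in Python.
import os
import random
import statistics
import time
from typing import Callable, List


def leaky_eq(a: bytes, b: bytes) -> bool:
    """Comparison that returns on the first mismatch: running time depends on where inputs differ."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def ct_eq(a: bytes, b: bytes) -> bool:
    """Comparison that always touches every byte; only the (public) length short-circuits."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def welch_t(xs: List[float], ys: List[float]) -> float:
    """Welch's t statistic between two timing samples; dudect's convention flags |t| > 4.5."""
    n, m = len(xs), len(ys)
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    vx, vy = statistics.variance(xs, mx), statistics.variance(ys, my)
    denom = (vx / n + vy / m) ** 0.5
    return 0.0 if denom == 0 else (mx - my) / denom


def dudect_t(fn: Callable[[bytes, bytes], bool], secret: bytes, n_per_class: int = 2000) -> float:
    """Time fn(secret, input) over two interleaved input classes and return the t value.

    Class 0 (fixed): input == secret, so a leaky compare scans every byte.
    Class 1 (random): fresh random bytes, which a leaky compare usually rejects at byte 0.
    """
    classes = [0, 1] * n_per_class
    random.shuffle(classes)  # random interleaving, as dudect does, so drift hits both classes
    samples = ([], [])
    for cls in classes:
        inp = secret if cls == 0 else os.urandom(len(secret))
        t0 = time.perf_counter_ns()
        fn(secret, inp)
        samples[cls].append(time.perf_counter_ns() - t0)
    return welch_t(samples[0], samples[1])


if __name__ == "__main__":
    secret = os.urandom(32)  # constructed sample secret
    for name, fn in (("leaky_eq", leaky_eq), ("ct_eq", ct_eq)):
        print(f"{name:9s} t = {dudect_t(fn, secret):+.2f}")
```

Real dudect discards the slowest measurements with a set of percentile cut-offs before running the test and keeps sampling until the t value stabilises; both are omitted here. The post's point about opt-level is the reason the harness must run the exact binary you ship: a comparison that is branch-free at one optimisation level can compile to an early-exit branch at another.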
'orion' - yet another attempt at pure-Rust cryptography
What is it? orion is another attempt at cryptography implemented in pure Rust. Its main focus is usability. This is in part achieved by providing thorough documentation of the library. High-level abstractions are also provided, which are an attempt at guiding users towards safe usage of the lower-level functionality of the library. Additionally, types used throughout the library, especially in the high-level interfaces, are designed to increase misuse-resistance. orion itself forbids the use of so-called “unsafe” code, meaning that all memory-safety guarantees provided by Rust are enforced at compile-time (see rust-lang docs)....
Securing HKDF - backdoor resistance using salts
About In the paper “Backdoored Hash Functions: Immunizing HMAC and HKDF” by Marc Fischlin, Christian Janson and Sogol Mazaheri (Ref 1), two solutions are proposed. The first makes HMAC resistant to a backdoored compression function of the hashing primitive by using a random cascade construction that replaces the compression function. The second makes HKDF backdoor-resistant using random salts in the compression function of the hashing primitive, a method first introduced by Shai Halevi and Hugo Krawczyk (Ref 2)....
HMAC optimization - slight performance improvements through precomputation
Background I’ve been working on a project called orion, where I’ve implemented the HMAC algorithm. That project is written in Rust and depends on the std library, which means I’m unable to run that code on embedded devices. After reviewing my own code a couple of times, I started to notice some patterns in the HMAC implementation that seemed repetitive. So I set out to implement HMAC again, without the repetitive patterns, as something that could run on embedded devices....
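The standard HMAC precomputation, as an added Python example rather than orion's code (class and method names are mine): HMAC(K, m) = H((K' ^ opad) || H((K' ^ ipad) || m)), and the two one-block keyed prefixes depend only on K, so their hash states can be absorbed once and cloned per message, saving one compression-function call per prefix for every MAC. It is checked against the standard library's hmac.

```python
# Added example: HMAC with the key-dependent prefix states precomputed and cloned per message.
import hashlib
import hmac


class PrecomputedHmac:
    """HMAC (RFC 2104) where the work depending only on the key is done once in __init__."""

    IPAD = 0x36
    OPAD = 0x5C

    def __init__(self, key: bytes, digestmod=hashlib.sha256):
        block_size = digestmod().block_size  # 64 for SHA-256, 128 for SHA-512
        if len(key) > block_size:
            key = digestmod(key).digest()   # longer keys are hashed first ...
        key = key.ljust(block_size, b"\x00")  # ... and then zero-padded to one block
        # These two states are key material: protect and discard them as you would the key.
        self._inner = digestmod(bytes(b ^ self.IPAD for b in key))  # state after K' ^ ipad
        self._outer = digestmod(bytes(b ^ self.OPAD for b in key))  # state after K' ^ opad

    def mac(self, msg: bytes) -> bytes:
        inner = self._inner.copy()  # clone so the stored state stays at "just after K' ^ ipad"
        inner.update(msg)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.mac(msg), tag)


def reference_hmac(key: bytes, msg: bytes, digestmod=hashlib.sha256) -> bytes:
    """Standard-library HMAC, used to check the precomputed variant."""
    return hmac.new(key, msg, digestmod).digest()


if __name__ == "__main__":
    key = b"constructed example key"
    h = PrecomputedHmac(key)
    for msg in (b"", b"first message", b"second message"):
        assert h.mac(msg) == reference_hmac(key, msg)
    print("precomputed HMAC matches hmac.new for all messages")
```

The saving is one block of hashing per prefix per message, which matters when the same key authenticates many short messages, as in HKDF-Expand or a token format; the price is that two live hash states now hold key-derived secrets for the object's lifetime.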