[tor-bugs] #12694 [Tor]: Upgrade to latest curve25519-donna32
#12694: Upgrade to latest curve25519-donna32
----------------------------------+------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Keywords: tor-relay curve25519 | Actual Points:
Parent ID: | Points:
----------------------------------+------------------------------------
Adam Langley has updated the 32-bit curve25519-donna implementation so
that it behaves the same as the 64-bit one (and the same as nacl) for all
keys and scalars. The old one had bounds-checking problems. His commit
message:
{{{
Correct bounds in 32-bit code.

The 32-bit code was illustrative of the tricks used in the original
curve25519 paper rather than rigorous. However, it has proven quite
popular.

This change fixes an issue that Robert Ransom found where outputs between
2^255-19 and 2^255-1 weren't correctly reduced in fcontract. This
appears to leak a small fraction of a bit of security of private keys.

Additionally, the code has been cleaned up to reflect the real-world
needs. The ref10 code also exists for 32-bit, generic C but is somewhat
slower and objections around the lack of qhasm availability have been
raised.
}}}
To be clear, this does not seem to affect most private keys, and for the
private keys it does affect, it doesn't actually appear to weaken them
appreciably. Still, it's not the kind of behavior that it seems okay to
leave in our implementation. So let's upgrade.
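As an added illustration (not code from the ticket or from curve25519-donna), here is the final reduction step the commit message is about, written over plain integers: `fold_carry_only` reproduces the gap described (it folds the carry out of bit 255 but leaves values in [2^255-19, 2^255-1] unreduced), `reduce_canonical` adds the branch-free conditional subtraction that closes it, and `is_canonical` is the check a caller can apply to any 32-byte output. The function names are mine; Python integers are not constant time, so the mask arithmetic only mirrors the selection a real fcontract does on its limbs.

```python
# Added example, not from the ticket or curve25519-donna: canonical
# reduction of a 256-bit value modulo the curve25519 prime, with the
# incomplete variant beside it for comparison.

P = 2**255 - 19          # the curve25519 field prime
MASK256 = 2**256 - 1     # emulate a 256-bit unsigned word
MASK255 = 2**255 - 1

def fold_carry_only(x: int) -> int:
    """Incomplete reduction (illustrative reconstruction of the gap):
    fold bit 255 back in using 2^255 == 19 (mod p), and stop there.
    Any x in [p, 2^255 - 1] passes through unreduced, i.e. non-canonical."""
    assert 0 <= x <= MASK256
    return (x & MASK255) + 19 * (x >> 255)

def reduce_canonical(x: int) -> int:
    """Return x mod p for 0 <= x < 2^256 using a conditional subtraction
    expressed as masks rather than a data-dependent branch."""
    x = fold_carry_only(x)
    # After the fold, x <= 2^255 + 18, so x - p <= 37 < p: one conditional
    # subtraction is enough to land in [0, p).
    t = (x - P) & MASK256            # two's-complement subtraction
    borrow = (t >> 255) & 1          # 1 iff x < p (bit 255 set on wraparound)
    mask = (borrow - 1) & MASK256    # all ones when no borrow, zero otherwise
    return (t & mask) | (x & ~mask & MASK256)

def encode(x: int) -> bytes:
    """Canonical 32-byte little-endian encoding of x mod p."""
    return reduce_canonical(x).to_bytes(32, "little")

def is_canonical(out: bytes) -> bool:
    """Check a 32-byte field element is fully reduced (value < p).
    A library whose output fails this check has the bug the ticket describes."""
    return len(out) == 32 and int.from_bytes(out, "little") < P

if __name__ == "__main__":
    bad = P + 5   # constructed value inside the range the commit message names
    print("fold only     :", fold_carry_only(bad) == bad)          # True: unreduced
    print("canonical     :", reduce_canonical(bad))                # 5
    print("is_canonical  :", is_canonical(bad.to_bytes(32, "little")))  # False
    print("after encode  :", is_canonical(encode(bad)))             # True
```
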
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12694>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online