
Migrating from num-bigint(-dig) to crypto-bigint #390

Open
tarcieri opened this issue Nov 28, 2023 · 4 comments

Comments

@tarcieri
Member

tarcieri commented Nov 28, 2023

There are a couple issues related to this (#19, #51), but no specific discussion issue for it, so I thought I'd open one.

crypto-bigint v0.6.0-pre.0 now includes more fully featured heap-allocated types which are fixed-precision, can be easily padded to the modulus size, and are (almost) completely implemented in terms of constant-time algorithms:

Notably it should be possible to represent the RSA modulus using BoxedResidueParams which precomputes the constants needed to translate in and out of the Montgomery domain.

The BoxedResidue type supports modular pow and invert, and BoxedUint supports inv_mod (though the implementation on BoxedResidue should be more efficient, since it can rely on an odd modulus). All of these are implemented using constant-time algorithms, although lingering bits of timing variability may remain in certain places (notably the BoxedResidueParams constructor presently uses a non-constant-time remainder function, though since the RSA modulus is a public parameter this shouldn't be an issue).

That should be the core functionality required. There are probably still gaps as this functionality was somewhat hastily implemented, though it should all be fairly well tested.

To start I think we can focus on rsa::hazmat::rsa_decrypt, perhaps converting num_bigint::BigUint to crypto_bigint::BoxedResidue internally. If we can get that to work, we may be able to ship a mitigation without breaking changes to the public API.

A full conversion will require much more work. We'll need to add Boxed* support to crypto-primes, for example: https://github.com/entropyxyz/crypto-primes

cc @dignifiedquire
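As an added illustration (not crypto-bigint's code and not from this thread), the following reduces to a single u64 limb what a Montgomery parameter set like BoxedResidueParams precomputes for an odd modulus, and shows a ladder-style pow whose multiplications do not depend on the exponent bits; `MontyParams`, `select` and `modpow` are hypothetical names.

```rust
// Single-limb (u64) Montgomery context: modulus n, n' = -n^-1 mod 2^64 and
// R^2 mod n with R = 2^64. Toy scope: 64-bit odd modulus, u128 intermediates.
#[derive(Clone, Copy)]
pub struct MontyParams { n: u64, n_prime: u64, r2: u64 }

// Mask-based choice so the selected value does not steer a branch.
fn select(bit: u64, if_zero: u64, if_one: u64) -> u64 {
    let mask = 0u64.wrapping_sub(bit & 1);        // 0x00.. or 0xFF..
    (if_zero & !mask) | (if_one & mask)
}

impl MontyParams {
    pub fn new(n: u64) -> Self {
        assert!(n & 1 == 1, "Montgomery form requires an odd modulus");
        // Newton iteration for n^-1 mod 2^64: correct bits double per round (1 -> 64).
        let mut inv: u64 = 1;
        for _ in 0..6 { inv = inv.wrapping_mul(2u64.wrapping_sub(n.wrapping_mul(inv))); }
        let n_prime = inv.wrapping_neg();           // -n^-1 mod 2^64
        let nn = n as u128;
        let r = (1u128 << 64) % nn;                 // R mod n
        let r2 = (r * r % nn) as u64;               // R^2 mod n
        MontyParams { n, n_prime, r2 }
    }
    // REDC: a*b*R^-1 mod n for a < R and b < n (so a*b < n*R).
    pub fn mul(&self, a: u64, b: u64) -> u64 {
        let nn = self.n as u128;
        let t = a as u128 * b as u128;
        let m = (t as u64).wrapping_mul(self.n_prime) as u128;
        let (s, carry) = t.overflowing_add(m * nn); // low 64 bits of s are zero
        let u = (s >> 64) + ((carry as u128) << 64); // u < 2n
        let mask = 0u128.wrapping_sub((u >= nn) as u128);
        (u - (nn & mask)) as u64                    // reduce into [0, n) via a mask
    }
    pub fn to_monty(&self, a: u64) -> u64 { self.mul(a, self.r2) } // a  -> aR
    pub fn from_monty(&self, a: u64) -> u64 { self.mul(a, 1) }     // aR -> a
    // Montgomery ladder: three multiplications per bit whatever the bit is;
    // only the selects depend on the exponent.
    pub fn pow(&self, base: u64, exp: u64) -> u64 {
        let (mut r0, mut r1) = (self.to_monty(1), base);
        for i in (0..64).rev() {
            let bit = (exp >> i) & 1;
            let (r0r1, r0r0, r1r1) = (self.mul(r0, r1), self.mul(r0, r0), self.mul(r1, r1));
            r0 = select(bit, r0r0, r0r1);
            r1 = select(bit, r0r1, r1r1);
        }
        r0
    }
}

/// base^exp mod n for odd n, computed in the Montgomery domain.
pub fn modpow(base: u64, exp: u64, n: u64) -> u64 {
    let p = MontyParams::new(n);
    p.from_monty(p.pow(p.to_monty(base % n), exp))
}
```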

@tarcieri tarcieri changed the title Migrating from num-bigint to crypto-bigint Migrating from num-bigint(-dig) to crypto-bigint Nov 28, 2023
@dignifiedquire
Member

work on this is happening on #394

@StackOverflowExcept1on

Hi, I'm looking for stack-allocated RSA library in Rust. crypto-bigint seems to be able to do this. Although I can't see modpow in crypto-bigint.

@sosthene-nitrokey

> Hi, I'm looking for stack-allocated RSA library in Rust. crypto-bigint seems to be able to do this. Although I can't see modpow in crypto-bigint.

See #394 (comment) and #394 (comment)

@tarcieri
Member Author

#51 is the tracking issue for "heapless" support

wez added a commit to KumoCorp/kumomta that referenced this issue Apr 10, 2024
We keep getting asked about
https://rustsec.org/advisories/RUSTSEC-2023-0071.html and how it impacts
kumomta.

The answer to that question is: in the default build configuration, we
use openssl's RSA signing implementation rather than that of the rsa
crate.  The reason for this is the performance gap between the two
implementations (RustCrypto/RSA#339). The result of this is
that the problematic code and attack vector described in the security
advisory does not apply to KumoMTA, because it is not used to compute
any signatures.

In the interest of not raising any false alarms as more and more people
perform security analyses on kumomta, this commit removes the `rsa`
crate from the build graph. In order to do so, we need to port
verification over to the openssl RSA implementation which is what this
commit does.

I look forward to a future version of the `rsa` crate being published
that has this issue resolved, and that closes the performance gap!

refs: RustCrypto/RSA#390
doutv pushed a commit to doutv/jolt-demo that referenced this issue Apr 11, 2024
doutv added a commit to doutv/jolt-demo that referenced this issue Apr 11, 2024