Problem: didn't verify secrets against public key in DirectPath #2018
Conversation
There was a problem hiding this comment.
would be good to add a test + document (some explanation why) the "non-obvious" part:
kp_secret_pending has newer signature key but older kem key, new signature key is generated when preparing update proposal.
kp_secret has newer kem key but older signature key, new kem key is generated when commit the self-updating proposal.
| let self_update_proposal = commit_content | ||
| .updates | ||
| .iter() | ||
| .filter_map(|(sender, update)| { |
There was a problem hiding this comment.
can use find? because it's finding the first one?
| @@ -835,6 +848,8 @@ pub enum ProcessCommitError { | |||
| CommitError, | |||
| #[error("decrypted path secret don't match the public key")] | |||
| PathSecretPublicKeyDontMatch, | |||
| #[error("cached secret key don't match commit leaf keypackage")] | |||
| LeafSecretPublicKeyDontMatch, | |||
There was a problem hiding this comment.
seems this error is not used?
There was a problem hiding this comment.
yes, let me remove it, this error case is now keypackage verify error.
| @@ -570,6 +570,28 @@ impl TreePublicKey { | |||
| } | |||
| self.nodes[path[0].node_index()].compute_parent_hash(self.cs) | |||
| } | |||
|
|
|||
| fn verify_node_private_key( | |||
There was a problem hiding this comment.
is it ok to make this pub(crate)? I may need to use this -- just document the intended usage/args
…pto-com#1797) Solution: sketched out core of "NACK" mechanism which involves revealing shared secrets from invalid message parts and including DLEQ proofs. -- currently, needs: 1) latest master of p256 which contains scalar arithmetic (not yet released) 2) for the high-level API, it needs to directly decrypt HPKE ciphertext from a shared secret -- this may not ever be released also needs "verify_node_private_key" from crypto-com#2018
yihuang
force-pushed
the
verify-path-secrets
branch
from
fab1218 to
169fffa
Compare
|
Added |
| if !bool::from( | ||
| private_key | ||
| .public_key() | ||
| .marshal() | ||
| .ct_eq(&node.public_key.marshal()), | ||
| ) { | ||
| false | ||
| } else { | ||
| true | ||
| } |
There was a problem hiding this comment.
could this be rewritten as:
bool::from(private_key
.public_key()
.marshal()
.ct_eq(&node.public_key.marshal())
or private_key.public_key().marshal().ct_eq(&node.public_key.marshal().into() without this extra if branching?
| } | ||
| } | ||
|
|
||
| self.path_secrets.truncate(overlap_pos); |
There was a problem hiding this comment.
was a bit puzzled about truncate here -- I guess the meaning is that it'll keep secrets up to the overlap start (as they are unchanged), and then replace with was decrypted / computed?
a comment could be good here
There was a problem hiding this comment.
yes, added a comment now.
yihuang
force-pushed
the
verify-path-secrets
branch
from
169fffa to
4e7cae6
Compare
yihuang
force-pushed
the
verify-path-secrets
branch
from
4e7cae6 to
4deeb28
Compare
Another issue is, for multiple pending commits, there'll be only one is valid, the pending secrets for other commits will not cleaned up. don't know when or how to cleanup the |
cleanup after applying the "committed" commit (block time when it was included + NACK timeout)? |
I guess just remove all the pending secrets after processing any commit, because all the pending commits will be invalid anyway(the epoch is old)? |
|
needs to be documented crypto-org-chain/chain-docs#141 (comment) in here https://github.com/crypto-com/chain-docs/blob/master/docs/modules/tdbe.md#abci-processing-sketch , it'll be in transitions 8. and 10. |
Yes, I think so -- if e.g. you happen to generate self update proposal while there was another on-going update/removal, it'll be rejected... so you'll need to re-generate and re-submit. |
Codecov Report
@@ Coverage Diff @@
## master #2018 +/- ##
==========================================
+ Coverage 65.01% 65.15% +0.13%
==========================================
Files 213 212 -1
Lines 26520 26649 +129
==========================================
+ Hits 17242 17363 +121
- Misses 9278 9286 +8
|
yihuang
force-pushed
the
verify-path-secrets
branch
2 times, most recently
from
7106922 to
2d6c0b8
Compare
yihuang
force-pushed
the
verify-path-secrets
branch
from
2d6c0b8 to
fb59df2
Compare
|
Fixed partial mutation when process invalid commit. |
yihuang
force-pushed
the
verify-path-secrets
branch
from
fb59df2 to
b817a6b
Compare
Solution: - verify decreted secret against public key - also verify leaf keypackage against leaf secret
yihuang
force-pushed
the
verify-path-secrets
branch
from
b817a6b to
7566540
Compare
|
bors r+ |
|
Build succeeded: |
…pto-com#1797) Solution: sketched out core of "NACK" mechanism which involves revealing shared secrets from invalid message parts and including DLEQ proofs. -- currently, needs: 1) latest master of p256 which contains scalar arithmetic (not yet released) 2) for the high-level API, it needs to directly decrypt HPKE ciphertext from a shared secret -- this may not ever be released also needs "verify_node_private_key" from crypto-com#2018
2029: Problem: no way for mls member to prove invalid ciphertext (fixes #1797) r=tomtau a=tomtau Solution: sketched out core of "NACK" mechanism which involves revealing shared secrets from invalid message parts and including DLEQ proofs. -- currently, needs: 1) latest master of p256 which contains scalar arithmetic (not yet released) 2) for the high-level API, it needs to directly decrypt HPKE ciphertext from a shared secret -- this may not ever be released also needs "verify_node_private_key" from #2018 Co-authored-by: Tomas Tauber <[email protected]>
Solution: