Migrating from num-bigint(-dig) to crypto-bigint
#390
Comments
tarcieri
changed the title
num-bigint to crypto-bigintnum-bigint(-dig) to crypto-bigint
|
work on this is happening on #394 |
|
Hi, I'm looking for stack-allocated RSA library in Rust. |
See #394 (comment) and #394 (comment) |
|
#51 is the tracking issue for "heapless" support |
wez
added a commit
to KumoCorp/kumomta
that referenced
this issue
Apr 10, 2024
We keep getting asked about https://rustsec.org/advisories/RUSTSEC-2023-0071.html and how it impacts kumomta. The answer to that question is: in the default build configuration, we use openssl's RSA signing implementation rather than that of the rsa crate. The reason for this is that OpenSSL's RSA implementation is due to the performance gap between the two implementations (RustCrypto/RSA#339). The result of this is that the problematic code and attack vector described in the security advisory does not apply to KumoMTA, because it is not used to compute any signatures. In the interest of not raising any false alarms as more and more people perform security analyses on kumomta, this commit removes the `rsa` crate from the build graph. In order to do so, we need to port verification over to the openssl RSA implementation which is what this commit does. I look forward to a future version of the `rsa` crate being published that has this issue resolved, and that closes the performance gap! refs: RustCrypto/RSA#390
doutv
pushed a commit
to doutv/jolt-demo
that referenced
this issue
Apr 11, 2024
doutv
added a commit
to doutv/jolt-demo
that referenced
this issue
Apr 11, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There are a couple issues related to this (#19, #51), but no specific discussion issue for it, so I thought I'd open one.
crypto-bigintv0.6.0-pre.0 now includes more fully featured heap-allocated types which are fixed-precision, can be easily padded to the modulus size, and are (almost) completely implemented in terms of constant-time algorithms:BoxedUintBoxedResidueBoxedResidueParamsNotably it should be possible to represent the RSA modulus using
BoxedResidueParamswhich precomputes the constants needed to translate in and out of the Montgomery domain.The
BoxedResiduetype supports modularpowandinvert, andBoxedUintsupportsinv_mod(though the implementation onBoxedResidueshould be more efficient, since it can rely on an odd modulus). All of these are implemented using constant-time algorithms, although lingering bits of timing variability may remain in certain places (notably theBoxedResidueParamsconstructor presently uses a non-constant-time remainder function, though since the RSA modulus is a public parameter this shouldn't be an issue).That should be the core functionality required. There are probably still gaps as this functionality was somewhat hastily implemented, though it should all be fairly well tested.
To start I think we can focus on
rsa::hazmat::rsa_decrypt, perhaps convertingnum_bigint::BigUinttocrypto_bigint::BoxedResidueinternally. If we can get that to work, we may be able to ship a mitigation without breaking changes to the public API.A full conversion will require much more work. We'll need to add
Boxed*support tocrypto-primes, for example: https://github.com/entropyxyz/crypto-primescc @dignifiedquire
The text was updated successfully, but these errors were encountered: