Allow all-zero messages #207
Conversation
|
Uh, the all-zero message is evil, at least when it comes to verification, see https://crypto.stackexchange.com/a/50290 . Can you explain where you need this? (A more precise statement is "ECDSA without hashing is evil." Unfortunately upstream secp256k1 relies on the caller providing the hash directly. This has the advantage that everything is fixed-size but it's certainly not optimal.) |
|
Agreed, concept NACK. But I am curious why you need this? |
|
Ethereum has an After @real-or-random's explanation I do see that all-zero message does not look safe. However, to stay in consensus we currently just have to support that case. We're thinking about (mis-)use the |
|
I think that if Ethereum supports flagrantly insecure modes of operation you will need to fork this library to support that. I highly doubt that this specific problem will be the only instance of this sort of thing. I'm really disappointed to hear people talking about abuse of |
To be fair, upstream does the same. So strictly speaking we indeed differ from upstream (as used by go-ethereum) here. Which is fine unless someone finds a SHA256 preimage of We all know consensus is hard, that's why our point is that rust-bitcoin shouldn't be used for Bitcoin consensus. (https://github.com/rust-bitcoin/rust-bitcoin#consensus) I don't want to start this discussion. But I still wonder if it's avoidable to have a consensus failure of two implementations that essentially rely on the same library, just one implementation uses a Rust wrapper. The problem here is that we want to provide an API that's as safe as possible to use. That means we don't want to offer low-level functionality.
It's merged, #206 extends it only. |
|
Hmmm I do agree that a zeroed message is a bad idea. I definitely agree that a correct API should hash the message for you. |
Oh I haven't thought of this. That's a neat hack indeed. (Should we prevent this? If we assume zeroes is some default value, then a careless user may pass this as a hash but probably not the group order. If we assume the hash is chosen by the attacker, things are different.) |
|
@real-or-random Can you provide some more info how to use group order directly in |
But I'm somewhat with @apoelstra here, that this is a bug in ethereum. |
|
I personally feel double of disallowing things that upstream allows. If the zero message is unsafe, upstream should not allow it. If upstream doesn't, then why would we make an exception? |
|
Upstream allows it because in Bitcoin Core's use there is no way to get an all-0s hash (though there almost was, and this would've made coins trivial to steal), and preventing this would greatly complicate the C API. Unlike upstream, we are working in a reasonable programming language and do not have only one user, whose accidental safety we can rely on when designing APIs. |
How would rejecting 0s complicate the C API? I think it could just return 0? I think upstream has more than one user too, that's part of the issue here. |
|
Given that a zero message is clearly a special case, how about leaving the |
|
@real-or-random we could return 0 upstream, but this is different from preventing the user from creating a 0 |
|
While I agree that that zero-messages should not be used I do not think that making fork, periodically sync it with upstream (and maybe publish to cargo) is a good idea. |
|
Yeah let's just pull this in. I agree with the moral argument that we shouldn't deviate from upstream. I'm also unsure we're really protecting anybody with this check to be honest. If you have freeform user-provided hashes you are vulnerable to forged signatures anyway (Craig Wright tried this a year or two ago, though I've lost the link), just blocking all-zeros doesn't get you much. |
In Ethereum's
ecrecoverprecompile, we need to operate on the raw preimage/message. The message is user input and can be all-zero. However, the currentMessagestruct treats all-zero message asInvalidMessage. This breaks some of our use cases.cc https://github.com/openethereum/openethereum/issues/11603