512 sats \ 5 replies \ @0260378aef 4 Jan \ parent \ on: waxwing commentary on twist attacks + bitcoin’s curve bitdevs
No, it's to generate the conversation key (shared secret)
Ah! I had a feeling I was missing something, indeed :) Should have read the function :)
So the question is whether the operation in the called library is checking the input public key. Where is that function? The decred github link in the comment is (no longer?) valid).
The warning is telling me that is that it does not check, it just truncates the value. Checking would mean that it would throw an error imo:
I think that warning is just talking about how it truncates the input private key argument, i.e. if it's > N but < 2*256. N is a few bits smaller than 2^256. So if you enter a value m s.t. N < m < 2 **256 it will truncate it by doing m mod N, which will be an extremely small number, and therefore a valid, but completely insecure private key. At least that's how I read the comment.
write
preview
0 sats \ 0 replies \ @ek 4 Jan
Oh, I think I found another source of confusion.
I am talking about this function when I mean GenerateConversationKey:
func GenerateConversationKey(sendPrivkey *secp256k1.PrivateKey, recvPubkey *secp256k1.PublicKey) []byte {
	// TODO: Make sure keys are not invalid or weak since the secp256k1 package does not.
	// See documentation of secp256k1.PrivKeyFromBytes:
	// ================================================================================
	// | WARNING: This means passing a slice with more than 32 bytes is truncated and |
	// | that truncated value is reduced modulo N.  Further, 0 is not a valid private |
	// | key.  It is up to the caller to provide a value in the appropriate range of  |
	// | [1, N-1].  Failure to do so will either result in an invalid private key or  |
	// | potentially weak private keys that have bias that could be exploited.        |
	// ================================================================================
	// -- https://pkg.go.dev/github.com/decred/dcrd/dcrec/secp256k1/v4#PrivKeyFromBytes
	shared := secp256k1.GenerateSharedSecret(sendPrivkey, recvPubkey)
	return hkdf.Extract(sha256.New, shared, []byte("nip44-v2"))
}
This is part of my NIP-44 golang library. (NIP-44 was recently merged.) So this code is meant to be called with secp256k1 keys (see function signature).
However, since these keys are already of type secp256k1.PrivateKey and secp256k1.PublicKey (to be precise: pointers of these types), these keys could have been generated in a weak way - for example, if the caller used secp256k1.PrivKeyFromBytes which contains the warning that I copied into my GenerateSharedSecret function:
	// | WARNING: This means passing a slice with more than 32 bytes is truncated and |
	// | that truncated value is reduced modulo N.  Further, 0 is not a valid private |
	// | key.  It is up to the caller to provide a value in the appropriate range of  |
	// | [1, N-1].  Failure to do so will either result in an invalid private key or  |
	// | potentially weak private keys that have bias that could be exploited.        |
	//
So currently, there is a disclaimer in the README of my NIP-44 implementation since not all test vectors are passing. I am using PrivKeyFromBytes myself in my tests and my library is not checking for weak or invalid private keys:
DISCLAIMER - READ BEFORE USING
This library does not make sure yet that the secp256k1 keys you want to use for the conversation key are valid, protected against twist attacks and not contain any other weaknesses as mentioned in the NIP-44 security audit.
If you really want to use this library before this is fixed, you need to make sure that the keys you use with GenerateConversationKey are not affected yourself.
See this line in my tests:
func assertConversationKeyFail(t *testing.T, sk1 string, pub2 string, msg string) {
	// TODO: Update GenerateConversationKey since secp256k1 does accept invalid or weak keys
	t.Skip("secp256k1 keys are not validated yet during conversation key generation.")
reply
0 sats \ 3 replies \ @0260378aef 4 Jan
I guess it's just my lack of knowledge of something about golang? But I can't find github.com/decred/dcrd/dcrec/secp256k1/v4 , nor can I find a v4 (or v4.*) branch?
reply
0 sats \ 2 replies \ @0260378aef 4 Jan
So I guess it must be this one?
https://github.com/decred/dcrd/blob/8208daf4c708454b408699d31ca923ef321637a5/dcrec/secp256k1/ecdh.go#L14C6-L14C26
What's input is a PubKey object, which I guess will be got by calling ParsePubKey, here?:
https://github.com/decred/dcrd/blob/8208daf4c708454b408699d31ca923ef321637a5/dcrec/secp256k1/pubkey.go#L104
and it is checking that it's a valid point (actually, it's also checking in the case when the point is uncompressed, as you'd hope/expect. (line 141)
reply
0 sats \ 1 reply \ @ek 4 Jan
So I guess it must be this one?
Sorry, using GenerateSharedSecret was confusing. I didn't mean the function in secpk256k1. I meant the function in my NIP-44 library and that I am currently skipping tests because I assumed that secp256k1 keys are always valid of strong. However, if they are generated usingsecp256k1.PrivKeyFromBytes they might not be valid or contain weaknesses.
See this reply from me, hopefully it unconfuses you :)
reply
0 sats \ 0 replies \ @0260378aef 4 Jan
No, I don't think there was any confusion in that second point. I read the function in your library, then I went looking for secp256k1.GenerateShared Secret that you use, there.
I don't think there's any issue apart from the one you mention about how the private key is generated, i.e. what they warn about in your original comment. (and this is always a big concern to address, whether doing ECDH or anything else).
And as for pubkeys, which are the only source of a "twist attack" type concern, The secp256k1.PubKey object is almost always going to be generated from ParsePubKey right? The only other way is via a constructor, and there is no concern there anyway.
reply