poc: Add application context string (*) #422
Merged
Scoped the PR to just changing the poc and converted to "ready for review". (We'll propagate the changes to the draft in the next PR.) Also rebased.

Rebased.
divergentdave approved these changes on Sep 27, 2024
WIP: We still need to propagate the changes through the draft and update security considerations, in particular the line about weak parameters being exploitable across tasks.

Add an application context string, denoted `ctx`, to sharding and preparation APIs for DAFs and VDAFs. The intent is to use this for defense-in-depth: by binding execution of a VDAF to its application (concretely, in DAP we would set `ctx` to the task ID), we hope that an attack on that application does not translate directly to an attack on another application using the same parameters.

This change is motivated by the possibility of an offline attack against the robustness of some Prio3 variants. The attack is as follows: fix an invalid measurement, then search for measurement shares that derive joint randomness that causes the circuit to accept. Once these shares are found, they can be used to corrupt any batch that uses the same Prio3 parameters.

To reduce the blast radius of this attack, we can bind `ctx` to the joint randomness derivation, thereby ensuring the offline work done by the attacker is only useful to break a single application.

This change is slightly more general: wherever we compute a domain separation tag in either Prio3 or Poplar1, we append `ctx`. This is more invasive than necessary, but it's also more conservative.

Finally, we modify XofTurboShake128 and XofFixedKeyAes128 by changing the length prefix for the domain separation tag from a single byte to two bytes, thereby accommodating larger application context strings.
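A worked illustration of the binding described above, added here as an example and not taken from the PR or the draft's reference poc: it assumes a constructed dst layout (version byte, algorithm class byte, 4-byte algorithm ID, 2-byte usage, then `ctx`), uses SHAKE128 as a stand-in for XofTurboShake128, and applies the dst length prefix as little-endian bytes ahead of the dst. It shows that identical measurement shares derive different joint randomness under two task IDs, and why a 1-byte length prefix cannot carry a long `ctx`.

```python
import hashlib

# Constructed layout for the domain separation tag (dst); the version,
# class and usage values are placeholders, not the draft's constants.
VERSION = 0x0C
ALGO_CLASS_VDAF = 0x01
USAGE_JOINT_RAND_SEED = 0x03
DST_HEADER_LEN = 1 + 1 + 4 + 2  # version, class, algorithm ID, usage

def format_dst(algo_id: int, usage: int, ctx: bytes) -> bytes:
    """Domain separation tag with the application context string appended."""
    return (bytes([VERSION, ALGO_CLASS_VDAF])
            + algo_id.to_bytes(4, "big")
            + usage.to_bytes(2, "big")
            + ctx)

def max_ctx_len(prefix_len: int) -> int:
    """Largest ctx that fits when len(dst) is encoded in prefix_len bytes."""
    return (1 << (8 * prefix_len)) - 1 - DST_HEADER_LEN

def xof_derive(seed: bytes, dst: bytes, binder: bytes,
               length: int, prefix_len: int = 2) -> bytes:
    """Stand-in XOF (SHAKE128 in place of TurboSHAKE128): absorb the seed,
    a prefix_len-byte little-endian length of dst, dst, then the binder.
    The length prefix keeps the (dst, binder) split unambiguous."""
    if len(dst) >= 1 << (8 * prefix_len):
        raise ValueError(f"dst of {len(dst)} bytes does not fit a "
                         f"{prefix_len}-byte length prefix")
    material = seed + len(dst).to_bytes(prefix_len, "little") + dst + binder
    return hashlib.shake_128(material).digest(length)

def joint_rand_seed(seed: bytes, algo_id: int, ctx: bytes, binder: bytes,
                    prefix_len: int = 2) -> bytes:
    """Joint randomness seed bound to the application via ctx in the dst."""
    dst = format_dst(algo_id, USAGE_JOINT_RAND_SEED, ctx)
    return xof_derive(seed, dst, binder, 16, prefix_len)

def context_bound(seed: bytes, binder: bytes, ctx_a: bytes, ctx_b: bytes) -> bool:
    """True when the same shares (binder) yield different joint randomness
    under two contexts, so work precomputed for one task does not carry over."""
    return (joint_rand_seed(seed, 1, ctx_a, binder)
            != joint_rand_seed(seed, 1, ctx_b, binder))

if __name__ == "__main__":
    seed = bytes(16)                             # constructed
    binder = b"nonce||measurement-share-bytes"   # constructed
    print(context_bound(seed, binder, b"task-id-A", b"task-id-B"))
    print(max_ctx_len(1), max_ctx_len(2))        # 247 65527
```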
Based on #421 (merge that first).
Partially addresses #418 (still need to propagate to draft).