Upgrade to latest curve25519-donna32
Reported by: nickm
Keywords: tor-relay, curve25519, 2016-bug-retrospective
Adam Langley has updated the 32-bit curve25519-donna implementation so that it behaves the same as the 64-bit one (and the same as NaCl) for all keys and scalars. The old one had bounds-checking problems in its final reduction. His commit message:
Correct bounds in 32-bit code.
The 32-bit code was illustrative of the tricks used in the original curve25519 paper rather than rigorous. However, it has proven quite popular. This change fixes an issue that Robert Ransom found where outputs between 2^255-19 and 2^255-1 weren't correctly reduced in fcontract. This appears to leak a small fraction of a bit of security of private keys. Additionally, the code has been cleaned up to reflect the real-world needs. The ref10 code also exists for 32-bit, generic C but is somewhat slower and objections around the lack of qhasm availability have been raised.
To be clear, this does not seem to affect most private keys, and for the private keys it does affect, it doesn't actually appear to weaken them appreciably. Still, it's not the kind of behavior that it seems okay to leave in our implementation. So let's upgrade.
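To make the reduction problem concrete, here is an added example (written for this ticket, not code from curve25519-donna, Tor, or Adam Langley's commit). It models the final contraction of a Curve25519 field element as a plain Python integer rather than as limbs: a contraction that only folds bit 255 back in (2^255 ≡ 19 mod p) leaves the 19 inputs in [2^255-19, 2^255-1] as non-canonical encodings, while a contraction that finishes with a conditional subtraction of p does not. The function names (`contract_incomplete`, `contract_complete`, `is_canonical`, `ambiguous_inputs`, `decode`) are this example's own and do not correspond to donna's API.

```python
# Added example, not code from curve25519-donna or Tor: an integer model of
# the final reduction ("fcontract") of a Curve25519 field element.  It shows
# why an output in [2^255-19, 2^255-1] must still have p subtracted once.
# All function names here are this example's own.

P = 2**255 - 19  # the Curve25519 field prime p


def _fold_top_bit(x: int) -> int:
    """Fold bit 255 back into the low bits using 2^255 == 19 (mod p).
    Two passes bring any x < 2^256 down to x < 2^255."""
    x = (x & (2**255 - 1)) + 19 * (x >> 255)
    x = (x & (2**255 - 1)) + 19 * (x >> 255)
    return x


def contract_incomplete(x: int) -> bytes:
    """Model of a contraction that stops after folding the top bit.
    The result fits in 255 bits, but the 19 field elements 0..18 can come
    out in two different encodings: x itself and x + p."""
    assert 0 <= x < 2**256
    return _fold_top_bit(x).to_bytes(32, "little")


def contract_complete(x: int) -> bytes:
    """Fold the top bit, then conditionally subtract p so the result is the
    unique representative in [0, p).  The selection is written with a
    borrow mask to mirror the constant-time style of the C code; Python
    integers are not constant-time, so this only models the data flow."""
    assert 0 <= x < 2**256
    x = _fold_top_bit(x)
    t = x - P                   # negative iff x < p
    borrow = -(t >> 256)        # arithmetic shift of the sign: 1 iff x < p
    x = x - P * (1 - borrow)    # subtract p exactly when x >= p
    return x.to_bytes(32, "little")


def is_canonical(enc: bytes) -> bool:
    """True iff the 32-byte little-endian encoding is canonical, i.e. it
    decodes to an integer strictly below p."""
    return len(enc) == 32 and int.from_bytes(enc, "little") < P


def decode(enc: bytes) -> int:
    """Field element represented by an encoding, regardless of canonicity."""
    return int.from_bytes(enc, "little") % P


def ambiguous_inputs() -> list:
    """All 255-bit values the incomplete contraction leaves non-canonical."""
    return [x for x in range(P, 2**255)
            if not is_canonical(contract_incomplete(x))]


if __name__ == "__main__":
    bad = ambiguous_inputs()
    print(f"{len(bad)} inputs are left unreduced by the incomplete contraction")
    for x in (P, 2**255 - 1):
        inc, com = contract_incomplete(x), contract_complete(x)
        print(hex(x),
              "incomplete canonical:", is_canonical(inc),
              "complete canonical:", is_canonical(com),
              "same field element:", decode(inc) == decode(com))
```

Both contractions encode the same field element (the `decode` values agree), which is why the commit message calls the effect a leak of only a fraction of a bit: the non-canonical encoding reveals that the underlying value lies in a 19-element range, not the value itself. The fix is simply to always perform the last conditional subtraction, as the complete version does.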