From 833137e00396500c1aa5f4f07f771219ca52c67f Mon Sep 17 00:00:00 2001 From: lauener Date: Tue, 6 Aug 2024 09:39:57 +0200 Subject: [PATCH 1/3] Add BLS12-381 recommendation --- pairing/bn256/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pairing/bn256/README.md b/pairing/bn256/README.md index 01ad08b4a..5098d50ff 100644 --- a/pairing/bn256/README.md +++ b/pairing/bn256/README.md @@ -13,9 +13,11 @@ Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper. +### Warning This package previously claimed to operate at a 128-bit security level. However, recent improvements in attacks mean that is no longer true. See -https://moderncrypto.org/mail-archive/curves/2016/000740.html. +https://moderncrypto.org/mail-archive/curves/2016/000740.html. +We strongly recommend using the `BLS12-381` curve that still provide ~128-bit security and is not vulnerable to these improved attacks. ### Benchmarks From 857eaa0ee7b4c0354f2c2d03de1fdeb34f43fadb Mon Sep 17 00:00:00 2001 From: lauener Date: Tue, 6 Aug 2024 10:04:11 +0200 Subject: [PATCH 2/3] Add issue #439 warning --- pairing/bn256/README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pairing/bn256/README.md b/pairing/bn256/README.md index 5098d50ff..98813eeb2 100644 --- a/pairing/bn256/README.md +++ b/pairing/bn256/README.md 
@@ -13,13 +13,18 @@ Barreto-Naehrig curve as described in http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible with the implementation described in that paper. -### Warning +### Security Warnings +--- This package previously claimed to operate at a 128-bit security level. However, recent improvements in attacks mean that is no longer true. See https://moderncrypto.org/mail-archive/curves/2016/000740.html. We strongly recommend using the `BLS12-381` curve that still provide ~128-bit security and is not vulnerable to these improved attacks. +#### Modulo bias in Hash() +A modulo bias was found in [hashToPoint()](https://github.com/dedis/kyber/blob/9ac80102d756a21f318685e230e33791c44b5e2e/pairing/bn256/point.go#L239), for reason of backward compatibility we did not fix it. This problem was raised in issue [#439](https://github.com/dedis/kyber/issues/439). + ### Benchmarks +--- branch `master`: ``` From 22c752b40baf5abd12ab092ec60992b704f02de0 Mon Sep 17 00:00:00 2001 From: lauener Date: Tue, 6 Aug 2024 10:27:27 +0200 Subject: [PATCH 3/3] Add workaround suggestion --- pairing/bn256/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pairing/bn256/README.md b/pairing/bn256/README.md index 98813eeb2..9aa12eeba 100644 --- a/pairing/bn256/README.md +++ b/pairing/bn256/README.md 
@@ -21,7 +21,7 @@ https://moderncrypto.org/mail-archive/curves/2016/000740.html. We strongly recommend using the `BLS12-381` curve that still provide ~128-bit security and is not vulnerable to these improved attacks. #### Modulo bias in Hash() -A modulo bias was found in [hashToPoint()](https://github.com/dedis/kyber/blob/9ac80102d756a21f318685e230e33791c44b5e2e/pairing/bn256/point.go#L239), for reason of backward compatibility we did not fix it. This problem was raised in issue [#439](https://github.com/dedis/kyber/issues/439). +A modulo bias was found in [hashToPoint()](https://github.com/dedis/kyber/blob/9ac80102d756a21f318685e230e33791c44b5e2e/pairing/bn256/point.go#L239), for reason of backward compatibility we did not fix it. This problem was raised in issue [#439](https://github.com/dedis/kyber/issues/439). If backward compatibility is not a problem, and this is really the curve you want to use, a potential workaround is also suggested in the linked issue. Otherwise `BLS12-381` also provides `Hash()` as defined in [RFC9380](https://datatracker.ietf.org/doc/rfc9380/). ### Benchmarks ---
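Review bot: In the recommendation sentence added in PATCH 1/3 (`We strongly recommend using the `BLS12-381` curve that still provide ~128-bit security...`), "provide" should be "provides", and "is not vulnerable to these improved attacks" overstates it; the accurate statement is that BLS12-381 was parameterized with the improved attacks on pairing-friendly curves already taken into account, so its ~128-bit estimate still holds. The sentence should also say which package implements BLS12-381, otherwise the warning is not actionable from the README alone. The same hunk removes and re-adds the `https://moderncrypto.org/mail-archive/curves/2016/000740.html.` line with identical visible text, which looks like a whitespace-only change; drop it so the hunk contains only the intended edit.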
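Review bot: The new `#### Modulo bias in Hash()` heading in PATCH 2/3 names `Hash()` while the paragraph under it says the bias is in `hashToPoint()`; use one name consistently, or state that `Hash()` delegates to `hashToPoint()` if that is the relationship, so readers know which call is affected. The paragraph should also state the consequence in one sentence, since a modulo bias means the returned points are not uniformly distributed, which matters to anyone relying on the hash for unbiased group elements; as written it only says a bias exists and was left unfixed. Grammar: `for reason of backward compatibility we did not fix it` should read `for reasons of backward compatibility, we did not fix it`. The `+---` lines under `### Security Warnings` and `### Benchmarks` add horizontal rules that no other heading in this hunk has, and a bare `---` directly under a text line is parsed as a setext heading underline in CommonMark, so they are easy to break in later edits; consider removing them.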
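Review bot: The workaround sentence added in PATCH 3/3 sends readers to the issue without saying what the workaround is; a README security warning should be self-contained, so either summarize the workaround in one sentence here or state explicitly that it changes the hash output and is therefore incompatible with existing deployments, which `If backward compatibility is not a problem` implies but does not say. `and this is really the curve you want to use` is informal for a security warning; `if you must use this curve` is clearer. The `BLS12-381` `Hash()` mention should link to the package that implements it, as the `hashToPoint()` link above does, and the citation should read `RFC 9380` (with a space) to match the IETF name.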