-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PublicKey::combine_keys
doesn't have to fail on long slices
#704
Comments
This method is basically deprecated and we would have deleted it long ago if the LN people hadn't baked it into their protocol. I do not want to improve the API. If anything I would like to make it worse. It is a dangerous function because it has no protection against rogue-key attacks. |
Yeah, I was wondering where the method is even useful since I know about the attacks. Does LN do some kind of pre-processing to avoid the attacks? Or is it used for something else? |
I checked rust-lightning and found:
So I think we could drop the In the PR that added this function #291 @Tibo-lg describes a discrete-log-contract construction that feels like it's into "roll your own crypto" territory (on the part of the DLC designers, not Tibo himself) but I don't know the details of that. But I think it's probably reasonable to say "if you want to do weird things like this you have to use unsafe code to call the |
Or we could keep |
@apoelstra I was not aware that there was a difference in security between calling
I don't think this use case is vulnerable to rogue key attacks, and it would be a big performance hit to call |
@Tibo-lg it's not a difference in security, it's the fact that both functions promote unsecure crypto schemes (AKA "rolling your own crypto") and this library doesn't want to promote that. You can use them securely but you must really, really know what you're doing. Regarding FFI, you could try to figure out cross-language LTO, though I've read that it only works on Debian. @apoelstra I was thinking if upstream could add a function for whatever LN does it'd move things forward but if people also use it for other things rugging them sucks. |
There is no difference in security between calling @Tibo-lg if we removed I don't know enough about your larger scheme, but it's definitely possible for an attacker oracle to grind a sum of anticipated signatures to equal the sum of a different set of anticipated signatures, using Wagner's algorithm. Is this a problem? I don't know. But this is the sort of thing that we don't want to expose in the rust-secp API. |
Ah sorry I guess I didn't understand what you were talking about...
Yeah that's no problem for me.
You're right there is that problem in the multi oracle setting, and IIRC the fix was to have oracle prove they know the pre-images of the nonces they will use to sign (though just checked and it looks like this was never merged into the specs, probably should be). |
Yep, that fix is sufficient to prevent rogue-key attacks. Glad we had this discussion :P. But it also illustrates why we want to keep our API limited to "things we are specifically support and are confident in". |
Hey folks, just discovered this and thought that I should chime in. I'm a dev working on a new wrapped BTC token and we use this function to combine public keys (we do so here). So it would be nice to either have this method here or have the FFI functions so that we could copy the implementation ourselves. Question following from @apoelstra #704 (comment):
I think I'm missing something really important here; what foot-gun does this method expose? From the conversation so far, my sense of things is that the issue is that the And is my understanding that the ideal here is that both of these methods would be removed, but users could implement it themselves using the FFI functions? Also, we cannot remove |
Yes.
Yes, at least until upstream drops them.
Kinda. We could just replace it with their scheme or some other better API so it wouldn't break them but it'd seal the API hole. |
Okay cool, makes sense.
Oh, are there any plans for them to be dropped in libsecp256k1, or is this just a general comment about the availability of the underlying functions? |
IIUC they'd love to but it's not easy. |
If my understanding is correct
combine_keys
does simply point addition. Therefore for any set of keyscombine_keys(&[k1, k2, k3, ... , ki, kj, ... kn]) == combine_keys(&[k1, k2, k3, ... , ki]).combine(combine_keys(&[kj, ... kn]))
which enables us to just split the slice and call the method multiple times. IIUC the reason to even have a special method is some optimized batch combining.The text was updated successfully, but these errors were encountered: