Comments (4)
Thanks for pinging me @paulmillr !
@mratsim My project supports a wide range of operations including pairing cryptography and bignum operations and it has found hundreds of bugs in major libraries. Let me know if you'd like to integrate a module for constantine..
from constantine.
Some progress towards fuzzing.
There is a new bindings generator, which can be called with nimble bindings
which will generate a DLL for BLS12_381 and the Pasta curves and the accompanying headers.
For now serialization is restricted to only field elements Fp and Fr and the dll wasn't tested at all.
Before running the actual code the "NimMain" function like ctt_bls12381_NimMain
should be called, it populates CPU runtime detection (for now that's the only runtime stuff). On that note, I might add a pure C compilation target for fuzzing that as well.
Example bindings: https://github.com/mratsim/constantine/blob/37354e9/bindings/generated/constantine_bls12_381.h
Some example C code to load that and property-based test the code or differential fuzz vs GMP in the CI will be added in the future as an example.
from constantine.
Easy initial fuzzing targets:
- Multiplication against Squaring
- pow(prime-2) against Euclid inversion
- pow((p-1)/2) should always be 0, 1 or p-1 (Euler's Criterion, Legendre Symbol, Quadratic Residuosity test)
- squaring against sqrt
- isSquare against sqrt_if_square
- multiplication against inversion
- EC add against EC double
Note: Coverage-guided fuzzers like libFuzzer try to trigger all codepaths based on branches in the code.
Constantine doesn't have branch which makes fuzzing harder.
Have to find the article/paper that mentioned that, apparently for fuzzing they reintroduced branches (how?) to help the fuzzer.
Fuzzing versus branch-free code
After reporting the bug I was asked by the OpenSSL developers if I could do a similar test on their HMAC implementation. I did that and the result is interesting. At first I was confused: A while after the fuzzing started american fuzzy lop was only reporting two code paths. Usually it finds dozends of code paths within seconds.
This happens because cryptographic code is often implemented in a branch-free way. That means that there are no if-blocks that will execute different parts of the code depending on the input. The reason this is done is to protect against all sorts of sidechannel attacks. This conflicts with the way modern fuzzers like american fuzzy lop or libfuzzer work. They use the detection of new code paths as a way to be smart about their inputs.
Pascal Cuoq on Friday, December 4. 2015:
You can re-introduce, for the purpose of fuzzing, the if-then-elses that, for the purpose of avoiding timing attacks, have been made into constant-time selections with a patch similar to the one shown here for an old version of OpenSSL:
from constantine.
cc @guidovranken who is a world-class fuzzer - he may find this library and fuzzing ideas interesting
from constantine.
Related Issues (20)
- Protocol: EIP2333 - BLS12-381 Ethereum Consensus Key Generation
- Scalar-mul: Constant-Time double-and-add
- Perf: `isSquare` - constant-time Jacobi/Kronecker/Legendre symbol using fast GCD
- Perf: Assembly code generator for ARM and ARM64 HOT 1
- Accelerate Merkle tree hashing
- [Fuzz fail] Fused sumproduct failure HOT 1
- Protocol: Chaum-Pedersen BLS aggregation proof without pairings for light client
- [Hash Table] Provide SipHash (stretch: Highway hash)
- [CSPRNG] Provides CSPRNGs HOT 1
- [Fuzz fail] WNAF (used only for randomization) HOT 1
- GCC miscompiles Fp2 with --opt:size flag HOT 1
- GCC miscompiles Fp6 Frobenius with -flto flag HOT 9
- [Perf] 11% regression on BLS12-381 G2 signing (impacting Ethereum) HOT 4
- [RFC] A compiler approach for finite fields, elliptic curves and pairings HOT 2
- Faster point decompression HOT 1
- ZKML: Proving Machine Learning HOT 3
- Folding schemes
- BigInt division/reduction returns wrong result for values < 64-bit HOT 1
- Reactivate 32-bit CI HOT 1
- [LTO] Montgomery squaring with full bits curves miscompile with LTO HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from constantine.