Add options to use blank external dependencies

[contrun]

This commit makes external dependencies unnecessary when WITH_BLANK_EXTERNAL_DEPENDENCIES is specified.
It is useful in some restricted environment or in some specific applications (e.g. deterministic signature generation).

I think it is something nice to have.

[rben-dev]

Hi @contrun,

Thanks for your interest and your PR to libecc.

Regarding this PR, although I understand the need for this WITH_BLANK_EXTERNAL_DEPENDENCIES toggle, I find it quite dangerous as proposed here as returning a random with zeroes can be catastrophic when used with non deterministic signatures. A non advised user of the library might not understand this and use it very badly. For get_random, it would be better to always return an error: this way, non deterministic signatures will fail as they should. We will have to check the side effects though: removing randomness will also break at least key generation as well as many countermeasures (against side-channel attacks, such as blinding) included in the core library, which makes this quite fragile. I doubt that as is, libecc will properly work without a proper randomness source.

The "shims" for ext_printf and get_ms_time are less critical, but using a "monotonic" counter for get_ms_time might be a better solution as it would prevent being stuck in time measurement loops.

Finally, I would be interested in understanding why and how this approach would solve integration in webassembly environment without breaking the non deterministic signatures?

Regards,

[contrun]

Hi @rb-anssi, thanks for the review.

I am not an expert on webassembly. My main use case is deterministic signature generation and verification. As far as I know, it is impossible to generate non-deterministic signatures with standard webassembly runtime. I think in some webassembly environment, many cryptography functions are provides as primitives to their specific runtime, while some webassembly runtimes use WebAssembly/wasi-random: Entropy source API for WASI.

I can add a thread-unsafe monotonic counter to get_ms_time, it that acceptable? I think adding a thread-safe counter does not worth the effort.

[rben-dev]

Hi @contrun,

Thanks for the clarification and for the patches.

I have taken some time to test get_random returning an error since yesterday and unfortunately this is not working as expected. As previously recalled, the libecc core operations (mainly scalar multiplication on elliptic curves) use randomized blinding primitives which make things fail even for deterministic signatures (DECDSA, EdDSA and so on). For now these protections are unavoidable, and I am not really keen on removing them as they are part of the library defenses against various security/side-channel threats. Bottom line: I don't see a proper way to keep libecc functional (even only for deterministic signatures) without a source of entropy, even of poor quality. Leaving this source as a responsibility to the user seems reasonable, although I can understand that in some cases such as the ones you cite as examples it would require some thinking and development ... Maybe discussing these cases thoroughly in the README and providing a "howto" (e.g. with Webassembly) could be of interest?

Regarding get_ms_time and ext_printf, providing "shims" is not critical and should not break the library (we should however discuss how the flag WITH_BLANK_EXTERNAL_DEPENDENCIES is interpreted when the platform is recognized). For get_ms_time, a simple static thread-unsafe global variable will be sufficient at it should be only used by this function.

EDIT: comment updated since the common.mk patch regarding WITH_BLANK_EXTERNAL_DEPENDENCIES is now part of the PR.

Regards,