[android] [throwable] arithmetic error in scalar multiplication #224
Comments
Interesting. Can you provide the private key? The check is a defense against arithmetic errors which normally shouldn't happen. |
@thaidn private key base64 is |
Was there a resolution on this one? We are experiencing a similar error in some cases |
I've added tests with the private key above to Wycheproof.
So far, I'm unable to reproduce the issue.
Maybe there is an old version involved.
…On Tue, Aug 20, 2019 at 4:25 PM Shivansh Srivastava < ***@***.***> wrote:
Was there a resolution on this one? We are experiencing a similar error in
some cases
Though we are using it in our service running in AWS .
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#224>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AGGH7XXBQVKUG4MFLXNZFK3QFP5HJANCNFSM4HWSL5BQ>
.
|
We've updated the version and we can still see this issue. It is not happening regularly but in scale we can see it happening 3 times in over a million request. We tried to replicate this issue but couldn't. Earlier we thought that as it has happened only once and it could be a faulty CPU as stated in the comment. But it has occurred multiple times now. Can someone please help us out what might be the cause here? And how can it be resolved ? |
Is this deterministic?
E.g. one way to determine when the bug happens is to add additional checks
to the code.
I.e. change the line above the place where the error is thrown
// scalar by 4 bits.
for (int i = 1; i < e.length; i += 2) {
CachedXYT t = new CachedXYT(CACHED_NEUTRAL);
select(t, i / 2, e[i]);
add(ret, XYZT.fromPartialXYZT(xyzt, ret), t);
}
to something like this:
// Add multiples of B for even indices of e.
for (int i = 0; i < e.length; i += 2) {
// Make a copy of ret for comparison.
PartialXYZT ret_copy = new PartialXYZT(ret);
CachedXYT t = new CachedXYT(CACHED_NEUTRAL);
select(t, i / 2, e[i]);
add(ret, XYZT.fromPartialXYZT(xyzt, ret), t);
// Check for arithmetic bug:
if (!new XYZ(ret).isOnCurve()) {
... dump t, i, ret_copy and ret_old
}
}
…On Sat, Sep 7, 2019 at 1:59 AM Shivansh Srivastava ***@***.***> wrote:
We've updated the version and we can still see this issue. It is not
happening regularly but in scale we can see it happening 3 times in over a
million request. We tried to replicate this issue but couldn't. Earlier we
thought that as it has happened only once and it could be a faulty CPU as
stated in the comment. But it has occurred multiple times now. Can someone
please help us out what might be the cause here? And how can it be resolved
?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#224>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AGGH7XRO4SXWZ7FHZJMT3O3QILVHLANCNFSM4HWSL5BQ>
.
|
@shiv4nsh so you got this exception even on AWS? Could you please provide us with the message, the signature, and the private key that cause the error? |
Hey guys @thaidn , @bleichen, In both the cases we had the same key signing the tokens. Here is the private key: |
Thanks a lot. Is it possible to share a code snippet or a unit test that triggers the error? |
Sure. you can use the following code to recreate this error:
|
@thaidn, just as an extra data point, the failure rate we've seen over the last two weeks is 1 failure per ~35,000,000 signing operations. So it's happening rarely, but often enough to be an issue. |
One more data point (although this one isn't a huge surprise, it seemed worth confirming): changing the input by e.g. regenerating the JWT ID and then retrying the signing call results in success. |
Cool, thanks for the all the info. We're investigating! |
Just an update, we can reliably reproduce it now. Still haven't identified the root cause, but this looks bad :(. |
We spend the afternoon debugging, and found the issue: the isOnCurve check did not reduce the coefficients before comparing. The good news is that this isn't a vulnerability, it merely means our test to check that our math was correct was a bit overeager. Fix will be out soon. |
Problem was: isOnCurve did not reduce the limbs before checking for equality. PiperOrigin-RevId: 272245293
This should be fixed at HEAD and will be included in 1.3.0 release. We may also backport it to 1.2.3. |
@chuckx Charles, what do you think about backporting this to 1.2.3? |
I meant to say before - thank you for the quick investigation and fix. We're looking forward to a 1.2.3 or 1.3.0 release - and happy to contribute help if there's a way we can do that (e.g. preparing a backport to 1.2.3?). |
Problem was: isOnCurve did not reduce the limbs before checking for equality. PiperOrigin-RevId: 272245293
Although we have a mitigation in place in our own code for this, we'd really like to upgrade to a release that includes this fix. Can I help with getting a 1.2.3 or 1.3.0 release out? |
Thanks for reaching out. We've been slowly working through an unfortunately long series of issues with our build/test/repository tooling. I'm attempting to publish 1.3.0-rc2 today (which is the reason for the burst of pull request activity... getting changes integrated in anticipation of cutting a new release branch). Barring any surprises, the final release 1.3.0 release should follow a week or so later. Regarding making a patch release of the 1.2 branch (i.e. 1.2.3), that is made a bit more complicated due to the the same build tooling issues (i.e. we'd need to cherry pick changes to replicate the Bazel version pinning approach we've taken). At this point, I'm prioritizing getting 1.3.0 moving along, since it's overdue and cleanly cherry-picking to 1.2 is complicated due to its age (particularly for the iOS release artifacts, which relies on an internal workflow and is its own can of worms). |
tink-crypto/tink#224 So far I haven't been able to reproduce the bug. However, a lot of tests just check the signature verification. NOKEYCHECK=True PiperOrigin-RevId: 260466789 GitOrigin-RevId: bc252d53eaede4ec4eb89fef072dc5d19d17dbf5
jdk11 did add ED25519 and ED448. BC supports ED25519, but is slightly malleable. Conscrypt supports none (rsp. uses different algorithm names). This is related to tink-crypto/tink#224 However, tests for signatures are still missing. NOKEYCHECK=True PiperOrigin-RevId: 260726100 GitOrigin-RevId: c4c5855aa3e86c0e47ad88f16e6496b98149364f
Ah, thanks @chuckx, that makes sense! I can see 1.3.0-rc2 is out now. We may try that ahead of 1.3.0 itself. |
FYI, we're working through an issue that affects Tink-Android inc 1.3.0-rc2 (see #289). As mentioned in that issue, we're working through integrating the necessary dependency upgrades to fix the issue. We'll put together another release candidate to verify things are in working order before finalizing the release. |
Thanks @chuckx. We updated to 1.3.0-rc2 and have been using it in production for five days now - and we've not seen any recurrences of this issue. We'll update to newer release candidates/releases as they become ready too. |
1.3.0-RC3 is out. It should work as well as 1.3.0-RC2. |
we use Tink-Android to generate keyPair and sign our information. it work well in common case.
but there is a crash in Android device
M1 E
when we useand we find the throwable is
https://github.com/google/tink/blob/09fc71c45dc7c4ecc7fb0df3414b0fb3a9ca52c3/java/src/main/java/com/google/crypto/tink/subtle/Ed25519.java#L626
Android version: 7.0
cpu: Helio P10
gpu: ARM Mali-T860
Tink-Android Version: 1.2.2
Is there anyone can help me ? thanks !
The text was updated successfully, but these errors were encountered: