docs: prototype design and implementation risks
sander committed Mar 25, 2024
1 parent 7b9f94a commit a6c4650
Showing 4 changed files with 43 additions and 3 deletions.
13 changes: 10 additions & 3 deletions src/api.rs
Expand Up @@ -34,13 +34,14 @@ pub type Mask = [u8; 32];

/// Entitlement to enroll.
///
/// Contains provider commitments `([a10]G, [a11]G)` and a proof of knowledge
/// of `a10`.
/// Contains provider commitments ([<i>a</i><sub>10</sub>]<i>G</i>,
/// [<i>a</i><sub>11</sub>]<i>G</i>) and a Schnorr zero-knowledge proof of
/// knowledge of <i>a</i><sub>10</sub>.
pub type Voucher = [u8; 131];

/// Attempt to redeem a [Voucher] to enroll.
///
/// Contains subscriber commitments `([a20]G, [a21]G)`, a proof of knowledge
/// Contains subscriber commitments () `([a20]G, [a21]G)`, a proof of knowledge
/// of `a20`, and a secret share `a20 + a21 * 1` for the provider.
pub type Redemption = [u8; 163];

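Review bot: the rewritten `Redemption` doc line now reads "Contains subscriber commitments () `([a20]G, [a21]G)`"; the empty `()` in front of the code span looks like an editing leftover and should be dropped, otherwise the rendered sentence shows a stray pair of parentheses. In the same hunk the `Voucher` doc switches from the backtick form to inline HTML (`[<i>a</i><sub>10</sub>]<i>G</i>`) while `Redemption` keeps backticks; pick one notation for both types so the API docs stay consistent, and prefer the backtick form, which is also readable in the source.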
Expand Down Expand Up @@ -147,6 +148,12 @@ pub unsafe extern "C" fn pay(
}

/// Releases a [Payload] from memory.
///
/// # Risk
///
/// - It is easy for users to forget releasing allocated memory. Possibly this
/// does not require a separate function anyway, since the functions consuming
/// a payload would release it anyway.
#[no_mangle]
#[export_name = "scal3_release"]
pub unsafe extern "C" fn release(
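Review bot: the new Risk bullet on `release` says the consuming functions "would release it anyway", but if that is how they behave, a caller who follows this doc and calls `scal3_release` after passing the payload to such a function gets a double free; state explicitly which functions take ownership of a `Payload` and whether `release` is only for payloads that were never consumed, rather than leaving the ownership rule as a possibility. Minor: "anyway" appears twice in the same sentence.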
13 changes: 13 additions & 0 deletions src/api/provider.rs
Expand Up @@ -100,6 +100,11 @@ pub extern "C" fn vouch(
/// let process = provider::process(&randomness, &redemption, &mut info);
/// assert!(!process.is_null())
/// ```
///
/// # Risks
///
/// - The output `info` leaks implementation details. It could be better to
/// output a fixed-size digest for use with a pre-hashed signing function.
#[no_mangle]
#[export_name = "scal3_provider_process"]
pub extern "C" fn process(
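Review bot: "leaks implementation details" does not say what a caller can learn from `info` or why that is a problem; name the concrete concern (for instance that callers end up depending on the current internal encoding, so it cannot change without breaking them) and document `info` as opaque until the fixed-size digest is in place. If the plan is a digest for a pre-hashed signing function, the note should also say which hash and domain-separation tag the digest would use, since that is what the signature would then commit to.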
Expand Down Expand Up @@ -259,6 +264,14 @@ pub extern "C" fn challenge(
/// # Ok(())
/// # }
/// ```
///
/// # Risks
///
/// - A person in the middle could change the subscriber’s signature share
/// before forwarding to the provider, potentially exhausting an attempt
/// rate limiting counter, and thereby causing a denial of service. This
/// could be mitigated by additionally verifying a checksum of input data
/// under the device signature.
#[export_name = "scal3_provider_prove"]
pub extern "C" fn prove(
randomness: &Randomness,
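Review bot: the proposed mitigation (a checksum of the input data under the device signature) only prevents the denial of service if the provider verifies that signature before it counts the attempt against the rate limit; the bullet does not say where in `prove` that check happens, so add the ordering. "Exhausting an attempt rate limiting counter" also reads awkwardly; "consuming the subscriber's rate-limited attempts" is clearer. Separately, this function carries `#[export_name = "scal3_provider_prove"]` without the `#[no_mangle]` that the other exported functions in this patch have; it still exports, but keeping the attribute pairs uniform avoids questions later.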
5 changes: 5 additions & 0 deletions src/api/subscriber.rs
Expand Up @@ -153,6 +153,11 @@ pub type Data = [u8; DATA_TO_SIGN_DOMAIN.len() + 32];
/// # Ok(())
/// # }
/// ```
///
/// # Risks
///
/// - The output `data` leaks implementation details. It could be better to
/// output a fixed-size digest for use with a pre-hashed signing function.
#[no_mangle]
#[export_name = "scal3_subscriber_authenticate"]
pub extern "C" fn authenticate(
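Review bot: this bullet is word for word the one added to `provider::process` in the same commit, with `data` in place of `info`; if both outputs are meant to become the same fixed-size digest, describe that once in the crate-level `Risks` list in `lib.rs` and link to it from both functions, so the two notes cannot drift apart when one of them is resolved.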
15 changes: 15 additions & 0 deletions src/lib.rs
Expand Up @@ -30,6 +30,21 @@
//! ## Auditing
//!
//! The [subscriber] or any other party with access can [verify] the [Evidence].
//!
//! # Risks
//!
//! - Not all hash functions are checked for proper domain separation. This risk
//! could be limited by centralizing all hash function definitions for easier
//! review.
//! - This library does not apply its dependencies everywhere in an idiomatic
//! way. For example, where dependency constructors are not exposed, the
//! implementation now relies on serialization/deserialization. Also,
//! sometimes too low-level types are used, such as `Scalar` instead of
//! `SecretKey` and `ProjectivePoint` instead of `PublicKey`, which
//! potentially means missing out on some security features.
//! - The implementation may still be vulnerability to side channel attacks,
//! such as timing attacks and reading memory that was not zeroized in time.
//! The security dependencies offer functions to implement this properly.
mod api;
mod group;
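Review bot: "may still be vulnerability to side channel attacks" should read "may still be vulnerable to side-channel attacks". The new `# Risks` heading is level 1 while the neighbouring crate-doc sections use level 2 (`## Auditing`); use `## Risks` so it sits at the same level. The third bullet says the security dependencies "offer functions to implement this properly" without naming them; listing the zeroization and constant-time helpers that are meant makes the item actionable for whoever picks it up, and the second bullet would likewise benefit from naming which call sites use `Scalar` and `ProjectivePoint` where `SecretKey` and `PublicKey` were intended.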