Interesting story here, h/t @kristapsk , apparently latest openssl has in some sense 'deprecated' RIPEMD160 (which is used in creating legacy bitcoin addresses), in the sense that it won't be available in the default configuration of the newest openssl.

openssl is one of those scary things you try hard to not use because it's a bunch of dependency cruft.

But ! In python, hashlib is apparently using it under the hood ... (1/2)


@kristapsk ... so the idea of replacing with a custom implementation arises. This is being discussed for python-bitcointx: ,

and the question of: is it constant time? arose. I see that as not an issue since this hash only protects public keys/scripts, not secret key material. There's no attack worth mentioning. It's also interesting that the openssl people consider this hash 'broken', although I'm not sure of details (collisions or preimage or?).

@waxwing @kristapsk this Python issue also broke Bitcoin Core's continuous integration system (as mentioned in the issue you link).

Bitcoin's tests don't care about constant-timeness, so this was a relatively easy fix.

@sjors @waxwing @kristapsk isn't this part of the #Bitcoin doesn't care about or need conventional time because it is time?

Like, when a block is mined that's an epoch?

@Ogfomk @sjors @kristapsk the 'constant time' thing is about what's generally called 'sidechannel attacks'. Basic idea is: if I have *some* access to your system, and I want to steal your private keys, there might not be a direct bug I can exploit, but if I can see a difference in processing time for different signatures/operations, I can use sophisticated algorithms to convert that tiny bit of information, into information about your private key. It's extremely difficult but possible. (1/2)

@Ogfomk @sjors @kristapsk there are other sidechannel attacks like 'power sidechannel' where you analyse voltage/power of the machine if you have physical access to do so.

Libraries like libsecp256k1 have to take this seriously, since they get used across all kinds of devices, any of which might be vulnerable to sidechannel analysis. Writing cryptographic code so it takes the same amount of time independent of secret key material is a (2/3)

@Ogfomk @sjors @kristapsk

very sophisticated process, especially because they still want it to be fast/high performance. (3/3)

@Ogfomk @sjors @kristapsk

(PS note 'some access to your system' does *not* always imply physical proximity, timing sidechannel attacks can sometimes be performed over the network, although it makes it a lot more difficult).
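
The timing leak described in the posts above, as an added example (not code from the thread or from libsecp256k1). A stopwatch is noisy, so the instrumentation here counts loop iterations instead, which is exactly what a timing measurement approximates: an early-exit comparison stops at the first mismatch, so the amount of work reveals how many leading bytes of a guess were right, and a secret can be recovered one byte at a time. The constant-time version always does the full amount of work. The secret and the oracle functions are assumptions of this example.

```python
"""Added example: an early-exit comparison as a timing oracle, and its fix."""
import hmac


def leaky_equal(a: bytes, b: bytes):
    """Early-exit compare. Returns (equal, bytes_examined).

    Work done depends on the length of the common prefix, which is the
    side channel: an observer who can time this learns the prefix length.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes):
    """OR the differences together; the loop always runs to the end."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def stdlib_equal(a: bytes, b: bytes) -> bool:
    """What to actually use in Python: hmac.compare_digest."""
    return hmac.compare_digest(a, b)


def recover_by_timing(secret: bytes) -> bytes:
    """Recover `secret` using only the step count of leaky_equal as the oracle."""
    recovered = bytearray()
    for pos in range(len(secret)):
        for candidate in range(256):
            guess = bytes(recovered) + bytes([candidate]) + b'\x00' * (len(secret) - pos - 1)
            equal, steps = leaky_equal(secret, guess)
            # A wrong byte at `pos` stops the loop at pos + 1 steps; a right one
            # goes further (or, for the final byte, compares equal).
            if equal or steps > pos + 1:
                recovered.append(candidate)
                break
        else:
            raise RuntimeError('no candidate matched; oracle assumption broken')
    return bytes(recovered)


if __name__ == '__main__':
    secret = b'hunter2'  # constructed secret for the demo
    print(recover_by_timing(secret))
    print(constant_time_equal(secret, b'hunter3')[1], 'bytes examined either way')
```

Against `leaky_equal` the recovery needs at most 256 guesses per byte instead of 256 to the power of the length; against `constant_time_equal` every guess costs the same, so the step count tells the attacker nothing. Real attacks replace the step counter with many repeated timings and statistics, which is the "sophisticated algorithms" part of the explanation above.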

@waxwing @sjors @kristapsk

Thank you for taking the time to explain that. It makes sense. Kind of like the ability to listen to cat5/6 or window panes without a physical connection (or an Orthodox connection).

This attack vector is reserved for big fish.

Or it is reserved for low hanging fruit.

Better to make security cheap and attacks expensive!

@Ogfomk @sjors @kristapsk yeah mostly these attacks are very sophisticated. But they could be 'easy' in some situations like if you had physical access to a hardware wallet, for example.

@waxwing @sjors @kristapsk Oh, yeah, all security is based on proximity. If you are sitting inside of an armed tank you have the ability to circumnavigate the keys quite easily because there are none. The keys are ability and knowledge.
