fix: X25519 cofactor malleability (#843)

huitseeker · web-flow · commit 6f87a329c9a4 · 2026-02-24T11:00:27.000-05:00
* test x25519 torsion

* bind ies kdf

* reject x25519 torsion

* chore: Changelog

* test: cover x25519 torsion rejection

* chore: debug-assert x25519 all-zero shared secret

* docs: clarify HKDF info context
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@
 - Added `Signature::from_der()` for ECDSA signatures over secp256k1 ([#842](https://github.com/0xMiden/crypto/pull/842)).
 - Fix possible panic in `XChaCha::decrypt_bytes_with_associated_data` and harden deserialization with fuzzing across 7 new targets ([#836](https://github.com/0xMiden/crypto/pull/836)).
 - Use read_from_bytes_with_budget instead of read_from_bytes for deserialization from untrusted sources, setting the budget to the actual input byte slice length. ([#846](https://github.com/0xMiden/crypto/pull/846)).
+- [BREAKING] Added info context field to secret box, bind IES HKDF info to a stable context string, scheme identifier, and ephemeral public key bytes. ([#843](https://github.com/0xMiden/crypto/pull/843)).
 
 ## 0.22.3 (2026-02-23)
 
diff --git a/miden-crypto/src/ecdh/k256.rs b/miden-crypto/src/ecdh/k256.rs
@@ -218,10 +218,11 @@ impl KeyAgreementScheme for K256 {
     fn extract_key_material(
         shared_secret: &Self::SharedSecret,
         length: usize,
+        info: &[u8],
     ) -> Result<Vec<u8>, super::KeyAgreementError> {
         let hkdf = shared_secret.extract(None);
         let mut buf = vec![0_u8; length];
-        hkdf.expand(&[], &mut buf)
+        hkdf.expand(info, &mut buf)
             .map_err(|_| super::KeyAgreementError::HkdfExpansionFailed)?;
         Ok(buf)
     }
diff --git a/miden-crypto/src/ecdh/mod.rs b/miden-crypto/src/ecdh/mod.rs
@@ -43,9 +43,13 @@ pub(crate) trait KeyAgreementScheme {
     ) -> Result<Self::SharedSecret, KeyAgreementError>;
 
     /// Extracts key material from shared secret.
+    ///
+    /// `info` is the HKDF context string for domain separation and binding to the IES scheme and
+    /// ephemeral public key (see `CryptoBox::build_kdf_info`).
     fn extract_key_material(
         shared_secret: &Self::SharedSecret,
         length: usize,
+        info: &[u8],
     ) -> Result<Vec<u8>, KeyAgreementError>;
 }
 
diff --git a/miden-crypto/src/ecdh/x25519.rs b/miden-crypto/src/ecdh/x25519.rs
@@ -155,6 +155,17 @@ impl Serializable for EphemeralPublicKey {
 impl Deserializable for EphemeralPublicKey {
     fn read_from<R: ByteReader>(source: &mut R) -> Result<Self, DeserializationError> {
         let bytes: [u8; 32] = source.read_array()?;
+        // Reject twist points and low-order points. We intentionally avoid the more expensive
+        // torsion-free check; small-order rejection mitigates the most dangerous malleability
+        // issues, even though it does not guarantee torsion-freeness.
+        let mont = curve25519_dalek::montgomery::MontgomeryPoint(bytes);
+        let edwards = mont.to_edwards(0).ok_or_else(|| {
+            DeserializationError::InvalidValue("Invalid X25519 public key".into())
+        })?;
+        if edwards.is_small_order() {
+            return Err(DeserializationError::InvalidValue("Invalid X25519 public key".into()));
+        }
+
         Ok(Self {
             inner: x25519_dalek::PublicKey::from(bytes),
         })
@@ -188,23 +199,28 @@ impl KeyAgreementScheme for X25519 {
         ephemeral_sk: Self::EphemeralSecretKey,
         static_pk: &Self::PublicKey,
     ) -> Result<Self::SharedSecret, super::KeyAgreementError> {
-        Ok(ephemeral_sk.diffie_hellman(static_pk))
+        let shared = ephemeral_sk.diffie_hellman(static_pk);
+        debug_assert!(!shared.as_ref().iter().all(|byte| *byte == 0), "all-zero shared secret");
+        Ok(shared)
     }
 
     fn exchange_static_ephemeral(
         static_sk: &Self::SecretKey,
         ephemeral_pk: &Self::EphemeralPublicKey,
     ) -> Result<Self::SharedSecret, super::KeyAgreementError> {
-        Ok(static_sk.get_shared_secret(ephemeral_pk.clone()))
+        let shared = static_sk.get_shared_secret(ephemeral_pk.clone());
+        debug_assert!(!shared.as_ref().iter().all(|byte| *byte == 0), "all-zero shared secret");
+        Ok(shared)
     }
 
     fn extract_key_material(
         shared_secret: &Self::SharedSecret,
         length: usize,
+        info: &[u8],
     ) -> Result<Vec<u8>, super::KeyAgreementError> {
         let hkdf = shared_secret.extract(None);
         let mut buf = vec![0_u8; length];
-        hkdf.expand(&[], &mut buf)
+        hkdf.expand(info, &mut buf)
             .map_err(|_| super::KeyAgreementError::HkdfExpansionFailed)?;
         Ok(buf)
     }
@@ -215,8 +231,12 @@ impl KeyAgreementScheme for X25519 {
 
 #[cfg(test)]
 mod tests {
+    use curve25519_dalek::{constants::EIGHT_TORSION, montgomery::MontgomeryPoint};
+
     use super::*;
-    use crate::{dsa::eddsa_25519_sha512::SecretKey, rand::test_utils::seeded_rng};
+    use crate::{
+        dsa::eddsa_25519_sha512::SecretKey, rand::test_utils::seeded_rng, utils::Deserializable,
+    };
 
     #[test]
     fn key_agreement() {
@@ -242,4 +262,30 @@ mod tests {
         // Check that the computed shared secret keys are equal
         assert_eq!(shared_secret_key_1.inner.to_bytes(), shared_secret_key_2.inner.to_bytes());
     }
+
+    #[test]
+    fn ephemeral_public_key_rejects_small_order() {
+        let bytes = EIGHT_TORSION[1].to_montgomery().to_bytes();
+        let result = EphemeralPublicKey::read_from_bytes(&bytes);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn ephemeral_public_key_rejects_twist_point() {
+        let bytes = find_twist_point_bytes();
+        let result = EphemeralPublicKey::read_from_bytes(&bytes);
+        assert!(result.is_err());
+    }
+
+    fn find_twist_point_bytes() -> [u8; 32] {
+        let mut bytes = [0u8; 32];
+        for i in 0u16..=u16::MAX {
+            bytes[0] = (i & 0xff) as u8;
+            bytes[1] = (i >> 8) as u8;
+            if MontgomeryPoint(bytes).to_edwards(0).is_none() {
+                return bytes;
+            }
+        }
+        panic!("no twist point found in 16-bit search space");
+    }
 }
diff --git a/miden-crypto/src/ies/crypto_box.rs b/miden-crypto/src/ies/crypto_box.rs
@@ -8,8 +8,13 @@ use alloc::vec::Vec;
 
 use rand::{CryptoRng, RngCore};
 
-use super::IesError;
-use crate::{Felt, aead::AeadScheme, ecdh::KeyAgreementScheme, utils::zeroize::Zeroizing};
+use super::{IesError, IesScheme};
+use crate::{
+    Felt,
+    aead::AeadScheme,
+    ecdh::KeyAgreementScheme,
+    utils::{Serializable, zeroize::Zeroizing},
+};
 
 // CRYPTO BOX
 // ================================================================================================
@@ -20,12 +25,27 @@ pub(super) struct CryptoBox<K: KeyAgreementScheme, A: AeadScheme> {
 }
 
 impl<K: KeyAgreementScheme, A: AeadScheme> CryptoBox<K, A> {
+    const KDF_CONTEXT: &'static [u8] = b"miden-crypto/ies/hkdf-v1";
+
+    /// Builds the HKDF `info` used for IES key derivation.
+    /// Layout: `[KDF_CONTEXT || scheme_id || ephemeral_public_key]` where `scheme_id = scheme as
+    /// u8`.
+    fn build_kdf_info(scheme: IesScheme, ephemeral_public_key: &K::EphemeralPublicKey) -> Vec<u8> {
+        let mut info =
+            Vec::with_capacity(Self::KDF_CONTEXT.len() + 1 + ephemeral_public_key.to_bytes().len());
+        info.extend_from_slice(Self::KDF_CONTEXT);
+        info.push(scheme as u8);
+        info.extend_from_slice(&ephemeral_public_key.to_bytes());
+        info
+    }
+
     // BYTE-SPECIFIC METHODS
     // --------------------------------------------------------------------------------------------
 
     pub fn seal_bytes_with_associated_data<R: CryptoRng + RngCore>(
         rng: &mut R,
         recipient_public_key: &K::PublicKey,
+        scheme: IesScheme,
         plaintext: &[u8],
         associated_data: &[u8],
     ) -> Result<(Vec<u8>, K::EphemeralPublicKey), IesError> {
@@ -36,8 +56,9 @@ impl<K: KeyAgreementScheme, A: AeadScheme> CryptoBox<K, A> {
                 .map_err(|_| IesError::KeyAgreementFailed)?,
         );
 
+        let kdf_info = Self::build_kdf_info(scheme, &ephemeral_public);
         let encryption_key_bytes = Zeroizing::new(
-            K::extract_key_material(&shared_secret, <A as AeadScheme>::KEY_SIZE)
+            K::extract_key_material(&shared_secret, <A as AeadScheme>::KEY_SIZE, &kdf_info)
                 .map_err(|_| IesError::FailedExtractKeyMaterial)?,
         );
 
@@ -55,6 +76,7 @@ impl<K: KeyAgreementScheme, A: AeadScheme> CryptoBox<K, A> {
     pub fn unseal_bytes_with_associated_data(
         recipient_private_key: &K::SecretKey,
         ephemeral_public_key: &K::EphemeralPublicKey,
+        scheme: IesScheme,
         ciphertext: &[u8],
         associated_data: &[u8],
     ) -> Result<Vec<u8>, IesError> {
@@ -63,8 +85,9 @@ impl<K: KeyAgreementScheme, A: AeadScheme> CryptoBox<K, A> {
                 .map_err(|_| IesError::KeyAgreementFailed)?,
         );
 
+        let kdf_info = Self::build_kdf_info(scheme, ephemeral_public_key);
         let decryption_key_bytes = Zeroizing::new(
-            K::extract_key_material(&shared_secret, <A as AeadScheme>::KEY_SIZE)
+            K::extract_key_material(&shared_secret, <A as AeadScheme>::KEY_SIZE, &kdf_info)
                 .map_err(|_| IesError::FailedExtractKeyMaterial)?,
         );
 
@@ -83,6 +106,7 @@ impl<K: KeyAgreementScheme, A: AeadScheme> CryptoBox<K, A> {
     pub fn seal_elements_with_associated_data<R: CryptoRng + RngCore>(
         rng: &mut R,
         recipient_public_key: &K::PublicKey,
+        scheme: IesScheme,
         plaintext: &[Felt],
         associated_data: &[Felt],
     ) -> Result<(Vec<u8>, K::EphemeralPublicKey), IesError> {
@@ -93,8 +117,9 @@ impl<K: KeyAgreementScheme, A: AeadScheme> CryptoBox<K, A> {
                 .map_err(|_| IesError::KeyAgreementFailed)?,
         );
 
+        let kdf_info = Self::build_kdf_info(scheme, &ephemeral_public);
         let encryption_key_bytes = Zeroizing::new(
-            K::extract_key_material(&shared_secret, <A as AeadScheme>::KEY_SIZE)
+            K::extract_key_material(&shared_secret, <A as AeadScheme>::KEY_SIZE, &kdf_info)
                 .map_err(|_| IesError::FailedExtractKeyMaterial)?,
         );
 
@@ -112,6 +137,7 @@ impl<K: KeyAgreementScheme, A: AeadScheme> CryptoBox<K, A> {
     pub fn unseal_elements_with_associated_data(
         recipient_private_key: &K::SecretKey,
         ephemeral_public_key: &K::EphemeralPublicKey,
+        scheme: IesScheme,
         ciphertext: &[u8],
         associated_data: &[Felt],
     ) -> Result<Vec<Felt>, IesError> {
@@ -120,8 +146,9 @@ impl<K: KeyAgreementScheme, A: AeadScheme> CryptoBox<K, A> {
                 .map_err(|_| IesError::KeyAgreementFailed)?,
         );
 
+        let kdf_info = Self::build_kdf_info(scheme, ephemeral_public_key);
         let decryption_key_bytes = Zeroizing::new(
-            K::extract_key_material(&shared_secret, <A as AeadScheme>::KEY_SIZE)
+            K::extract_key_material(&shared_secret, <A as AeadScheme>::KEY_SIZE, &kdf_info)
                 .map_err(|_| IesError::FailedExtractKeyMaterial)?,
         );
 
diff --git a/miden-crypto/src/ies/keys.rs b/miden-crypto/src/ies/keys.rs
@@ -47,9 +47,11 @@ macro_rules! impl_seal_bytes_with_associated_data {
             match self {
                 $(
                     $variant(key) => {
+                        let scheme = self.scheme();
                         let (ciphertext, ephemeral) = <$crypto_box>::seal_bytes_with_associated_data(
                             rng,
                             key,
+                            scheme,
                             plaintext,
                             associated_data,
                         )?;
@@ -82,9 +84,11 @@ macro_rules! impl_seal_elements_with_associated_data {
             match self {
                 $(
                     $variant(key) => {
+                        let scheme = self.scheme();
                         let (ciphertext, ephemeral) = <$crypto_box>::seal_elements_with_associated_data(
                             rng,
                             key,
+                            scheme,
                             plaintext,
                             associated_data,
                         )?;
@@ -130,7 +134,13 @@ macro_rules! impl_unseal_bytes_with_associated_data {
             match (self, ephemeral_key) {
                 $(
                     ($variant(key), $ephemeral_variant(ephemeral)) => {
-                        <$crypto_box>::unseal_bytes_with_associated_data(key, &ephemeral, &ciphertext, associated_data)
+                        <$crypto_box>::unseal_bytes_with_associated_data(
+                            key,
+                            &ephemeral,
+                            self.scheme(),
+                            &ciphertext,
+                            associated_data,
+                        )
                     }
                 )*
                 _ => Err(IesError::SchemeMismatch),
@@ -169,7 +179,13 @@ macro_rules! impl_unseal_elements_with_associated_data {
             match (self, ephemeral_key) {
                 $(
                     ($variant(key), $ephemeral_variant(ephemeral)) => {
-                        <$crypto_box>::unseal_elements_with_associated_data(key, &ephemeral, &ciphertext, associated_data)
+                        <$crypto_box>::unseal_elements_with_associated_data(
+                            key,
+                            &ephemeral,
+                            self.scheme(),
+                            &ciphertext,
+                            associated_data,
+                        )
                     }
                 )*
                 _ => Err(IesError::SchemeMismatch),
diff --git a/miden-crypto/src/ies/tests.rs b/miden-crypto/src/ies/tests.rs
@@ -230,6 +230,8 @@ mod k256_xchacha_tests {
 
 /// X25519 + XChaCha20-Poly1305 test suite
 mod x25519_xchacha_tests {
+    use curve25519_dalek::{constants::EIGHT_TORSION, montgomery::MontgomeryPoint};
+
     use super::*;
 
     #[test]
@@ -315,6 +317,41 @@ mod x25519_xchacha_tests {
         assert!(result.is_err());
     }
 
+    // Scenario: if anti-replay is based on sealed-message bytes rather than decrypted identity,
+    // malleability would allow repeated redemption of the same underlying coupon.
+    #[test]
+    fn test_x25519_ephemeral_torsion_rejected() {
+        let mut rng = rand::rng();
+        let plaintext = b"malleability check";
+
+        let secret_key = SecretKey25519::with_rng(&mut rng);
+        let public_key = secret_key.public_key();
+        let sealing_key = SealingKey::X25519XChaCha20Poly1305(public_key);
+        let unsealing_key = UnsealingKey::X25519XChaCha20Poly1305(secret_key);
+
+        let mut sealed = sealing_key.seal_bytes(&mut rng, plaintext).unwrap();
+
+        let eph_bytes = sealed.ephemeral_key.to_bytes();
+        let mut eph_array = [0u8; 32];
+        eph_array.copy_from_slice(&eph_bytes);
+
+        let mont = MontgomeryPoint(eph_array);
+        let edwards = mont.to_edwards(0).expect("ephemeral key should be on Curve25519");
+
+        let torsion = EIGHT_TORSION[1];
+        let altered = (edwards + torsion).to_montgomery().to_bytes();
+
+        assert_ne!(altered, eph_array);
+
+        let altered_key =
+            EphemeralPublicKey::from_bytes(IesScheme::X25519XChaCha20Poly1305, &altered).unwrap();
+
+        sealed.ephemeral_key = altered_key;
+
+        let result = unsealing_key.unseal_bytes(sealed);
+        assert!(result.is_err());
+    }
+
     proptest! {
         #[test]
         fn prop_x25519_xchacha_bytes_comprehensive(
