Tim Ruffing [ARCHIVE] on Nostr: 📅 Original date posted:2023-05-14 🗒️ Summary of this message: Libsecp256k1 ...
📅 Original date posted:2023-05-14
🗒️ Summary of this message: Libsecp256k1 version 0.3.2 has been released, fixing a bug in the ECDH code that could leave applications vulnerable to a side-channel attack.
📝 Original message:Hello,
We'd like to announce the release of version 0.3.2 of libsecp256k1:
https://github.com/bitcoin-core/secp256k1/releases/tag/v0.3.2
This is a bugfix release after 0.3.1. The impetus for this release is
the discovery that GCC 13 became smart enough to optimize out a
specific timing side-channel protection mechanism in the ECDH code that
could leave applications vulnerable to a side-channel attack. This has
been fixed in 0.3.2 [1].
For the full changelog, see
https://github.com/bitcoin-core/secp256k1/blob/master/CHANGELOG.md
We strongly recommend any users of the library to upgrade if their code
may end up being compiled with GCC >=13. Bitcoin Core is not affected
because it does not use libsecp256k1's ECDH module.
Note: The underlying side-channel issue is very similar to the issue
that lead to the previous 0.3.1 release. Unfortunately, there is no
generic way to prevent compilers from "optimizing" code by adding
secret-dependent branches (which are undesired in cryptographic
applications), and it is hard to predict what optimizations future
compiler versions will add. There's ongoing work [2] to test on
unreleased development snapshots of GCC and Clang, which would make it
possible to catch similar cases earlier in the future.
[1]: https://github.com/bitcoin-core/secp256k1/pull/1303
[2]: https://github.com/bitcoin-core/secp256k1/pull/1313
🗒️ Summary of this message: Libsecp256k1 version 0.3.2 has been released, fixing a bug in the ECDH code that could leave applications vulnerable to a side-channel attack.
📝 Original message:Hello,
We'd like to announce the release of version 0.3.2 of libsecp256k1:
https://github.com/bitcoin-core/secp256k1/releases/tag/v0.3.2
This is a bugfix release after 0.3.1. The impetus for this release is
the discovery that GCC 13 became smart enough to optimize out a
specific timing side-channel protection mechanism in the ECDH code that
could leave applications vulnerable to a side-channel attack. This has
been fixed in 0.3.2 [1].
For the full changelog, see
https://github.com/bitcoin-core/secp256k1/blob/master/CHANGELOG.md
We strongly recommend any users of the library to upgrade if their code
may end up being compiled with GCC >=13. Bitcoin Core is not affected
because it does not use libsecp256k1's ECDH module.
Note: The underlying side-channel issue is very similar to the issue
that lead to the previous 0.3.1 release. Unfortunately, there is no
generic way to prevent compilers from "optimizing" code by adding
secret-dependent branches (which are undesired in cryptographic
applications), and it is hard to predict what optimizations future
compiler versions will add. There's ongoing work [2] to test on
unreleased development snapshots of GCC and Clang, which would make it
possible to catch similar cases earlier in the future.
[1]: https://github.com/bitcoin-core/secp256k1/pull/1303
[2]: https://github.com/bitcoin-core/secp256k1/pull/1313