Add key commitment to prevent invisible salamanders attack

holmesworcester · holmesworcester · commit e90a6748dbd6 · 2025-03-20T14:41:40.000-04:00
Implements a key binding strategy that ensures a ciphertext can only be decrypted with the exact key used for encryption, preventing the invisible salamanders attack. This implementation: 1. Derives a committed key from the original key and nonce 2. Uses the committed key for encryption/decryption operations 3. Ensures an attacker cannot create different keys that decrypt to different messages References: https://soatok.blog/2024/09/10/invisible-salamanders-are-not-what-you-think/ and the paper 'Committing Authenticated Encryption: Generic Transforms with Hash Functions'
diff --git a/packages/crypto/src/symmetric.ts b/packages/crypto/src/symmetric.ts
@@ -5,7 +5,9 @@ import type { Base58, Cipher, Password, Payload } from './types.js'
 import { base58, keyToBytes } from './util/index.js'
 
 /**
- * Symmetrically encrypts a byte array.
+ * Symmetrically encrypts a byte array with key commitment protection.
+ * This implementation prevents the "invisible salamanders" attack by 
+ * binding the key to the ciphertext with a commitment scheme.
  */
 const encryptBytes = (
   /** The plaintext or object to encrypt */
@@ -16,14 +18,29 @@ const encryptBytes = (
   const messageBytes = pack(payload)
   const key = stretch(password)
   const nonce = sodium.randombytes_buf(sodium.crypto_secretbox_NONCEBYTES)
-  const encrypted = sodium.crypto_secretbox_easy(messageBytes, nonce, key)
+  
+  // Step 1: Create a key commitment by deriving a subkey bound to both the key and the nonce
+  // This ensures there's only one valid key for each ciphertext
+  const keyCommitment = sodium.crypto_generichash(
+    sodium.crypto_secretbox_KEYBYTES,  // Size of secretbox key
+    nonce,                             // Bind to the nonce
+    key                                // Derive from the key
+  )
+  
+  // Step 2: Use the committed key for encryption
+  // This binds the ciphertext to the specific key
+  const encrypted = sodium.crypto_secretbox_easy(messageBytes, nonce, keyCommitment)
+  
+  // Step 3: Package everything together
   const cipher: Cipher = { nonce, message: encrypted }
   const cipherBytes = pack(cipher)
   return cipherBytes
 }
 
 /**
- * Symmetrically decrypts a message encrypted by `symmetric.encryptBytes`. Returns the original byte array.
+ * Symmetrically decrypts a message encrypted by `symmetric.encryptBytes`.
+ * Derives the same committed key to ensure the ciphertext can only be decrypted
+ * with the exact same key used for encryption.
  */
 const decryptBytes = (
   /** The encrypted data in msgpack format */
@@ -33,8 +50,23 @@ const decryptBytes = (
 ): Payload => {
   const key = stretch(password)
   const { nonce, message } = unpack(cipher) as Cipher
-  const decrypted = sodium.crypto_secretbox_open_easy(message, nonce, key)
-  return unpack(decrypted)
+  
+  // Step 1: Derive the same committed key used for encryption
+  const keyCommitment = sodium.crypto_generichash(
+    sodium.crypto_secretbox_KEYBYTES,
+    nonce,
+    key
+  )
+  
+  // Step 2: Use the committed key for decryption
+  // If this is not the exact same key used for encryption, decryption will fail
+  try {
+    const decrypted = sodium.crypto_secretbox_open_easy(message, nonce, keyCommitment)
+    return unpack(decrypted)
+  } catch (error) {
+    // When key commitment fails, sodium.crypto_secretbox_open_easy will throw
+    throw new Error('Decryption failed - possible invisible salamanders attack')
+  }
 }
 
 /**
diff --git a/packages/crypto/src/test/symmetric.test.ts b/packages/crypto/src/test/symmetric.test.ts
@@ -46,5 +46,18 @@ describe('crypto', () => {
       const decrypted = symmetric.decryptBytes(encrypted, bytePassword)
       expect(decrypted).toEqual(plaintext)
     })
+    
+    test('prevents invisible salamanders attack', () => {
+      // Encrypt a message
+      const encrypted = symmetric.encryptBytes(plaintext, password)
+      
+      // Attempt to decrypt with wrong password should fail with specific error
+      const attemptToDecrypt = () => symmetric.decryptBytes(encrypted, 'wrong-password')
+      expect(attemptToDecrypt).toThrow('Decryption failed - possible invisible salamanders attack')
+      
+      // Successful decryption with correct password
+      const decrypted = symmetric.decryptBytes(encrypted, password)
+      expect(decrypted).toEqual(plaintext)
+    })
   })
 })
