
159 points botanica_labs | 4 comments
1. csmantle No.45670755
User-supplied EC point validation is one of the most basic yet crucial steps in a sound implementation. I wonder why no one (and no tests) at CloudFlare caught these carelessnesses pre-signoff and pre-release.
replies(1): >>45671101
2. bri3d No.45671101
The article's deep dive into the math does it a disservice IMO, by making this seem like an arcane and complex issue. This is an EC Cryptography 101 level mistake.

Reading the actual CIRCL library source and README on GitHub: https://github.com/cloudflare/circl makes me see it as just fundamentally unserious, though; there's a big "lol don't use this!" disclaimer and no elaboration about considerations applied to each implementation to avoid common pitfalls, mention of third or first-party audit reports, or really anything I'd expect to see from a cryptography library.

replies(1): >>45671875
3. tptacek No.45671875
It's more subtle than that and is not actually that simple (though the attack is). The "modern" curve constructions pioneered by Bernstein are supposed to be misuse-resistant in this regard; Bernstein popularized both Montgomery and Edwards curves. His two major curve implementations are Curve25519 and Ed25519, which are different mathematical representations of the same underlying curve. Curve25519 famously isn't vulnerable to this attack!
replies(1): >>45677244
4. edelbitter No.45677244
Bernstein also published a simple checklist [1] of what people are likely to do wrong if not ruled out by design. Bullet point 2 on that list was:

> Your implementation leaks secret data when the input isn't a curve point.

[1]: https://safecurves.cr.yp.to/