
159 points botanica_labs | 2 comments
rdtsc ◴[] No.45672098[source]
Does the “don’t implement your own cryptography” advice apply to multi-billion companies, or is it just for regular, garden-variety developers?

Some of the issues, like validating input, seem like they should have been noticed. But of course one would need to understand how it works to notice it. And certainly, in a company like CF someone would know how this is supposed to work…

Surely the devs would have at least opened Wikipedia to read:

https://en.wikipedia.org/wiki/FourQ

> In order to avoid small subgroup attacks,[6] all points are verified to lie in an N-torsion subgroup of the elliptic curve, where N is specified as a 246-bit prime dividing the order of the group.

replies(2): >>45673910 #>>45676116 #
1. tptacek ◴[] No.45676116[source]
Cloudflare gets to roll cryptography; they employ a bunch of serious cryptographers. This is a good attack, and it's subtler than it looks.
replies(1): >>45676966 #
2. donavanm ◴[] No.45676966[source]
To wit, even then the old maxim still applies to _most developers inside Cloudflare_. Yes, some global/specialist corps can have actual applied crypto and security. But the vast vast majority of usage should still be using tools developed and tested by actual SMEs.
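
The point check described in the Wikipedia passage quoted in the first comment, as an added example that is not part of the thread and is not FourQ or Cloudflare code. It uses a toy Edwards curve with constructed parameters (`P`, `D`, `N`, `H` and all function names are this example's own) and accepts a received point only if it is on the curve and is sent to the neutral element by `N`.

```python
# Toy Edwards curve x^2 + y^2 = 1 + D*x^2*y^2 over GF(P).
# Constructed parameters for illustration only (not FourQ): the group has
# 28 = H * N points, with prime N = 7 and cofactor H = 4.
P, D, N, H = 19, 8, 7, 4
IDENTITY = (0, 1)

def on_curve(pt):
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (x * x + y * y - 1 - D * x * x * y * y) % P == 0

def add(p1, p2):
    # Complete Edwards addition law: D is a non-square mod P, so the
    # denominators are never zero for points on the curve.
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)

def mul(k, pt):
    # Double-and-add; fine for a toy, not constant time.
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def validate(pt):
    # Accept only points of the order-N subgroup. Rejecting the neutral
    # element as well is a choice made by this example.
    return on_curve(pt) and pt != IDENTITY and mul(N, pt) == IDENTITY

def all_points():
    return [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]

def unchecked_outputs(pt):
    # Distinct values of k*pt over all secret scalars k. For a low-order
    # point the set is tiny, so an unvalidated result depends only on
    # k modulo that point's order.
    return {mul(k, pt) for k in range(1, H * N)}
```

Of the 28 points on this curve only 6 pass `validate`; the order-4 point `(1, 0)` is on the curve yet is rejected, and `unchecked_outputs((1, 0))` has just 4 members.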