RustCrypto SM2 Public Key Encryption Vulnerability Allows Plaintext Recovery

Vulnerability

A critical vulnerability exists in the RustCrypto SM2 Public Key Encryption (PKE) implementation, specifically in versions 0.14.0-pre.0 and 0.14.0-rc.0. The issue arises because the ephemeral nonce 'k' is generated with significantly reduced entropy due to a unit mismatch error. This error causes the nonce generation function to request only 32 bits of randomness instead of the required 256 bits, compromising the encryption's security. As a result, an attacker can recover the nonce 'k' and decrypt any ciphertext using just the public key and ciphertext.
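The bits-versus-bytes mismatch described above, shown as an added illustration in hypothetical code (not RustCrypto's implementation): a helper whose length argument is in bits, the vulnerable call that passes the byte count to it, the corrected call, and a regression check that reports how many bits of the scalar the generator actually touches. The xorshift generator is a constructed stand-in for a CSPRNG so the demo runs offline.

```rust
/// SM2 scalar width in bytes (256 bits).
const SCALAR_BYTES: usize = 32;

/// Deterministic xorshift64: a constructed stand-in for a CSPRNG, not for real use.
struct DemoRng(u64);

impl DemoRng {
    fn next_byte(&mut self) -> u8 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        (x >> 56) as u8
    }
}

/// Hypothetical helper whose length is in BITS: fills `bits / 8` leading bytes.
fn fill_random_bits(rng: &mut DemoRng, bits: usize) -> [u8; SCALAR_BYTES] {
    let mut k = [0u8; SCALAR_BYTES];
    for b in k.iter_mut().take((bits / 8).min(SCALAR_BYTES)) {
        *b = rng.next_byte();
    }
    k
}

/// The mismatch: the byte count (32) is passed to a bits API, so k gets 32 bits.
fn nonce_vulnerable(rng: &mut DemoRng) -> [u8; SCALAR_BYTES] {
    fill_random_bits(rng, SCALAR_BYTES)
}

/// Corrected call: request the full 256 bits.
fn nonce_fixed(rng: &mut DemoRng) -> [u8; SCALAR_BYTES] {
    fill_random_bits(rng, SCALAR_BYTES * 8)
}

/// Regression check: count byte positions that are non-zero in at least one
/// sample and report them as bits; a position stuck at zero was never filled.
fn effective_entropy_bits(samples: &[[u8; SCALAR_BYTES]]) -> usize {
    (0..SCALAR_BYTES).filter(|&i| samples.iter().any(|k| k[i] != 0)).count() * 8
}

fn main() {
    let mut rng = DemoRng(0x9E37_79B9_7F4A_7C15);
    let weak: Vec<_> = (0..64).map(|_| nonce_vulnerable(&mut rng)).collect();
    let good: Vec<_> = (0..64).map(|_| nonce_fixed(&mut rng)).collect();
    println!("vulnerable: {} bits, fixed: {} bits", effective_entropy_bits(&weak), effective_entropy_bits(&good));
}
```

A check like `effective_entropy_bits` run over a few dozen generated nonces is a cheap unit test that would have flagged a 32-bit nonce before release.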

Impact

Exploitation of this vulnerability allows for the recovery of the nonce 'k', leading to decryption of the ciphertext without the need for the recipient's secret key. This vulnerability breaks the confidentiality of the encrypted data, as all ciphertexts encrypted with the vulnerable PKE implementation are affected.

Reproduction

The vulnerability can be reproduced by encrypting a message using the SM2 PKE implementation in the affected versions. After encryption, the ciphertext can be analyzed to extract the ephemeral public key, which is then used to recover the nonce 'k' using a Baby-Step Giant-Step algorithm. Once 'k' is recovered, the ciphertext can be decrypted, demonstrating the vulnerability.

Remediation

Users can update to the latest version of the RustCrypto SM2 library, where this vulnerability has been fixed. Instructions for updating can be found in the RustCrypto SM2 repository.

Added: Jan 10, 2026, 6:24 AM
Updated: Jan 10, 2026, 6:24 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.