[anti-censorship-team] obfs4proxy-0.0.12 (2021-12-31) fixes the Elligator2 bug

David Fifield david at bamsoftware.com
Fri Jan 14 02:27:09 UTC 2022

The upstream obfs4 repository has a fix to the Elligator2 public key
representative leak (https://github.com/agl/ed25519/issues/27).


	All releases prior to this commit are trivially distinguishable
	with simple math, so upgrading is strongly recommended. The
	upgrade is fully backward-compatible with existing
	implementations, however the non-upgraded side will emit traffic
	that is trivially distinguishable from random.

The file internal/README.md elaborates:

	All existing versions prior to the migration to the new code
	(anything that uses agl's code) are fatally broken, and trivial
	to distinguish via some simple math. For more details see Loup
	Vaillant's writings on the subject. Any bugs in the
	implementation are mine, and not his.

	Representatives created by this implementation will correctly be
	decoded by existing implementations. Public keys created by this
	implementation be it via the modified scalar basepoint multiply
	or via decoding a representative will be somewhat non-standard,
	but will interoperate with a standard X25519 scalar-multiply.

	As the obfs4 handshake does not include the decoded
	representative in any of it's authenticated handshake digest
	calculations, this change is fully-backward compatible (though
	the non-upgraded side of the connection will still be trivially
	distinguishable from random).

More information about the anti-censorship-team mailing list