tendermint-rs: Reject low order points (fixes #142)

[tarcieri]

This is a belt-and-suspenders approach which adds both a blacklist of points with low-order elements (sourced from the Curve25519 web site) as well as a check for all-zero outputs from X25519.

The primary rationale for the first comes from the "May the Fourth" paper:

https://eprint.iacr.org/2017/806.pdf

From Section 5 (under "Rejecting Known Bad Points"):

To protect against small subgroup attacks against Curve25519 and
related curves that have a small set of low-order elements, an
implementation can simply check if the received public key is in the
set. Bernstein [12] provides a full list of these points for
Curve25519, but suggests that rejecting these points is only necessary
for protocols that wish to ensure “contributory” behavior. Langley and
Hamburg [53] have a similar suggestion. We argue that rejecting these
points would also give better side-channel protection. While this
protection may seem unnecessary when used with constant-time code, as
Kaufmann et al. [50] demonstrate, constant-time code is fragile and
may fail to provide adequate protection.

Namely, as noted above, using a blacklist prevents the X25519 operation from ever occurring, meaning the attacker-controlled point never interacts with the D-H secret scalars.

Additionally, this change adds a constant-time check to ensure the computed shared secret is all zeroes. This shouldn't strictly be necessary if Secret Connection transcripts were't malleable (see #254), for example, the Noise protocol tolerates outputs of zero, because attacker malfeasance is caught via a transcript hash mismatch.

The "Prime, Order Please!" paper describes Tamarin proofs of the security of the Tendermint Secret Connection protocol, showing that either the addition of transcript hasing, or explicit checks for low
order points are sufficient for the desired security properties:

https://eprint.iacr.org/2019/526.pdf