LibCrypto/Curves/SECPxxxr1: Review/issues/areas for improvement #23918
Comments
As the one who wrote them, yes, I'll even sign the space gun sending them to the sun.
😺 If someone wants to implement this the "right way" for fun from first principles, https://eprint.iacr.org/2009/129 and https://eprint.iacr.org/2009/191 are good starting points.
For improved efficiency I would also suggest changing the interface of
Preamble:
Notes:
Bugs:
`VERIFY` means (I didn't check, sorry). It is somewhat moot as r, s get reduced modulo the group order when converted to Montgomery form, but this is spooky. ECDH checks that the point is on the curve early (`compute_coordinate_internal`) so is not affected.
`FIXME` comment, reducing the scalar modulo group order when doing a scalar-point multiply results in bias, particularly for P-256 (the bias is insignificant for P-384/P-521). This currently has fairly minimal impact, but is a case that MUST be fixed when ECDSA sign is implemented (https://github.com/C2SP/CCTV/tree/main/RFC6979 has a test case), and SHOULD be fixed for ECDH.
Performance issues:
`convert_jacobian_to_affine` does 2 inversions. Computing 1/Z and then multiplying repeatedly as necessary is significantly cheaper.
General recommendations:
`read_uncompressed_point` should be where the `is_point_on_curve` check happens. (`generate_public_key_internal` should bypass the check, and just cover it with test cases as `s * G` is guaranteed to be valid). "Best practice" these days leans heavily toward "there is no way to create a point that is not on the curve", so early rejection is better.
ps: On an unrelated note, `Cipher/AES.h` and `Cipher/AES.cpp` need to be shot into the sun and burned. Please use AES-NI (or a bitsliced implementation cribbed from BearSSL), since the current code leaks the symmetric key via cache-timing side channels.