Failed in verify test cases of wycheproof #609
Comments
Thank you so much for testing the library. However the result you are getting appears to be both expected and correct behaviour from the library. Please see the documentation for secp256k1_ecdsa_verify: https://github.com/bitcoin-core/secp256k1/blob/master/include/secp256k1.h#L415
Adding a normalize call to your test case above the verify like this:
results in:
To further confirm that the normalization wasn't simply bypassing the test intent, I modified secp256k1_ecdsa_verify to remove the secp256k1_scalar_is_high call, left the normalization out, and the test still passes. Any system which does not enforce a functionally equivalent normalization is vulnerable to malleation-- which may be irrelevant or serious vulnerabilities depending on the specific application. In OpenSSL this sort of malleation allows for trivial certificate blacklist bypassing, in Bitcoin before correction it resulted in moderately severe denial of service and in some cases could cause funds loss. Any implementation that does not do this would also now be consensus inconsistent with Bitcoin. In libsecp256k1 since we don't know what protocols we may be used from we can't decide that it's simply safe to allow this behaviour (and, in our primary application of Bitcoin, it is very much not safe) our intentional and documented behaviour is to fix this vulnerability. If a particular callee wants to preserve it (or they know it is harmless in their application) they can get the conventional behaviour with a normalize call. A quick look at the wycheproof vectors suggests to me that our existing tests already check most (all?) of those cases (and in some cases we have much stronger versions where curve specific magic made constructing them possible), but more tests is better so it would probably be pretty nice if someone wanted to submit an addition to our tests that includes them, similar to your test harness.
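The behaviour described in the comment above (a signature with a "high" s and its counterpart with s replaced by n - s both pass textbook ECDSA verification, while libsecp256k1's verifier accepts only the low-s form unless the caller normalizes first) can be reproduced in pure arithmetic. The following is an added illustration, not code from the issue or from libsecp256k1: it implements a minimal secp256k1 ECDSA sign/verify in Python, a `low_s_only` flag that mirrors the library's default strictness, and a `normalize` helper that does what `secp256k1_ecdsa_signature_normalize` does for the library's signature type. The private key, message hash and nonce are constructed for the demo (the fixed nonce is for reproducibility only; a real signer derives it per RFC 6979 or randomly).

```python
import hashlib

# secp256k1 domain parameters (curve constants, not page-specific values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HALF_N = N // 2  # a signature is "low-s" when s <= HALF_N


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # doubling, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdsa_sign(z, d, k):
    """Textbook ECDSA: r = (kG).x mod n, s = k^-1 (z + r d) mod n."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return (r, s)


def ecdsa_verify(z, pub, sig, low_s_only=False):
    """Textbook ECDSA verification; with low_s_only=True a high s is rejected,
    which is the strictness the library applies by default."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    if low_s_only and s > HALF_N:
        return False
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def normalize(sig):
    """Map (r, s) to its low-s form; a no-op if s is already low."""
    r, s = sig
    return (r, N - s) if s > HALF_N else (r, s)


def flip_s(sig):
    """The other valid encoding of the same signature: (r, n - s)."""
    r, s = sig
    return (r, N - s)


# Constructed demo inputs (hashes of fixed strings reduced mod n)
D = int.from_bytes(hashlib.sha256(b"constructed private key").digest(), "big") % N
PUB = scalar_mult(D, G)
Z = int.from_bytes(hashlib.sha256(b"constructed message").digest(), "big")
K = int.from_bytes(hashlib.sha256(b"constructed nonce (demo only)").digest(), "big") % N
SIG = ecdsa_sign(Z, D, K)


def demo():
    """Show that both encodings verify loosely, only one verifies strictly,
    and normalizing either one yields the strictly-valid form."""
    alt = flip_s(SIG)
    return {
        "loose_accepts_both": ecdsa_verify(Z, PUB, SIG) and ecdsa_verify(Z, PUB, alt),
        "strict_accepts_exactly_one": ecdsa_verify(Z, PUB, SIG, True)
        != ecdsa_verify(Z, PUB, alt, True),
        "normalized_forms_agree": normalize(SIG) == normalize(alt),
        "strict_accepts_normalized": ecdsa_verify(Z, PUB, normalize(alt), True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point for a caller of the library is the same as in the comment: if a protocol must accept signatures produced by a signer that does not enforce low-s, call the normalize function before verifying; if the protocol relies on signatures being non-malleable (as Bitcoin does), leave the strict default in place and treat a high-s signature as invalid.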
Thanks for your patient explanation!
For wycheproof ECDSA SHA-256 test case 218, the expected result is valid; however, it returns an error.
public_key is
04b838ff44e5bc177bf21189d0766082fc9d843226887fc9760371100b7ee20a6ff0c9d75bfba7b31a6bca1974496eeb56de357071955d83c4b1badaa0b21832e9
Take test case 3 and test case 218 as examples:
case 3 is:
case 218 is:
My program is:
The result of test case 3 is as expected, but the result of test case 218 is wrong.
BTW, a Go-version secp256k1 library can verify case 218 correctly.