crypto/elliptic: invalid handling for infinity point #37294
What did you do?
I have been doing differential fuzzing on elliptic curve cryptography.
Worse: the infinity point is not considered to be on the curve... Any scalar multiplication of a point on the curve must be on the curve.
Reproducer code is here:
What did you expect to see?
The reproducer code should output
What did you see instead?
Does this issue reproduce with the latest release (go1.13.8)?
Thank you for raising this. I spent some time thinking about this while implementing
In abelian coordinates (x, y) there is no valid representation of the infinity point. (0, 0) is not a valid point on the curve, it's just adopted by convention in many APIs. An API can just as well decide not to represent it at all, if it's not required for its use cases.
If we accept that (0, 0) is not a valid point in our API,
The unfortunate part is that the arithmetic functions can return an invalid representation if fed specific inputs. That's definitely bad. It would be dangerous to change the API to support (0, 0) now, because there might be applications that rely on
Not a fan of either. @agl any opinions?
(@catenacyber it's always ok to be conservative and email security@, I think this one is ok to discuss publicly.)
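An added example, not part of the original thread or of the Go project's code: it shows the behaviour discussed above with the standard `crypto/elliptic` API, where multiplying the P-256 base point by the group order yields the conventional (0, 0) pair and `IsOnCurve` rejects it. `CheckedScalarMult`, `isInfinity` and `ErrInfinity` are hypothetical names for a caller-side guard, and the scalar input is constructed for the illustration.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// ErrInfinity is a hypothetical error for results the (x, y) API cannot represent.
var ErrInfinity = errors.New("result is the point at infinity")

// isInfinity reports whether (x, y) is the conventional (0, 0) encoding.
func isInfinity(x, y *big.Int) bool {
	return x.Sign() == 0 && y.Sign() == 0
}

// CheckedScalarMult (hypothetical helper) validates the input point, multiplies,
// and refuses to hand (0, 0) back to the caller as if it were a curve point.
func CheckedScalarMult(c elliptic.Curve, x, y *big.Int, k []byte) (*big.Int, *big.Int, error) {
	if isInfinity(x, y) || !c.IsOnCurve(x, y) {
		return nil, nil, errors.New("input point is not on the curve")
	}
	rx, ry := c.ScalarMult(x, y, k)
	if isInfinity(rx, ry) {
		return nil, nil, ErrInfinity
	}
	return rx, ry, nil
}

func main() {
	c := elliptic.P256()
	p := c.Params()
	// Constructed input: the group order N, so N*G is the point at infinity.
	x, y := c.ScalarMult(p.Gx, p.Gy, p.N.Bytes())
	fmt.Println("N*G =", x, y, "IsOnCurve:", c.IsOnCurve(x, y))
	_, _, err := CheckedScalarMult(c, p.Gx, p.Gy, p.N.Bytes())
	fmt.Println("checked:", err)
}
```

Callers that feed the output of one arithmetic call into another, or into a key-agreement step, can use a guard of this kind so that (0, 0) is surfaced as an error instead of being treated as a valid point.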
Ok, I will be conservative next time (I had not noticed this security email the first time).
So, I understand the problem about backward compatibility.