Crypto: ED_25519 base x order = infinity?

[adon-at-work]

The following code snippet is copied from https://github.com/google/end-to-end/blob/master/src/javascript/crypto/e2e/ecc/point/curve25519_test.html#L67-L76:

function testCurve25519Order() {
  var params = e2e.ecc.DomainParam.fromCurve(
      e2e.ecc.PrimeCurve.CURVE_25519);
  var base = params.g;
  var order = params.n;
  assertTrue(base.multiply(order).isInfinity());
  assertFalse(base.multiply(order.subtract(e2e.BigNum.ONE)).isInfinity());
}

In short, when I switch to use the e2e.ecc.PrimeCurve.ED_25519 instead of the e2e.ecc.PrimeCurve.CURVE_25519 above, the test case failed.

Expect base.multiply(order).isInfinity() should evaluate to true for both curves.
Any clues? Thanks.

c.c. @andres-erbsen @daniel-ziegler @diracdeltas

[adon-at-work]

Realized that such isInfinity() and the infinity point in ED_25519 is different from that of CURVE_25519, and that isIdentity() in ED_25519 fits our need of verifying public key. Some discussions can be found at: YahooArchive/end-to-end#58 (diff)

trying to ping @thaidn, the author of the ecc library. any wisdom/clues?

[thaidn]

Thanks for reporting this bug.

The isInfinity function is wrong. In Ed25519 the Z coordinate is never zero (because the parameter d in the Ed25519 equation is not a square). We're going to remove it. You should use isIdentity instead.

As far as I can tell, this bug doesn't cause any security problems.

[adon-at-work]

Thank you. :)