Small fix in nn_modinv_2exp for the 0 exponent (no inverse, result sh…

…ould be 0). Spotted thanks to Cryptofuzz.
libecc · Jun 3, 2023 · 049eb19 · 049eb19
1 parent 769984a
commit 049eb19
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/src/nn/nn_modinv.c b/src/nn/nn_modinv.c
@@ -303,7 +303,12 @@ ATTRIBUTE_WARN_UNUSED_RET static inline int _nn_sub_mod_2exp(nn_t A, nn_src_t B)
 /*
  * Invert x modulo 2^exp using Hensel lifting. Returns 0 on success, -1 on
  * error. On success, x_isodd is 1 if x is odd, 0 if it is even.
- * Operations are done in *constant time*. The function supports aliasing.
+ * Please note that the result is correct (inverse of x) only when x is prime
+ * to 2^exp, i.e. x is odd (x_odd is 1).
+ *
+ * Operations are done in *constant time*.
+ *
+ * Aliasing is supported.
  */
 int nn_modinv_2exp(nn_t _out, nn_src_t x, bitcnt_t exp, int *x_isodd)
 {
@@ -325,6 +330,11 @@ int nn_modinv_2exp(nn_t _out, nn_src_t x, bitcnt_t exp, int *x_isodd)
 	ret = nn_init(&tmp_sqr, 0); EG(ret, err);
 	ret = nn_init(&tmp_mul, 0); EG(ret, err);
 	ret = nn_isodd(x, &isodd); EG(ret, err);
+	if (exp == (bitcnt_t)0){
+		/* Specific case of zero exponent, output 0 */
+		(*x_isodd) = isodd;
+		goto err;
+	}
 	if (!isodd) {
 		ret = nn_zero(_out); EG(ret, err);
 		(*x_isodd) = 0;
@@ -474,7 +484,10 @@ ATTRIBUTE_WARN_UNUSED_RET static int _nn_modinv_fermat_common(nn_t out, nn_src_t
 	}
 
 	/* Else we compute (p-2) for the upper layer */
-	ret = nn_init(p_minus_two, 0); EG(ret, err);
+	if(p != p_minus_two){
+		/* Handle aliasing of p and p_minus_two */
+		ret = nn_init(p_minus_two, 0); EG(ret, err);
+	}
 
 	ret = nn_init(&two, 0); EG(ret, err);
 	ret = nn_set_word_value(&two, WORD(2)); EG(ret, err);