Broken elliptic curve identities

[mkskeller]

It seems that c9ef942 breaks basic elliptic curve identities. The following outputs three times 1 before and three times 0 after:

#include "eccrypto.h"
#include "oids.h"
#include <iostream>

int main()
{
  using namespace CryptoPP;
  auto params = DL_GroupParameters_EC<ECP>(ASN1::secp256k1());
  auto id = params.ExponentiateBase(0);
  std::cout << (id == params.GetCurve().Add(id, id)) << std::endl;
  auto gen = params.ExponentiateBase(1);
  std::cout << (gen == params.GetCurve().Add(id, gen)) << std::endl;
  std::cout << (params.ExponentiateBase(2) == params.GetCurve().Add(gen, gen)) << std::endl;
  return not (id == params.GetCurve().Add(id, id));
}

I'm using Ubuntu 20.04 with the system GCC.

[noloader]

Ugh, thanks @mkskeller.

I'm going to back out most of the constant-time changes. My thinking is, the lesser of the two evils is the timing leak. The worse case is arriving at an incorrect result, and that is what currently happens.

Revert at Commit 4e56a6393dce.

For the upcoming Crypto++ 8.4 release, we re-activated CVE-2019-14318. The release notes can be found here.

Ping @mouse07410 .

---

Here is a simpler test program. It takes advantage of the fact the default constructor yields the identity element:

DL_GroupParameters_EC<ECP> params(oid);
DL_GroupParameters_EC<ECP>::Element id;
id = params.GetCurve().Add(id, id);
bool res = params.IsIdentity(id);

[noloader]

Distro maintainers,

Here is the patch needed to back-out the broken code. The patch is a git diff. It can be applied against the Crypto++ 8.3.0 release.

cryptopp-gh994-fix.diff.zip.

[mouse07410]

I concur.