mirror of
https://github.com/monero-project/monero.git
synced 2025-01-09 19:32:02 +02:00
fix ge_p3_is_point_at_infinity(), which is evaluating field elements that haven't been reduced by the field order
This commit is contained in:
parent
eec3a6014c
commit
c36ea26e5c
@ -3830,15 +3830,51 @@ int sc_isnonzero(const unsigned char *s) {
|
||||
s[27] | s[28] | s[29] | s[30] | s[31]) - 1) >> 8) + 1;
|
||||
}
|
||||
|
||||
int ge_p3_is_point_at_infinity(const ge_p3 *p) {
|
||||
// X = 0 and Y == Z
|
||||
int n;
|
||||
for (n = 0; n < 10; ++n)
|
||||
int ge_p3_is_point_at_infinity_vartime(const ge_p3 *p) {
|
||||
// https://eprint.iacr.org/2008/522
|
||||
// X == T == 0 and Y/Z == 1
|
||||
// note: convert all pieces to canonical bytes in case rounding is required (i.e. an element is > q)
|
||||
// note2: even though T = XY/Z is true for valid point representations (implying it isn't necessary to
|
||||
// test T == 0), the input to this function might NOT be valid, so we must test T == 0
|
||||
char result_X_bytes[32];
|
||||
fe_tobytes((unsigned char*)&result_X_bytes, p->X);
|
||||
|
||||
// X != 0
|
||||
for (int i = 0; i < 32; ++i)
|
||||
{
|
||||
if (p->X[n] | p->T[n])
|
||||
return 0;
|
||||
if (p->Y[n] != p->Z[n])
|
||||
if (result_X_bytes[i])
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
|
||||
char result_T_bytes[32];
|
||||
fe_tobytes((unsigned char*)&result_T_bytes, p->T);
|
||||
|
||||
// T != 0
|
||||
for (int i = 0; i < 32; ++i)
|
||||
{
|
||||
if (result_T_bytes[i])
|
||||
return 0;
|
||||
}
|
||||
|
||||
char result_Y_bytes[32];
|
||||
char result_Z_bytes[32];
|
||||
fe_tobytes((unsigned char*)&result_Y_bytes, p->Y);
|
||||
fe_tobytes((unsigned char*)&result_Z_bytes, p->Z);
|
||||
|
||||
// Y != Z
|
||||
for (int i = 0; i < 32; ++i)
|
||||
{
|
||||
if (result_Y_bytes[i] != result_Z_bytes[i])
|
||||
return 0;
|
||||
}
|
||||
|
||||
// is Y nonzero? then Y/Z == 1
|
||||
for (int i = 0; i < 32; ++i)
|
||||
{
|
||||
if (result_Y_bytes[i] != 0)
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Y/Z = 0/0
|
||||
return 0;
|
||||
}
|
||||
|
@ -162,4 +162,4 @@ void fe_add(fe h, const fe f, const fe g);
|
||||
void fe_tobytes(unsigned char *, const fe);
|
||||
void fe_invert(fe out, const fe z);
|
||||
|
||||
int ge_p3_is_point_at_infinity(const ge_p3 *p);
|
||||
int ge_p3_is_point_at_infinity_vartime(const ge_p3 *p);
|
||||
|
@ -235,7 +235,7 @@ rct::key bos_coster_heap_conv_robust(std::vector<MultiexpData> data)
|
||||
heap.reserve(points);
|
||||
for (size_t n = 0; n < points; ++n)
|
||||
{
|
||||
if (!(data[n].scalar == rct::zero()) && !ge_p3_is_point_at_infinity(&data[n].point))
|
||||
if (!(data[n].scalar == rct::zero()) && !ge_p3_is_point_at_infinity_vartime(&data[n].point))
|
||||
heap.push_back(n);
|
||||
}
|
||||
points = heap.size();
|
||||
@ -457,7 +457,7 @@ rct::key straus(const std::vector<MultiexpData> &data, const std::shared_ptr<str
|
||||
MULTIEXP_PERF(PERF_TIMER_START_UNIT(skip, 1000000));
|
||||
std::vector<uint8_t> skip(data.size());
|
||||
for (size_t i = 0; i < data.size(); ++i)
|
||||
skip[i] = data[i].scalar == rct::zero() || ge_p3_is_point_at_infinity(&data[i].point);
|
||||
skip[i] = data[i].scalar == rct::zero() || ge_p3_is_point_at_infinity_vartime(&data[i].point);
|
||||
MULTIEXP_PERF(PERF_TIMER_STOP(skip));
|
||||
#endif
|
||||
|
||||
|
@ -46,4 +46,6 @@ void random_scalar(crypto::ec_scalar &res);
|
||||
void hash_to_scalar(const void *data, std::size_t length, crypto::ec_scalar &res);
|
||||
void hash_to_point(const crypto::hash &h, crypto::ec_point &res);
|
||||
void hash_to_ec(const crypto::public_key &key, crypto::ec_point &res);
|
||||
bool check_ge_p3_identity_failure(const crypto::public_key &point);
|
||||
bool check_ge_p3_identity_success(const crypto::public_key &point);
|
||||
#endif
|
||||
|
@ -32,6 +32,36 @@
|
||||
|
||||
#include "crypto-tests.h"
|
||||
|
||||
static void get_ge_p3_for_identity_test(const crypto::public_key &point, crypto::ge_p3 &result_out_p3)
|
||||
{
|
||||
// compute (K + K) - K - K to get a specific ge_p3 point representation of identity
|
||||
crypto::ge_cached temp_cache;
|
||||
crypto::ge_p1p1 temp_p1p1;
|
||||
|
||||
crypto::ge_frombytes_vartime(&result_out_p3, &point); // K
|
||||
crypto::ge_p3_to_cached(&temp_cache, &result_out_p3);
|
||||
crypto::ge_add(&temp_p1p1, &result_out_p3, &temp_cache); // K + K
|
||||
crypto::ge_p1p1_to_p3(&result_out_p3, &temp_p1p1);
|
||||
crypto::ge_sub(&temp_p1p1, &result_out_p3, &temp_cache); // (K + K) - K
|
||||
crypto::ge_p1p1_to_p3(&result_out_p3, &temp_p1p1);
|
||||
crypto::ge_sub(&temp_p1p1, &result_out_p3, &temp_cache); // ((K + K) - K) - K
|
||||
crypto::ge_p1p1_to_p3(&result_out_p3, &temp_p1p1);
|
||||
}
|
||||
|
||||
static int ge_p3_is_point_at_infinity_vartime_bad(const crypto::ge_p3 *p) {
|
||||
// X = 0 and Y == Z
|
||||
// bad: components of 'p' are not reduced mod q
|
||||
int n;
|
||||
for (n = 0; n < 10; ++n)
|
||||
{
|
||||
if (p->X[n] | p->T[n])
|
||||
return 0;
|
||||
if (p->Y[n] != p->Z[n])
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
bool check_scalar(const crypto::ec_scalar &scalar) {
|
||||
return crypto::sc_check(crypto::operator &(scalar)) == 0;
|
||||
}
|
||||
@ -55,3 +85,19 @@ void hash_to_ec(const crypto::public_key &key, crypto::ec_point &res) {
|
||||
crypto::hash_to_ec(key, tmp);
|
||||
crypto::ge_p3_tobytes(crypto::operator &(res), &tmp);
|
||||
}
|
||||
|
||||
bool check_ge_p3_identity_failure(const crypto::public_key &point)
|
||||
{
|
||||
crypto::ge_p3 ident_p3;
|
||||
get_ge_p3_for_identity_test(point, ident_p3);
|
||||
|
||||
return ge_p3_is_point_at_infinity_vartime_bad(&ident_p3) == 1;
|
||||
}
|
||||
|
||||
bool check_ge_p3_identity_success(const crypto::public_key &point)
|
||||
{
|
||||
crypto::ge_p3 ident_p3;
|
||||
get_ge_p3_for_identity_test(point, ident_p3);
|
||||
|
||||
return crypto::ge_p3_is_point_at_infinity_vartime(&ident_p3) == 1;
|
||||
}
|
||||
|
@ -259,6 +259,16 @@ int main(int argc, char *argv[]) {
|
||||
if (expected != actual) {
|
||||
goto error;
|
||||
}
|
||||
} else if (cmd == "check_ge_p3_identity") {
|
||||
cerr << "Testing: " << cmd << endl;
|
||||
public_key point;
|
||||
bool expected_bad, expected_good, result_badfunc, result_goodfunc;
|
||||
get(input, point, expected_bad, expected_good);
|
||||
result_badfunc = check_ge_p3_identity_failure(point);
|
||||
result_goodfunc = check_ge_p3_identity_success(point);
|
||||
if (expected_bad != result_badfunc || expected_good != result_goodfunc) {
|
||||
goto error;
|
||||
}
|
||||
} else {
|
||||
throw ios_base::failure("Unknown function: " + cmd);
|
||||
}
|
||||
|
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue
Block a user