
Issue#1675 #1701

Merged
merged 5 commits into from
Jul 10, 2024

Conversation

@mccleeary-galois (Contributor) commented Jul 10, 2024

Closes #1675

This seems to be the root cause bug, but I think there are some other improvements @marsella had in mind as well that we should go ahead and get in.

It appears that a modulus was not happening in ec_sub that was causing the odd issue noted in #1675. This commit adds that modulus and fixes it.
@marsella (Contributor)

I haven't done a full audit of the EC stuff but here are some concerns I saw while poking into this bug:

  • The ec_negate function has the same bug as ec_sub -- it mis-handles any point whose y-coordinate is zero.
  • In ec_mult we deviate from the spec in the way that we iterate over the bits of (d, 3d). The spec initializes the result so that we can skip iterating over the most significant bits of those two values. The implementation does iterate over the MSBs, and based on a first look, I think it doesn't change the result initialization accordingly. Note that this wouldn't be triggered by the test case for #1675 (PrimeEC::ec_mult can produce incorrect results); I can poke at this a bit more to come up with a case that does fail.
  • In ec_mult, I think the error message on L297 is incorrect -- looks like it may have been pasted from a slightly different conditional in a previous iteration.

@RyanGlScott (Contributor) left a comment

The fix here looks quite plausible, although I am admittedly not an expert on elliptic curves. I do have one question about the implementation.

Review comment on src/Cryptol/PrimeEC.hs (outdated, resolved)

@marsella (Contributor) left a comment

This will fix the reported bug, thank you!

I spent some time looking around in the NIST document with EC algorithms you shared. In that doc, the subtraction algorithm matches what was here previously. I think the missing link is that the doc notes elsewhere that the three coordinates are all field elements, so the mod is implicit.

If we have users who depend on the elliptic curve operations in here, I would recommend making a separate issue to review the full file and bring it closer in line with a reference implementation. The two things I'd focus on are:

  1. Making sure there are no other places where BigNums are being used as normal numbers instead of the field elements they are supposed to represent.
  2. Reviewing the names and conditions in this file compared to the reference. I noticed a few checks that are either missing or are in different places than I expected, so it might be worth confirming that this is fully correct.
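An added example, constructed for this page and not Cryptol's PrimeEC.hs or any code from this PR, that works through the two concerns @marsella raised above: ec_negate mishandling points whose y-coordinate is zero, and review point 1, BigNums being used as plain integers where the reference treats them as field elements. It uses a toy affine curve over F_7 (Cryptol's implementation works with three projective coordinates, as the review comment notes); the curve, the field, and every name here (P_MOD, A, B, ec_negate_unreduced, check_point, and so on) are assumptions of this example.

```python
# Added example (not Cryptol's PrimeEC code): a toy affine curve over a small
# prime field, used to show why every coordinate must be reduced mod p.
# Curve and field are constructed for illustration:
#   y^2 = x^3 + 6x  over F_7   (a = 6, i.e. -1; b = 0)
# x^3 - x = x(x-1)(x+1) has roots 0, 1 and 6 mod 7, so (0,0), (1,0) and (6,0)
# are points with y = 0 (the 2-torsion points): exactly the case that an
# unreduced negation gets wrong.
P_MOD = 7
A, B = 6, 0
INF = None  # point at infinity (group identity)


def is_field_element(c):
    """A BigNum standing for a field element must be in canonical range."""
    return 0 <= c < P_MOD


def is_canonical_point(pt):
    return pt is INF or all(is_field_element(c) for c in pt)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def ec_negate_unreduced(pt):
    """The bug class from the thread: p - y is a field element only when y != 0."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, P_MOD - y)


def ec_negate(pt):
    """Fixed: reduce, so y = 0 maps to 0 rather than to p."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)


def ec_add(p1, p2):
    """Affine addition with the identity and the P + (-P) cases handled."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:   # p2 == -p1, including doubling a y = 0 point
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_sub(p1, p2):
    return ec_add(p1, ec_negate(p2))


def ec_mult(k, pt):
    """Double-and-add, MSB first, starting from the identity."""
    result = INF
    for bit in bin(k)[2:]:
        result = ec_add(result, result)
        if bit == "1":
            result = ec_add(result, pt)
    return result


def check_point(pt):
    """Reviewer-style invariant: reject any representation whose coordinates
    are not reduced, even if it would still satisfy the curve equation."""
    if not is_canonical_point(pt):
        raise ValueError(f"coordinates not reduced mod {P_MOD}: {pt}")
    if not on_curve(pt):
        raise ValueError(f"point not on curve: {pt}")
    return pt


if __name__ == "__main__":
    Q = (1, 0)
    bad = ec_negate_unreduced(Q)
    print("unreduced -Q:", bad, "on curve:", on_curve(bad), "canonical:", is_canonical_point(bad))
    print("reduced   -Q:", ec_negate(Q), "equal to Q:", ec_negate(Q) == Q)
    print("Q - Q:", ec_sub(Q, Q), " 2Q:", ec_mult(2, Q))
```

The unreduced result (1, 7) still satisfies the curve equation mod 7, so an on-curve check alone does not catch it; only a canonical-range check or an exact comparison exposes it (a 2-torsion point is its own negative, so -Q == Q must hold, and it fails for the unreduced form). That range invariant, asserted at the boundary of every routine that returns a point, is the kind of check that would surface other places where a BigNum escapes the field.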

@mccleeary-galois mccleeary-galois marked this pull request as ready for review July 10, 2024 19:40
@yav (Member) left a comment

Not an expert, but the changes seem reasonable to me.

Review comment on tests/issues/issue1675/issue1675.icry (outdated, resolved)
@mccleeary-galois mccleeary-galois merged commit f5fa503 into master Jul 10, 2024
11 checks passed
@mccleeary-galois mccleeary-galois deleted the issue#1675 branch July 10, 2024 21:06
Successfully merging this pull request may close these issues.

PrimeEC::ec_mult can produce incorrect results
4 participants