FireStack-Lab / LaksaCsharp

Zilliqa Blockchain C# Library

Issue with publicPointFromPrivate() function #3

Open AmritKumar opened 5 years ago

AmritKumar commented 5 years ago

PROBLEM: The following function in ECKeyPair.cs allows one to obtain the public key from an input private key.

public static ECPoint publicPointFromPrivate(BigInteger privKey)
{
    /*
     * TODO: FixedPointCombMultiplier currently doesn't support scalars longer than the group
     * order, but that could change in future versions.
     */
    if (privKey.BitLength > CURVE.N.BitLength)
    {
        privKey = privKey.Mod(CURVE.N);
    }
    return new FixedPointCombMultiplier().Multiply(CURVE.G, privKey);
}

If the input privKey has a bit length that is larger than the bit length of the group order N, then privKey is reduced modulo N. There are a couple of issues here: 1) Any input privKey that does not fall between 1 and N-1 (both inclusive) should be outright rejected. 2) Comparing the bit length of N and privKey is not correct. One should rather compare their values directly.

SOLUTION: Replace the if condition by instead checking whether the input privKey is valid or not. A valid privKey is simply a scalar value that is between 1 and N-1. If privKey is invalid, then the function should simply throw an error instead of reducing privKey modulo N.

@neeboo @yanbin007

yanbin007 commented 5 years ago

Thanks, I have fixed it.