cloudflare / circl

CIRCL: Cloudflare Interoperable Reusable Cryptographic Library
http://blog.cloudflare.com/introducing-circl

Inadequate scalar reduction in p384 leads to panic #312

Closed guidovranken closed 2 years ago

guidovranken commented 2 years ago

https://github.com/cloudflare/circl/blob/15f39042039a5d953aa3d11650576df0fcd0ecfd/ecc/p384/p384opt.go#L55

reduceScalar is supposed to "shorten a scalar modulo the order of the curve" but it doesn't do that for all inputs and this can lead to a panic in wnaf.go.

PoC:

```go
package main

import (
    "math/big"

    "github.com/cloudflare/circl/ecc/p384"
)

func main() {
    // Affine coordinates of the base point passed to ScalarMult.
    a_x, _ := new(big.Int).SetString("2197194086093689212280862101867524553402030273258457080984175289262818302155461584526794911762464589043284585654550", 10)
    a_y, _ := new(big.Int).SetString("27340319491623798325691320370638865713982009585794110374349453846146179674941474386159930807215381526124834607054138", 10)
    // Scalar that is not reduced modulo the curve order; reduceScalar leaves it out of range.
    b, _ := new(big.Int).SetString("39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942684", 10)

    curve := p384.P384()
    // Triggers the panic in wnaf.go.
    curve.ScalarMult(a_x, a_y, b.Bytes())
}
```
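Added example, not part of the report or of circl: a caller-side guard that reduces a scalar into the canonical range [0, n) before it reaches ScalarMult, using the standard library's P-384 parameters (crypto/elliptic) in place of circl's own. Applied to the PoC scalar above, it shows that scalar lies above the group order and what the properly reduced value is; the function names are assumptions.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// Constructed input: the scalar from the PoC in this issue.
const pocScalar = "39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942684"

// scalarInRange reports whether k is already canonical, i.e. 0 <= k < n,
// where n is the order of the curve's base point.
func scalarInRange(k *big.Int, curve elliptic.Curve) bool {
	return k.Sign() >= 0 && k.Cmp(curve.Params().N) < 0
}

// reduceScalarModOrder returns k mod n as a fixed-width big-endian byte
// string (48 bytes for P-384). big.Int.Mod is Euclidean, so the result is
// in [0, n) even for negative k, unlike a single conditional subtraction.
func reduceScalarModOrder(k *big.Int, curve elliptic.Curve) []byte {
	n := curve.Params().N
	r := new(big.Int).Mod(k, n)
	size := (n.BitLen() + 7) / 8
	return r.FillBytes(make([]byte, size))
}

func main() {
	curve := elliptic.P384()
	k, ok := new(big.Int).SetString(pocScalar, 10)
	if !ok {
		panic("bad scalar literal")
	}
	fmt.Println("scalar already in [0, n):", scalarInRange(k, curve))
	reduced := reduceScalarModOrder(k, curve)
	fmt.Println("reduced scalar:", new(big.Int).SetBytes(reduced))
	fmt.Println("reduced width (bytes):", len(reduced))
}
```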
armfazh commented 2 years ago

Thanks for reporting @guidovranken , we will investigate the fix.