kmackay / micro-ecc

ECDH and ECDSA for 8-bit, 32-bit, and 64-bit processors.
BSD 2-Clause "Simplified" License

secp160r1 incorrect signatures on ARM Cortex M0 #214

Open J08nY opened 1 year ago

J08nY commented 1 year ago

micro-ecc computes a wrong signature on secp160r1 on ARM Cortex M0.

The compile-time settings are:

-DuECC_SUPPORTS_secp160r1=1
-DuECC_SUPPORTS_secp192r1=0
-DuECC_SUPPORTS_secp224r1=0
-DuECC_SUPPORTS_secp256r1=0
-DuECC_SUPPORTS_secp256k1=0
-DuECC_SUPPORT_COMPRESSED_POINT=0
-DuECC_OPTIMIZATION_LEVEL=3
-DuECC_SQUARE_FUNC=1
-fomit-frame-pointer

with arm-none-eabi-gcc version 13.1.0 and optimization level -O3 (but also reproduced with levels [s, 1, 2]).

For a pubkey of: (1248267197097365432264186274468065254236796158617, 518980666782735319294616719874128744577850778311)

and a hash of cdfd35e9983ed989984e026546b241803bebd02b, it produces a signature of: (1012199123568660032231186032600072213159176233822, 416085392951447075179638451199529832674058226010), which is invalid.

When compiled to target the host (x86_64) it produces valid signatures. Other curves also work correctly.

mrx23dot commented 10 months ago

Yeah it's essential to be portable.

What if you set -DuECC_OPTIMIZATION_LEVEL=0?

J08nY commented 9 months ago

I vaguely remember that the optimization level was important for the error to show up (i.e. the error did not show up with optimization level 0).