The isogeny_map_G2() function excerpted below as implemented in hash_to_curve.nim implements the 3-isogeny map from a point P' (x', y') on G'2 to a point P(x, y) on the G2 curve of BLS12-381. The bulk of the logic relates to similar calculations of xNum, xDen, yNum and yDen with the first shown below.
For 58-bit limbs, the add function ultimately resolves to BIG_384_58_add() in the csources, which does not reduce its result. Thus, the final result is missing a norm() operation prior to its return. This can impact correct operation as the xNum and yNum values subsequently become operands in a multiplication where the comments in the FP2_BLS381_mul() execution path state that inputs must be normed. A similar scenario applies to the case of 29-bit limbs.
Exploit Scenario
The logic may calculate incorrect results that will be extremely difficult to debug.
Mitigation Recommendation
Add a final norm to the calculation of xNum, xDen, yNum and yDen.
labels: nbc-audit-2020-1, status:reported labels: difficulty:high, severity:medium, type:bug
Description
The
isogeny_map_G2()function excerpted below as implemented inhash_to_curve.nimimplements the 3-isogeny map from a point P' (x', y') on G'2 to a point P(x, y) on the G2 curve of BLS12-381. The bulk of the logic relates to similar calculations ofxNum,xDen,yNumandyDenwith the first shown below.For 58-bit limbs, the add function ultimately resolves to
BIG_384_58_add()in the csources, which does not reduce its result. Thus, the final result is missing anorm()operation prior to its return. This can impact correct operation as thexNumandyNumvalues subsequently become operands in a multiplication where the comments in theFP2_BLS381_mul()execution path state that inputs must be normed. A similar scenario applies to the case of 29-bit limbs.Exploit Scenario
The logic may calculate incorrect results that will be extremely difficult to debug.
Mitigation Recommendation
Add a final
normto the calculation ofxNum,xDen,yNumandyDen.References