-
Notifications
You must be signed in to change notification settings - Fork 456
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EDDSA.decodePoint should fails on ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff #250
Comments
I'm working on implementing the following method on js: https://github.com/monero-project/monero/blob/v0.17.1.9/src/crypto/crypto-ops.c#L1334-L1424 There are several test cases: https://github.com/monero-project/monero/blob/v0.17.1.9/tests/crypto/tests.txt (rows starts with The following test reports false positive results using ✕ keyCheck 'edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'f1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'f1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'f2ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'f2ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'f7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'f7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'fbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'fbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'fcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'fcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'fdffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'fdffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false'
✕ keyCheck 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f' is valid 'false'
✕ keyCheck 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' is valid 'false' |
One more observation: import BN from 'bn.js';
import elliptic from 'elliptic';
const hex = 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff';
console.log('original:', hex);
// original: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
const point = ec.decodePoint(hex);
console.log('encoded:', new BN(ec.encodePoint(point)).toString('hex'));
// encoded: 1200000000000000000000000000000000000000000000000000000000000080 |
@indutny congrats with the new job in signalapp but could you please have a look at this issue 😃 |
Or maybe @fanatid could assist? |
This happened because the input elliptic/lib/elliptic/curve/edwards.js Line 74 in 43ac7f2
Input y : 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff Red value: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed As result we get 0x12
|
@fanatid thank you for the clarification. Should it be considered as correct behaviour? Or maybe it is better to throw the error 'invalid point'? For now there is the following condition for several keys: ec.encodePoint(ec.decodePoint(key))) !== key |
Yep, I'm collecting issues/questions/suggestions related to
|
According to specification:
|
Hi @mahnunchik, I agree that we should fix decoding. |
Out of interest, did you consider using WASM instead of implementing already existed code on JS? |
No, for my task I've decided to implement it in JS because 12+ mb of WASM is too heavy. Also there are some existing libraries: elliptic 💥 https://github.com/chrisdickinson/varint https://github.com/jafalter/bulletproof-js I will use to implement. |
Related question: what is the purpose of elliptic/lib/elliptic/curve/edwards.js Lines 99 to 112 in e71b2d9
|
While dive deep and deeper, I'd like to ask: what is the reason to use Tonelli-Shanks algorithm here:
Instead of trick from spec: https://tools.ietf.org/html/rfc8032#section-5.1.3 I mean In my tests it is at least 5 times faster. If I decide to prepare fix for this issue, could you please provide some information: which tests is required, where it is better to place it. |
@mahnunchik hey, great job with all these notices. Fedor did some nice work with elliptic, but we need to move forward. Could you take a look at https://github.com/paulmillr/noble-ed25519? I'm using unwrapped pow to square root of curve P, it's super fast! |
Working with
ed25519
curve I've faced with strange behaviour:decodePoint
doesn't fails on points out of field.What do you think?
decodePoint
?The text was updated successfully, but these errors were encountered: