cryptography icon indicating copy to clipboard operation
cryptography copied to clipboard

Published 20 hours ago verified publisher icon pyca

Expose EC group order

Open DavidBuchanan314 opened this issue 1 year ago • 5 comments

Here's a patch to expose the group order of EllipticCurve objects. As mentioned on IRC, this makes it easier to write code to enforce "Low-S" ECDSA signatures without hard-coding parameters (but does not itself implement anything of the sort).

Assuming I cleaned this up and added a test or two, is this something you'd consider merging?

DavidBuchanan314 avatar Mar 18 '24 01:03 DavidBuchanan314

I have not had a chance to review this in any detail, but I wanted to flag that we are (slowly) migrating away from cffi, so new PRs shouldn't be introducing any new usages of it.

alex avatar Mar 18 '24 11:03 alex

If we want to add group order is there any reason to do it dynamically or should we just add it as a class constant on the curve classes?

reaperhulk avatar Mar 18 '24 15:03 reaperhulk

That makes sense to me.

On Mon, Mar 18, 2024, 11:28 AM Paul Kehrer @.***> wrote:

If we want to add group order is there any reason to do it dynamically or should we just add it as a class constant on the curve objects?

— Reply to this email directly, view it on GitHub https://github.com/pyca/cryptography/pull/10600#issuecomment-2004218807, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAAGBC23FH7C22QNCZDHCDYY4BZZAVCNFSM6AAAAABE2VONFSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMBUGIYTQOBQG4 . You are receiving this because you commented.Message ID: @.***>

alex avatar Mar 18 '24 15:03 alex

The main reason I didn't just add them as constants is because it's kinda hard to demonstrate their correctness/legitimacy. Someone has to hard-code them somewhere (or calculate from first principles I suppose), and since openssl has already done that (in openssl/crypto/ec/ec_curve.c) I thought it'd be best to piggyback off that effort.

But, if you're happy to just have them as constants, then that works for me.

As for testing for correctness, it just occurred to me that an easy test would be to generate a signature, replace s with group_order-s, and check that the signature is still valid.

DavidBuchanan314 avatar Mar 21 '24 01:03 DavidBuchanan314

I think we're fine with constants -- we can check them against authoritative sources as part of review 😄

reaperhulk avatar Mar 24 '24 18:03 reaperhulk

Are you still interested in doing this @DavidBuchanan314?

reaperhulk avatar Jul 20 '24 15:07 reaperhulk

Yes, thanks for the reminder. I'll close this PR for now, and open a new one following your suggested approach of adding constants.

DavidBuchanan314 avatar Jul 20 '24 16:07 DavidBuchanan314