
Crypto: ED_25519 base x order = infinity?

Open adon-at-work opened this issue 10 years ago • 3 comments

The following code snippet is copied from https://github.com/google/end-to-end/blob/master/src/javascript/crypto/e2e/ecc/point/curve25519_test.html#L67-L76:

function testCurve25519Order() {
  var params = e2e.ecc.DomainParam.fromCurve(
      e2e.ecc.PrimeCurve.CURVE_25519);
  var base = params.g;
  var order = params.n;
  assertTrue(base.multiply(order).isInfinity());
  assertFalse(base.multiply(order.subtract(e2e.BigNum.ONE)).isInfinity());
}

In short, when I switch to e2e.ecc.PrimeCurve.ED_25519 instead of the e2e.ecc.PrimeCurve.CURVE_25519 above, the test case fails.

I expect base.multiply(order).isInfinity() to evaluate to true for both curves. Any clues? Thanks.

c.c. @andres-erbsen @daniel-ziegler @diracdeltas

adon-at-work, Sep 11 '15 20:09

Realized that isInfinity() and the infinity point in ED_25519 are different from those of CURVE_25519, and that isIdentity() in ED_25519 fits our need of verifying the public key. Some discussions can be found at: https://github.com/yahoo/end-to-end/pull/58#discussion-diff-39459701

Trying to ping @thaidn, the author of the ecc library. Any wisdom/clues?

adon-at-work, Sep 17 '15 09:09

Thanks for reporting this bug.

The isInfinity function is wrong. In Ed25519 the Z coordinate is never zero (because the parameter d in the Ed25519 equation is not a square). We're going to remove it. You should use isIdentity instead.

As far as I can tell, this bug doesn't cause any security problems.

thaidn, May 01 '16 20:05
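
The point made in the reply above, as an added example that is not part of the thread or of the end-to-end library: a minimal BigInt Ed25519 in projective coordinates, showing that multiplying the base point by its order yields the identity (0 : Z : Z) with a nonzero Z, so a Z == 0 test never fires. The helper names (add, multiply, isInfinity, isIdentity, onCurve, isSquare) are this example's own; the constants are the standard Ed25519 parameters.

```javascript
// Added example (not end-to-end's code): Ed25519, -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p).
const p = 2n ** 255n - 19n;
const L = 2n ** 252n + 27742317777372353535851937790883648493n; // order of base point
const mod = (a) => ((a % p) + p) % p;
const modpow = (b, e) => {
  let r = 1n;
  for (b = mod(b); e > 0n; e >>= 1n) {
    if (e & 1n) r = mod(r * b);
    b = mod(b * b);
  }
  return r;
};
const inv = (a) => modpow(a, p - 2n);
const d = mod(-121665n * inv(121666n));
const isSquare = (a) => modpow(a, (p - 1n) / 2n) === 1n; // Euler's criterion

// Projective points (X : Y : Z) stand for the affine point (X/Z, Y/Z).
const B = {
  X: 15112221349535400772501151409588531511454012693041857206046113283949847762202n,
  Y: mod(4n * inv(5n)),
  Z: 1n,
};
const IDENTITY = { X: 0n, Y: 1n, Z: 1n }; // neutral element is the affine point (0, 1)

// Unified twisted Edwards addition (a = -1); also valid for doubling.
function add(P, Q) {
  const A = mod(P.Z * Q.Z), A2 = mod(A * A);
  const C = mod(P.X * Q.X), D = mod(P.Y * Q.Y), E = mod(d * mod(C * D));
  const F = mod(A2 - E), G = mod(A2 + E);
  return {
    X: mod(A * mod(F * mod((P.X + P.Y) * (Q.X + Q.Y) - C - D))),
    Y: mod(A * mod(G * (D + C))),
    Z: mod(F * G), // F*G is never 0 because d is not a square mod p
  };
}
function multiply(P, k) {
  let R = IDENTITY;
  for (; k > 0n; k >>= 1n) {
    if (k & 1n) R = add(R, P);
    P = add(P, P);
  }
  return R;
}
const onCurve = (P) =>
  mod((P.Y * P.Y - P.X * P.X) * P.Z * P.Z) === mod(P.Z ** 4n + d * P.X * P.X * P.Y * P.Y);
const isInfinity = (P) => P.Z === 0n;               // Weierstrass-style test: never true here
const isIdentity = (P) => P.X === 0n && P.Y === P.Z; // the check to use on Edwards curves

const nB = multiply(B, L);
console.log({ infinity: isInfinity(nB), identity: isIdentity(nB) });
```
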

Thank you. :)

adon-at-work, May 02 '16 07:05