libsnark icon indicating copy to clipboard operation
libsnark copied to clipboard
verified publisher icon scipr-lab

Allow curve parameters to bound Fp/Fp2 sqrt

Open ebfull opened this issue 9 years ago • 2 comments

The Tonelli-Shanks Algorithm used in Fp/Fp2 is currently unbounded, so an attack vector exists if someone provides you with a compressed curve point, and you attempt to decompress it, and the sqrt does not terminate. There are provable bounds on the cost for this algorithm that the curve parameters should be able to configure to prevent this kind of attack.

See http://stanford.edu/~jbooher/expos/sqr_qnr.pdf and https://eprint.iacr.org/2012/685.pdf.

See https://github.com/zcash/zcash/issues/1073 as well.

ebfull avatar Jul 07 '16 22:07 ebfull

Instead we've decided to enable the "DEBUG" lines which check if it's a square using euler's criterion. (We throw an exception instead of asserting.) This is fine for performance because we don't need to sqrt that often. (We don't perform point compression on the proving/verifying keys.)

ebfull avatar Aug 21 '16 03:08 ebfull

New location of the Booher square roots paper https://www.math.arizona.edu/~jeremybooher/expos/sqr_qnr.pdf

daira avatar Jun 26 '19 06:06 daira