Less Leaky ECDSA signature generation (in master)
Jacob Bachmeyer
jcb62281 at gmail.com
Fri Mar 28 03:30:22 CET 2025
On 3/27/25 20:21, NIIBE Yutaka wrote:
> [...]
>
> Because we expose the lower level API, it is possible for an application
> to violate the preconditions, by supplying an ECC point with larger MPIs.
>
> When the preconditions were violated, it used to result in a call to
> log_bug (emitting a message and aborting). After my change, it
> results in a wrong value, using the lower bits and ignoring the upper bits.
Are the ignored upper bits definitely zero or could an application
reasonably expect libgcrypt to do something useful with such a point
(perhaps reducing a value between P and 2*P to its proper value mod P?)?
> [...]
>
> If we'd take an approach of more kindness, we could add the check for
> the external API to examine the field in ECC points for preconditions.
That is probably a good idea, along with making certain that the
preconditions are documented.
-- Jacob
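To make the precondition discussion concrete, here is an added example (not libgcrypt code, and not from either poster) of the kind of check the external API could perform before handing a caller-supplied point to fixed-width field arithmetic. It uses the public secp256k1 curve constants; the function names, the 4x64-bit limb model and the sample inputs are constructed for this illustration. It shows that a coordinate congruent to a valid x but not reduced below p passes a naive "reduce mod p" expectation yet, if the upper bits are simply dropped, yields a different (wrong) value.

```python
# Added example, not part of libgcrypt: precondition checks for an
# externally supplied ECC point before it reaches a fixed-width field
# implementation. Curve parameters are the public secp256k1 constants;
# the limb model and the sample inputs are constructed for illustration.

SECP256K1 = {
    "p": 2**256 - 2**32 - 977,
    "a": 0,
    "b": 7,
    "gx": 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    "gy": 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
}


def check_point(x, y, curve):
    """Return the list of violated preconditions; an empty list means accept.

    The range checks come first: a coordinate that is not reduced below p
    cannot be trusted to survive a fixed-width representation, so the
    on-curve test is only meaningful once both coordinates are in range.
    """
    p, a, b = curve["p"], curve["a"], curve["b"]
    problems = []
    if not 0 <= x < p:
        problems.append("x not reduced mod p")
    if not 0 <= y < p:
        problems.append("y not reduced mod p")
    if problems:
        return problems
    # Weierstrass form y^2 = x^3 + a*x + b over GF(p).
    if (y * y - (x * x * x + a * x + b)) % p != 0:
        problems.append("point not on curve")
    return problems


def truncate_to_limbs(value, limb_bits=64, limbs=4):
    """Model a field element that keeps only the low limbs*limb_bits bits.

    This is the "use the lower bits, ignore the upper bits" behaviour:
    anything above 256 bits is silently discarded rather than reduced.
    """
    return value & ((1 << (limb_bits * limbs)) - 1)


def demo():
    """Compare a properly reduced point with an oversized but congruent one."""
    c = SECP256K1
    gx, gy, p = c["gx"], c["gy"], c["p"]
    oversized_x = gx + p          # congruent to gx mod p, but > p and > 2^256
    truncated = truncate_to_limbs(oversized_x)
    return {
        "generator_accepted": check_point(gx, gy, c) == [],
        "oversized_rejected": check_point(oversized_x, gy, c),
        "truncated_equals_x": truncated == gx,             # False: wrong value
        "proper_reduction_recovers_x": oversized_x % p == gx,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the range check before the on-curve check is that the curve equation is evaluated with reduction, so an unreduced coordinate would pass it; only the explicit `0 <= x < p` test distinguishes a reduced input from one that merely happens to be congruent.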