secp112r2 point validation discrepancy with Crypto++ and OpenSSL #3723

Closed
guidovranken opened this issue Oct 4, 2023 · 3 comments

@guidovranken

```cpp
#include <botan/system_rng.h>
#include <botan/ecdsa.h>
#include <cstdio>   /* printf */
#include <cstdlib>  /* abort */
#include <memory>   /* std::unique_ptr, std::make_unique */

int main(void)
{
    ::Botan::System_RNG rng;

    const ::Botan::BigInt P("4451685225093714772084598273548427");

    {
        /* Register secp112r2 by hand: p, a, b, Gx, Gy, order, cofactor, OID */
        const ::Botan::OID secp112r2_oid("1.3.132.0.7");
        const ::Botan::EC_Group secp112r2(
                P,
                ::Botan::BigInt("1970543761890640310119143205433388"),
                ::Botan::BigInt("1660538572255285715897238774208265"),
                ::Botan::BigInt("1534098225527667214992304222930499"),
                ::Botan::BigInt("3525120595527770847583704454622871"),
                ::Botan::BigInt("1112921306273428674967732714786891"),
                4,
                secp112r2_oid);
        ::Botan::OID::register_oid(secp112r2_oid, "secp112r2");

        if ( !secp112r2.verify_group(rng) ) {
            abort();
        }
    }

    ::Botan::EC_Group group("secp112r2");

#if 0
    /* The generator point validates as expected */
    const ::Botan::BigInt pub_x("1534098225527667214992304222930499");
    const ::Botan::BigInt pub_y("3525120595527770847583704454622871");
#endif

    const ::Botan::BigInt pub_x("3442185213147111329368355265766312");
    const ::Botan::BigInt pub_y("3035790070451486434651648738331985");

    /* Ensure coordinates are within bounds */
    if ( pub_x >= P ) abort();
    if ( pub_y >= P ) abort();

    const ::Botan::PointGFp public_point = group.point(pub_x, pub_y);
    std::unique_ptr<::Botan::Public_Key> pub = nullptr;
    pub = std::make_unique<::Botan::ECDSA_PublicKey>(::Botan::ECDSA_PublicKey(group, public_point));

    /* Strong check: includes the public point validation */
    printf("Valid: %d\n", pub->check_key(rng, true));

    return 0;
}
```

This point validates in OpenSSL and Crypto++ but not in Botan. secp112r2 is the only curve I've observed this for.

When I manually derive the Y coordinate (3035790070451486434651648738331985) from the X coordinate (3442185213147111329368355265766312), I get the expected result, which also implies the point is valid:

```cpp
#include <botan/bigint.h>
#include <botan/numthry.h>
#include <cassert>

int main(void)
{
    using namespace Botan;
    const BigInt P("4451685225093714772084598273548427");
    const BigInt A("1970543761890640310119143205433388");
    const BigInt B("1660538572255285715897238774208265");
    assert(P % 4 == 3);

    /* x to find y for */
    const BigInt x("3442185213147111329368355265766312");

    const BigInt expected_y("3035790070451486434651648738331985");

    const BigInt Z = ((x*x*x) + (A*x) + B) % P;
    const BigInt y = power_mod(Z, (P+1) / 4, P);

    assert(y == expected_y);

    return 0;
}
```

Am I overlooking something?

@guidovranken
Author

The following check is failing:

```cpp
if((point * get_order()).is_zero() == false) {
   return false;
}
```

Does this imply that Botan is correct and that the validation code in OpenSSL/Crypto++ is inadequate?

@guidovranken
Author

Yes, that seems to be it. Closing this.

@randombit
Owner

Cofactors strike again 😭
