*_is_valid() functions produce false negative for not normalized points #147

laurent-girod · 2020-05-20T09:28:49Z

While working on Petrelic, I noticed that some tests were no longer passing after updating Relic. We identified two likely bugs, one related to the *_is_valid() functions, and one related to the g2_map() function.

This issue is the bug related to the *_is_valid() functions.

After some checks, I noticed that some checks like these one

g1_get_gen(a);
g1_get_gen(b);

g1_neg(b);
g1_add(c, a, b);

res = g1_is_valid(c); // res = 0

indicated that c was an invalid point.

Wouter got the idea to normalize the point with g1_norm(c) before checking its validity, upon which g1_is_valid(c) returned that c was valid.

The text was updated successfully, but these errors were encountered:

dfaranha · 2020-05-20T09:58:02Z

Thanks! Scalar multiplication algorithms expect points in affine coordinates, and are the likely culprit. They should normalize them as well.

I plan to soon refactor the *_is_valid() code with just binary multiplication, as the current approach makes me nervous, so there will be an opportunity to fix this.

dfaranha · 2020-05-21T08:35:55Z

There is a semantic mismatch between the PC interface and the underlying modules. Functions g*_is_valid() are supposed to check if elements have the right order (and thus reject any elements of small order), while ep_is_valid() basically only checks if the point lies in the curve. That is something that also needs fixing.

dfaranha · 2021-02-08T16:37:42Z

Hi again,

I have recently updated the implementation, and I think it is more consistent now. Now g*_is_valid check that elements have a prime order r = |G1| = |G2| = |GT|, so identity elements are rejected (as this is commonly the case with cryptographic protocols).

The underlying modules now uses _on_curve() for checking point validity. Sometimes one coincides with the other (BN curves with prime order), but it is not necessarily the case.

Please let me know if this abstraction makes more sense for what you are doing. :)

laurent-girod · 2021-04-08T12:20:00Z

Hello Diego,

Sorry for the late reply!
Thank you for your work! That new interface makes sense.

Regards,
Laurent

The diff contains: - a lot of changes that concern parts of the library we don't use (other curves a la BN, BLS24-X, BLS12-383 ...), integer protocols (ETRS), field extension machinery ... - otherwise irrelevant changes, e.g. CI/CD - some memory bug fixing [Full Changeset](https://github.com/relic-toolkit/relic/compare/7a9bba7f..9206ae5) **Fixed bugs:** - Unexpected failure of ep2\_mul\[\_lwnaf\] above the prime group order [\onflow#64](relic-toolkit/relic#64) **Closed issues:** - Other way to construct towered extension fields [\onflow#203](relic-toolkit/relic#203) - blake2.h:101:5: error: size of array element is not a multiple of its alignment [\onflow#202](relic-toolkit/relic#202) - ECIES 160bit [\onflow#201](relic-toolkit/relic#201) - Compilation with "ARITH gmp" fails [\onflow#200](relic-toolkit/relic#200) - Support for armv8-a ? [\onflow#198](relic-toolkit/relic#198) - Function name bn\_init conflicts with OpenSSL when used in tandem [\onflow#196](relic-toolkit/relic#196) - 16-bit MSP430 [\onflow#193](relic-toolkit/relic#193) - Modular exponentiation returns 1 if exponent is 0 and modulo is 1 [\onflow#185](relic-toolkit/relic#185) - Compilation of RELIC with bls12-446 and bls12-455 fails [\onflow#182](relic-toolkit/relic#182) - test\_bn fails with BLS12-381 preset [\onflow#181](relic-toolkit/relic#181) - \[BUG\] undefined reference to `bench_init', `bench\_clean' [\onflow#180](relic-toolkit/relic#180) - Tests FTBFS because of missing symbol in header [\onflow#179](relic-toolkit/relic#179) - Builds are broken [\onflow#178](relic-toolkit/relic#178) - compile error inlining failed in call to always\_inline ‘\_mm\_alignr\_epi8’ on unbantu20.04 gcc9 [\onflow#177](relic-toolkit/relic#177) - bn\_write\_str buffer overflow [\onflow#176](relic-toolkit/relic#176) - ECDSA verify succeeds when it should fail [\onflow#175](relic-toolkit/relic#175) - ec\_mul\_gen hangs with curve SECG\_K256 [\onflow#174](relic-toolkit/relic#174) - Wrong square root computation [\onflow#173](relic-toolkit/relic#173) - Out-of-bounds read via bn\_sqr\_basic [\onflow#172](relic-toolkit/relic#172) - OSS-Fuzz integration [\onflow#171](relic-toolkit/relic#171) - Building Relic with Curve NIST\_P256 throws FATAL ERROR in relic\_fp\_prime.c:120 [\onflow#170](relic-toolkit/relic#170) - Compressing \(packing\) a point to binary array does not comply with X9.62 standard [\onflow#169](relic-toolkit/relic#169) - ‘ctx\_t’ {aka ‘struct \_ctx\_t’} has no member named ‘total’ [\onflow#168](relic-toolkit/relic#168) - relic does not work with C++ [\onflow#167](relic-toolkit/relic#167) - Memory leak in ep2\_curve\_init/clean with ALLOC=DYNAMIC [\onflow#166](relic-toolkit/relic#166) - \*\_is\_valid\(\) functions produce false negative for not normalized points [\onflow#147](relic-toolkit/relic#147) - Bench and Test doesnt build [\onflow#122](relic-toolkit/relic#122) **Merged pull requests:** - Add pairing delegation protocols [\onflow#199](relic-toolkit/relic#199) ([dfaranha](https://github.com/dfaranha)) - Fix support for Win64/MSVC targets. [\onflow#197](relic-toolkit/relic#197) ([dfaranha](https://github.com/dfaranha)) - Simplify generator getting for Gt. [\onflow#194](relic-toolkit/relic#194) ([luozejiaqun](https://github.com/luozejiaqun)) - cmake: Always use user defined CFLAGS, not only for release builds [\onflow#187](relic-toolkit/relic#187) ([xdustinface](https://github.com/xdustinface)) - Fix MinGW build [\onflow#186](relic-toolkit/relic#186) ([xdustinface](https://github.com/xdustinface)) - Remove debug printf in bn\_mxp\_slide [\onflow#184](relic-toolkit/relic#184) ([guidovranken](https://github.com/guidovranken)) - Remove ALLOC = STACK to simplify memory allocation. [\onflow#183](relic-toolkit/relic#183) ([dfaranha](https://github.com/dfaranha)) - Update relic\_alloc.h [\onflow#165](relic-toolkit/relic#165) ([aguycalled](https://github.com/aguycalled)) - Add correct support for FreeBSD and NetBSD [\onflow#164](relic-toolkit/relic#164) ([hoffmang9](https://github.com/hoffmang9))

The diff contains: - a lot of changes that concern parts of the library we don't use (other curves a la BN, BLS24-X, BLS12-383 ...), integer protocols (ETRS), field extension machinery ... - otherwise irrelevant changes, e.g. CI/CD - some memory bug fixing [Full Changeset](https://github.com/relic-toolkit/relic/compare/7a9bba7f..9206ae5) **Fixed bugs:** - Unexpected failure of ep2\_mul\[\_lwnaf\] above the prime group order [\#64](relic-toolkit/relic#64) **Closed issues:** - Other way to construct towered extension fields [\#203](relic-toolkit/relic#203) - blake2.h:101:5: error: size of array element is not a multiple of its alignment [\#202](relic-toolkit/relic#202) - ECIES 160bit [\#201](relic-toolkit/relic#201) - Compilation with "ARITH gmp" fails [\#200](relic-toolkit/relic#200) - Support for armv8-a ? [\#198](relic-toolkit/relic#198) - Function name bn\_init conflicts with OpenSSL when used in tandem [\#196](relic-toolkit/relic#196) - 16-bit MSP430 [\#193](relic-toolkit/relic#193) - Modular exponentiation returns 1 if exponent is 0 and modulo is 1 [\#185](relic-toolkit/relic#185) - Compilation of RELIC with bls12-446 and bls12-455 fails [\#182](relic-toolkit/relic#182) - test\_bn fails with BLS12-381 preset [\#181](relic-toolkit/relic#181) - \[BUG\] undefined reference to `bench_init', `bench\_clean' [\#180](relic-toolkit/relic#180) - Tests FTBFS because of missing symbol in header [\#179](relic-toolkit/relic#179) - Builds are broken [\#178](relic-toolkit/relic#178) - compile error inlining failed in call to always\_inline ‘\_mm\_alignr\_epi8’ on unbantu20.04 gcc9 [\#177](relic-toolkit/relic#177) - bn\_write\_str buffer overflow [\#176](relic-toolkit/relic#176) - ECDSA verify succeeds when it should fail [\#175](relic-toolkit/relic#175) - ec\_mul\_gen hangs with curve SECG\_K256 [\#174](relic-toolkit/relic#174) - Wrong square root computation [\#173](relic-toolkit/relic#173) - Out-of-bounds read via bn\_sqr\_basic [\#172](relic-toolkit/relic#172) - OSS-Fuzz integration [\#171](relic-toolkit/relic#171) - Building Relic with Curve NIST\_P256 throws FATAL ERROR in relic\_fp\_prime.c:120 [\#170](relic-toolkit/relic#170) - Compressing \(packing\) a point to binary array does not comply with X9.62 standard [\#169](relic-toolkit/relic#169) - ‘ctx\_t’ {aka ‘struct \_ctx\_t’} has no member named ‘total’ [\#168](relic-toolkit/relic#168) - relic does not work with C++ [\#167](relic-toolkit/relic#167) - Memory leak in ep2\_curve\_init/clean with ALLOC=DYNAMIC [\#166](relic-toolkit/relic#166) - \*\_is\_valid\(\) functions produce false negative for not normalized points [\#147](relic-toolkit/relic#147) - Bench and Test doesnt build [\#122](relic-toolkit/relic#122) **Merged pull requests:** - Add pairing delegation protocols [\#199](relic-toolkit/relic#199) ([dfaranha](https://github.com/dfaranha)) - Fix support for Win64/MSVC targets. [\#197](relic-toolkit/relic#197) ([dfaranha](https://github.com/dfaranha)) - Simplify generator getting for Gt. [\#194](relic-toolkit/relic#194) ([luozejiaqun](https://github.com/luozejiaqun)) - cmake: Always use user defined CFLAGS, not only for release builds [\#187](relic-toolkit/relic#187) ([xdustinface](https://github.com/xdustinface)) - Fix MinGW build [\#186](relic-toolkit/relic#186) ([xdustinface](https://github.com/xdustinface)) - Remove debug printf in bn\_mxp\_slide [\#184](relic-toolkit/relic#184) ([guidovranken](https://github.com/guidovranken)) - Remove ALLOC = STACK to simplify memory allocation. [\#183](relic-toolkit/relic#183) ([dfaranha](https://github.com/dfaranha)) - Update relic\_alloc.h [\#165](relic-toolkit/relic#165) ([aguycalled](https://github.com/aguycalled)) - Add correct support for FreeBSD and NetBSD [\#164](relic-toolkit/relic#164) ([hoffmang9](https://github.com/hoffmang9))

laurent-girod mentioned this issue May 20, 2020

Add validation checks to tests. #149

Merged

laurent-girod mentioned this issue May 25, 2020

Add a cmp test in G1 for non-normalized points. #150

Merged

laurent-girod closed this as completed Apr 8, 2021

huitseeker mentioned this issue Jun 16, 2021

[crypto] Update relic to 9206ae5 onflow/flow-go#846

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

*_is_valid() functions produce false negative for not normalized points #147

*_is_valid() functions produce false negative for not normalized points #147

laurent-girod commented May 20, 2020

dfaranha commented May 20, 2020

dfaranha commented May 21, 2020

dfaranha commented Feb 8, 2021 •

edited

Loading

laurent-girod commented Apr 8, 2021

*_is_valid() functions produce false negative for not normalized points #147

*_is_valid() functions produce false negative for not normalized points #147

Comments

laurent-girod commented May 20, 2020

dfaranha commented May 20, 2020

dfaranha commented May 21, 2020

dfaranha commented Feb 8, 2021 • edited Loading

laurent-girod commented Apr 8, 2021

dfaranha commented Feb 8, 2021 •

edited

Loading