Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/secp256k1: fix undefined behavior in BitCurve.Add #22621

Merged
merged 7 commits into from
May 27, 2021

Conversation

MariusVanDerWijden
Copy link
Member

This PR fixes the behavior of (BitCurve).Add() to be more inline
with btcd and the standard library. It changes two different bugs that occured.

  1. When adding a point at infinity to another point, the other point
    should be returned. While this is undefined behavior, it is better
    to be more inline with the go standard library.
    Thus (0,0) + (a, b) = (a,b)

  2. Adding the same point to itself produced the point at infinity.
    This is incorrect, now doubleJacobian is used to correctly calculate it.
    This is also similar to the go standard library.
    Thus (a,b) + (a,b) == 2* (a,b) and not (0,0) anymore

It also adds a differential fuzzer to test it against btcd.

This commit fixes the behavior of (BitCurve).Add() to be more inline
with btcd. It changes two different bugs that occured.

1) When adding a point at infinity to another point, the other point
should be returned. While this is undefined behavior, it is better
to be more inline with the go standard library.
Thus (0,0) + (a, b) = (a,b)

2) Adding the same point to itself produced the point at infinity.
This is incorrect, now doubleJacobian is used to correctly calculate it.
This is also similar to the go standard library.
Thus (a,b) + (a,b) == 2* (a,b) and not (0,0) anymore.
@fjl
Copy link
Contributor

fjl commented Apr 7, 2021

We need to find a way to not copy the code into the fuzzer. If it's absolutely not possible to build the fuzzer with cgo, we can do it with build tags in crypto/secp256k1.

@MariusVanDerWijden
Copy link
Member Author

@fjl It's absolutely not possible to build it with cgo, see also dvyukov/go-fuzz#101 dvyukov/go-fuzz#171

We would need to either modify Add to make it independent from the bitCurve
or/and move the scalar_mult into a subpackage.
For the other secp fuzzer (signatures), we use nocgo and btcd.

@fjl fjl self-assigned this Apr 21, 2021
@fjl fjl added this to the 1.10.4 milestone May 11, 2021
@fjl fjl removed their assignment May 27, 2021
@fjl fjl changed the title crypto/secp256k1: fix undefined behavior crypto/secp256k1: fix undefined behavior in BitCurve.Add May 27, 2021
@fjl fjl merged commit 0703ef6 into ethereum:master May 27, 2021
atif-konasl pushed a commit to frozeman/pandora-execution-engine that referenced this pull request Oct 15, 2021
)

This commit changes the behavior of BitCurve.Add to be more inline
with btcd. It fixes two different bugs:

1) When adding a point at infinity to another point, the other point
   should be returned. While this is undefined behavior, it is better
   to be more inline with the go standard library.
   Thus (0,0) + (a, b) = (a,b)

2) Adding the same point to itself produced the point at infinity.
   This is incorrect, now doubleJacobian is used to correctly calculate it.
   Thus (a,b) + (a,b) == 2* (a,b) and not (0,0) anymore.

The change also adds a differential fuzzer for Add, testing it against btcd.

Co-authored-by: Felix Lange <fjl@twurst.com>
@MariusVanDerWijden MariusVanDerWijden deleted the secp-fuzzer branch November 30, 2021 15:33
gzliudan added a commit to gzliudan/XDPoSChain that referenced this pull request Nov 29, 2024
gzliudan added a commit to gzliudan/XDPoSChain that referenced this pull request Dec 2, 2024
gzliudan added a commit to gzliudan/XDPoSChain that referenced this pull request Dec 2, 2024
gzliudan added a commit to gzliudan/XDPoSChain that referenced this pull request Dec 4, 2024
gzliudan added a commit to gzliudan/XDPoSChain that referenced this pull request Dec 9, 2024
JukLee0ira pushed a commit to JukLee0ira/XDPoSChain that referenced this pull request Jan 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants