[openssl-dev] ecp_nistz256 correctness/constant-timedness

Emilia Käsper emilia at openssl.org
Fri Apr 24 13:00:42 UTC 2015

Thanks for the report! Let me clarify a few points, and then I'll fix it.

On Thu, Apr 23, 2015 at 11:07 PM, Brian Smith <brian at briansmith.org> wrote:

> Hi,
> I have some questions regarding this implementation.
> https://github.com/openssl/openssl/blob/e0e920b1a063f14f36418f8795c96f2c649400e1/crypto/ec/ecp_nistz256.c
> 1. In ecp_nistz256_points_mul, we have this code:
>     if ((BN_num_bits(scalar) > 256) {
>             ...
>             if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {...}
>             scalar = tmp_scalar;
>     }
> I think it would be useful to add a comment about why this is OK in terms
> of the constant-time-correctness of the code, because it isn't obvious.
Yes, this needs a comment. Basically we treat overlong scalars as
malformed, and don't guarantee constant-timeness for them. (It'd be too
hard.) In the ecp_nistp***.c modules, this is commented.

> 2. Later in the same function, we have this code:
>     bn_correct_top(r->X);
>     bn_correct_top(r->Y);
>     bn_correct_top(r->Z);
> Again, it isn't clear why it is OK to call bn_correct_top given that
> bn_correct_top isn't a constant-time function. I think either this code
> should be changed so that it is constant time, or a comment should be added
> explaining why it doesn't need to be.

I think that's fine and just needs a comment. It happens in the end and
basically strips leading zero-words from the (presumably public) output.
The ecp_nistp***.c code just calls
EC_POINT_set_Jprojective_coordinates_GFp() at this point.

> 3. When doing the initial adaptation of the code to get it working inside
> of BoringSSL, I had to make this change:
>     bn_correct_top(r->X);
>     bn_correct_top(r->Y);
>     bn_correct_top(r->Z);
> +  r->Z_is_one = is_one(p.p.Z);
> (Alternatively, maybe one can change BoringSSL's implementation
> of EC_POINT_is_at_infinity to ignore r->Z_is_one like OpenSSL's
> implementation does.)

Yep, that's a bug because r->Z_is_one may remain incorrectly set.

I don't know why BoringSSL does that extra check in
EC_POINT_is_at_infinity, though; it precedes their public git history. I'll
check with the authors.
I agree with you that this appears an optimization flag, so what should
always be guaranteed is that point->Z_is_one => BN_is_one(point->Z). But
!point->Z_is_one => inconclusive.

> Looking at the OpenSSL code, I can see that Z_is_one is only used for
> optimization purposes in the "simple" ECC implementation. Even ignoring
> BoringSSL being different, I found it confusing that sometimes Z_is_one
> *must* be set correctly and other times it *must* be ignored. Perhaps it is
> worth renaming this member to "simple_Z_is_one" and/or documenting more
> clearly when it is maintained and when it can and cannot be used.
> Alternatively, I noticed that BN_is_one is not a very expensive function,
> and probably can be made even less expensive, so the optimization of using
> the Z_is_one flag instead of just calling BN_is_one may not be worthwhile.
> Perhaps it would be better to remove it completely?

Quite likely! This'll go on a TODO list somewhere...

> 4. There seems to be quite a bit of missing error checking in this code.
> For example, the return values of calls to bn_wexpand are not checked in
> multiple functions. Further, a lot of the error checking in the
> probably-never-used ecp_nistz256_mult_precompute function is missing, e.g.
> calls to EC_POINT_new, EC_POINT_copy, and
> ec_GFp_simple_{add,dbl,make_affine}. I think this whole file needs to be
> combed for missing error checks.
> 5. In ecp_nistz256_mult_precompute, if the ctx parameter is null, a new
> context will be created with BN_CTX_new but BN_CTX_free is not called
> anywhere in the file.

Yep, these need fixing.


> All that aside, this code is very fast, and it is awesome that it got
> adapted to non-X64 platforms already!
> Cheers,
> Brian
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150424/332629b1/attachment-0001.html>

More information about the openssl-dev mailing list