[openssl-dev] Are the point-at-infinity checks in ecp_nistz256 correct?
Brian Smith
brian at briansmith.org
Fri Jul 22 22:35:20 UTC 2016
Brian Smith <brian at briansmith.org> wrote:
> The issue is particularly clear when we multiply the generator by
> zero. Note that in general, an application shouldn't multiply the
> generator by zero since there's no useful cryptographic purpose for
> doing so. But, this is a convenient example.

Sorry, I was wrong. From the definition of ECDSA:

    H = Hash(M).
    Convert the bit string H to an integer e.
    w = s**−1 mod n
    u1 = (e * w) mod n
    R = u1*G + u2*Q

If the highest 256 bits of Hash(M) are zero, then e == 0 and then u1
== 0 * w == 0. So, it probably is important to handle g_scalar == 0 in
the way I described in my earlier message, using the conditional copy.
Cheers,
Brian
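
The verification equations quoted in the message above, as an added example that is not part of the original post and is not OpenSSL's ecp_nistz256 code: a plain affine reference model showing that with e == 0 the term u1*G is the point at infinity and R must equal u2*Q. The private key `d`, nonce `k`, and passing `e` directly instead of hashing a message are constructed assumptions, and the code is not constant-time.

```python
# Reference model only: affine P-256 with None as the point at infinity.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None

def add(p1, p2):
    # Infinity is the identity; this is the case a g_scalar == 0 path must honour.
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    acc = INF                           # k == 0 returns infinity
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def sign_e(e, d, k):
    # ECDSA signing on an already-converted integer e.
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (e + r * d) % N

def verify_e(e, r, s, Q):
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    u1, u2 = e * w % N, r * w % N       # e == 0 forces u1 == 0
    R = add(mul(u1, G), mul(u2, Q))     # R = u1*G + u2*Q
    return R is not INF and R[0] % N == r

D_CONSTRUCTED = 0x1234567890abcdef      # constructed private key
K_CONSTRUCTED = 0x0fedcba987654321      # constructed nonce
Q_CONSTRUCTED = mul(D_CONSTRUCTED, G)
```

An implementation whose generator multiplication returns anything other than infinity for a zero scalar would reject the e == 0 signature that this model accepts.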