Looks like ECC sign/verify has a bug.

Konstantin Andreev Fri, 18 Dec 2009 05:01:02 -0800

Hello.

I have noticed, the following method is used in the ECC sign/verify routines to 
derive 'e' integer from a digest:


----( begin cite )----
    /* In the definition of EC signing, digests are truncated
     * to the length of n in bits.
     * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
    if (digest->len*8 > ecParams->fieldID.size) {  /* u1 = HASH(M') */
        mpl_rsh( &u1, &u1, digest->len*8 - ecParams->fieldID.size );
    }
----( end   cite )----

See the same at cvs blame:

  
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ec.c&rev=1.20&mark=758-763,979-984#751
  
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ec.c&rev=1.20&mark=758-763,979-984#972

In the code above, the field size is used instead of base point order length. 
For most curves they are the identical, not not for all. This looks like a bug 
for me.

Best regards,
--
Konstantin Andreev, software engineer.
Swemel JSC
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Looks like ECC sign/verify has a bug.

Reply via email to