From f5e46026d8ac5c0db0d6426ad6854e98019e8812 Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Wed, 25 Oct 2023 13:28:44 +0700
Subject: EdDSA: extra guards against faults
---
 crypto/src/math/ec/rfc8032/Ed25519.cs | 19 +++++++++++--------
 crypto/src/math/ec/rfc8032/Ed448.cs | 9 ++++++---
 2 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/crypto/src/math/ec/rfc8032/Ed25519.cs b/crypto/src/math/ec/rfc8032/Ed25519.cs
index bf3a1a8d8..7318a8a7e 100644
--- a/crypto/src/math/ec/rfc8032/Ed25519.cs
+++ b/crypto/src/math/ec/rfc8032/Ed25519.cs
@@ -167,13 +167,14 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 F.Sqr(p.x, u);
 F.Sqr(p.y, v);
 F.Mul(u, v, t);
- F.Sub(v, u, v);
+ F.Sub(u, v, u);
 F.Mul(t, C_d, t);
 F.AddOne(t);
- F.Sub(t, v, t);
+ F.Add(t, u, t);
 F.Normalize(t);
+ F.Normalize(v);
- return F.IsZero(t);
+ return F.IsZero(t) & ~F.IsZero(v);
 }
 private static int CheckPoint(PointAccum p)
@@ -187,15 +188,17 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 F.Sqr(p.y, v);
 F.Sqr(p.z, w);
 F.Mul(u, v, t);
- F.Sub(v, u, v);
- F.Mul(v, w, v);
+ F.Sub(u, v, u);
+ F.Mul(u, w, u);
 F.Sqr(w, w);
 F.Mul(t, C_d, t);
 F.Add(t, w, t);
- F.Sub(t, v, t);
+ F.Add(t, u, t);
 F.Normalize(t);
+ F.Normalize(v);
+ F.Normalize(w);
- return F.IsZero(t);
+ return F.IsZero(t) & ~F.IsZero(v) & ~F.IsZero(w);
 }
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
@@ -950,7 +953,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 F.Normalize(p.y);
 F.Normalize(p.z);
- return F.IsZeroVar(p.x) && F.AreEqualVar(p.y, p.z);
+ return F.IsZeroVar(p.x) && !F.IsZeroVar(p.y) && F.AreEqualVar(p.y, p.z);
 }
 private static void PointAdd(ref PointExtended p, ref PointExtended q, ref PointExtended r, ref PointTemp t)
diff --git a/crypto/src/math/ec/rfc8032/Ed448.cs b/crypto/src/math/ec/rfc8032/Ed448.cs
index 54321e37d..589d532b4 100644
--- a/crypto/src/math/ec/rfc8032/Ed448.cs
+++ b/crypto/src/math/ec/rfc8032/Ed448.cs
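Review bot: The new `~F.IsZero(v)` term in the return of the Ed25519.cs hunk at -167 is undocumented, and it does more than catch a zeroed buffer: it also rejects the genuine curve points with y = 0, which have order 4, so a comment should state that this is intended. The swap to `F.Sub(u, v, u)` / `F.Add(t, u, t)` appears to exist only so that v still holds y² when the guard runs, which is easy to undo by accident in a later cleanup. I would add above the return something like `// v is still y^2 here: reject y == 0 (zeroed/faulted coordinate; also excludes the order-4 points)`. The same comment is missing in the -187 hunk of this file and in the -140 and -162 hunks of Ed448.cs. The function signature lies above the hunk, so I am assuming this is the affine CheckPoint overload.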
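Review bot: In the Ed25519.cs hunk at -187, `F.Sqr(w, w)` overwrites w before the final `F.Normalize(w)` / `~F.IsZero(w)`, so the guard tests z⁴ rather than z², and nothing in the code says that this is deliberate. The two are equivalent in the field, but a one-line comment would stop a reader from treating it as a mistake, e.g. `// w == z^4 here; zero exactly when z is, so this still rejects z == 0`. It would also help to note why the guard is needed at all: assuming u is x² (its assignment is above the hunk), x = y = z = 0 makes every term of t vanish, so the equation check alone accepts an all-zero PointAccum. The start of the function is outside the hunk.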
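Review bot: The added `!F.IsZeroVar(p.y)` in the Ed25519.cs hunk at -950 has no comment and, going by the diffstat (only the two source files change), no regression test. With x = y = z = 0 the old expression would have evaluated to true, so an all-zero point was indistinguishable from the neutral element in what appears to be the neutral-element test; that is worth recording next to the condition, e.g. `// (0, 0, 0) is not a valid projective point; do not let it pass as the neutral element`. A unit test that feeds an all-zero point and expects false would pin the behaviour for both curves. The same applies to the -868 hunk of Ed448.cs, and the enclosing function starts above this hunk, so its name is inferred.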
@@ -140,8 +140,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 F.SubOne(t);
 F.Add(t, u, t);
 F.Normalize(t);
+ F.Normalize(v);
- return F.IsZero(t);
+ return F.IsZero(t) & ~F.IsZero(v);
 }
 private static int CheckPoint(PointProjective p)
@@ -162,8 +163,10 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 F.Sub(t, w, t);
 F.Add(t, u, t);
 F.Normalize(t);
+ F.Normalize(v);
+ F.Normalize(w);
- return F.IsZero(t);
+ return F.IsZero(t) & ~F.IsZero(v) & ~F.IsZero(w);
 }
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
@@ -868,7 +871,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 F.Normalize(p.y);
 F.Normalize(p.z);
- return F.IsZeroVar(p.x) && F.AreEqualVar(p.y, p.z);
+ return F.IsZeroVar(p.x) && !F.IsZeroVar(p.y) && F.AreEqualVar(p.y, p.z);
 }
 private static void PointAdd(ref PointAffine p, ref PointProjective r, ref PointTemp t)
-- cgit 1.4.1