diff options
| author | David Leon Gil <coruus@gmail.com> | 2015-01-06 21:07:24 -0800 |
|---|---|---|
| committer | Adam Langley <agl@golang.org> | 2015-04-26 21:11:50 +0000 |
| commit | d86b8d34d069c3895721ba47cac664f8bbf2b8ad (patch) | |
| tree | 5be6f6a662efdf73b25c97e054b52c7bd152e689 /src/debug | |
| parent | 54bb4b9fd771f793c623e82afcb769068736495a (diff) | |
| download | go-d86b8d34d069c3895721ba47cac664f8bbf2b8ad.tar.xz | |
crypto/elliptic: don't unmarshal points that are off the curve
At present, Unmarshal does not check that the point it unmarshals
is actually *on* the curve. (It may be on the curve's twist.)
This can, as Daniel Bernstein has pointed out at great length,
lead to quite devastating attacks. And 3 out of the 4 curves
supported by crypto/elliptic have twists with cofactor != 1;
P-224, in particular, has a sufficiently large cofactor that it
is likely that conventional dlog attacks might be useful.
This closes #2445, filed by Watson Ladd.
To explain why this was (partially) rejected before being accepted:
In the general case, for curves with cofactor != 1, verifying subgroup
membership is required. (This is expensive and hard-to-implement.)
But, as recent discussion during the CFRG standardization process
has brought out, small-subgroup attacks are much less damaging than
a twist attack.
Change-Id: I284042eb9954ff9b7cde80b8b693b1d468c7e1e8
Reviewed-on: https://go-review.googlesource.com/2421
Reviewed-by: Adam Langley <agl@golang.org>
Diffstat (limited to 'src/debug')
0 files changed, 0 insertions, 0 deletions