-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoid using out-of-bounds field elements (in impossible cases) #282
base: master
Are you sure you want to change the base?
Avoid using out-of-bounds field elements (in impossible cases) #282
Conversation
secp256k1_fe_set_b32_limit says that when it returns 0, one is not allowed to use the resulting output value. This refactors the code so that the existing value of t is maintained in cases where sha256 would output an out-of-bounds hash value. Note: This situation is cryptographically impossible to occur.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, yeah, good catch! This is similar to bitcoin-core/secp256k1#1316 .
I wonder if there's a better fix in this case. Looking at the implementation of _limit
, the field element is actually a valid one. Just in the tests, we mark it as invalid by setting the magnitude to -1
, so that _fe_verify
will catch any read accesses to it.
I guess we could declassify ret
and return early when it's 0.
Since we are already changing cryptographically inaccessable behavior in #286, maybe we ought to switch to @apoelstra do you have an opinion? |
Ah this bug was introduced in #256 when Anyhow, I think we should seriously entertain just using the Honestly I don't understand why people insist on failing when hashes return values larger than the secp256k1 field size, rather than just wrapping. |
It's the other way around! |
Agreed, that's the best fix.
For the record, I fully agree. We have debated negligible cases a lot in the past, but I've personally settled on this conclusion: Since these cases won't occur in practice, we should not discuss what happens if we hit these cases. We instead just should do whatever is convenient for us. And in this case, this is for sure taking a mod. This avoids a branch (and an annoying branch because we cannot test it, etc...), it makes sure static analysis tools won't complain about invalid uses / out-of-bound fields, and it's faster... |
Okay. I will build and alternative PR that uses |
I wrote up a version that uses
|
secp256k1_fe_set_b32_limit says that when it returns 0, one is not allowed to use the resulting output value.
This refactors the code so that the existing value of t is maintained in cases where sha256 would output an out-of-bounds hash value.
Note: This situation is cryptographically impossible to occur.