x/crypto/ed25519: GeDoubleScalarMultVartime returns wrong value for low scalar #34122
Labels: FrozenDueToAge, NeedsInvestigation
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
What did you do?
Reused package to access internal implementation (internal/edwards25519) for implementing ECDHE with Ed25519 keys. This involves the use of the 'GeDoubleScalarMultVartime()' method to compute the shared secret.
According to the docs 'GeDoubleScalarMultVartime sets r = aA + bB'. This method does not return the correct point 'r' if the bitlength of 'a' is less than 249.
You can check the source code here: https://git.wauland.de/brf/gnunet-go. The relevant code is in src/gnunet/crypto/key_exchange.go
What did you expect to see?
The correct Ed25519 curve point for any value of 'a'
What did you see instead?
A wrong curve point if 'a' has its most significant byte set to zero.
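The semantics described above (r = aA + bB, with both scalars as 32 little-endian bytes), as an added reference implementation in pure Python that is not part of this issue, of gnunet-go or of x/crypto: it computes the sum with slow affine curve arithmetic so a library's fast double-scalar-mult output can be compared against an independent oracle, and check_low_scalar exercises exactly the reported case, a scalar whose most significant byte is zero. The curve constants are the standard Ed25519 ones; the sample scalars are constructed here, not taken from the report.

```python
# Added reference (not from the issue or x/crypto): slow affine Ed25519 arithmetic
# that computes r = a*A + b*B to serve as an oracle for a library's fast version.
q = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point

def inv(x):
    return pow(x, q - 2, q)

d = -121665 * inv(121666) % q                         # curve constant
sqrt_m1 = pow(2, (q - 1) // 4, q)                     # a square root of -1

def xrecover(y):
    """Recover the even x coordinate for a given y (RFC 8032 decoding rule)."""
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = x * sqrt_m1 % q
    return q - x if x % 2 else x

By = 4 * inv(5) % q
B = (xrecover(By), By)                                # standard base point

def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q,
            (y1 * y2 + x1 * x2) * inv(1 - t) % q)

def scalar_mult(P, e):
    R = (0, 1)                                        # neutral element
    for bit in reversed(range(e.bit_length())):       # left-to-right double-and-add
        R = edwards_add(R, R)
        if (e >> bit) & 1:
            R = edwards_add(R, P)
    return R

def double_scalar_mult(a, A, b):
    """a*A + b*B with a and b as 32 little-endian bytes, the layout the Go API uses."""
    return edwards_add(scalar_mult(A, int.from_bytes(a, "little")),
                       scalar_mult(B, int.from_bytes(b, "little")))

def check_low_scalar(k, a_int, b_int):
    """With A = k*B, a*A + b*B must equal (a*k + b)*B. Returns True when consistent."""
    A = scalar_mult(B, k)
    r = double_scalar_mult(a_int.to_bytes(32, "little"), A, b_int.to_bytes(32, "little"))
    return r == scalar_mult(B, (a_int * k + b_int) % L)

if __name__ == "__main__":  # constructed sample: `a` is 200 bits, so its top byte is zero
    print(check_low_scalar(123456789, (1 << 199) + 0xABCDEF, 987654321))
```

To test a library, feed it the same a, A and b and compare its affine result with double_scalar_mult; the reference is deliberately slow and not constant-time, so it is for test vectors only.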