Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/ecdsa: Sign output differs using 1.18 #52510

Closed
glerchundi opened this issue Apr 23, 2022 · 6 comments
Closed

crypto/ecdsa: Sign output differs using 1.18 #52510

glerchundi opened this issue Apr 23, 2022 · 6 comments
Labels
FrozenDueToAge

Comments

@glerchundi
Copy link

glerchundi commented Apr 23, 2022
edited

What version of Go are you using (go version)?

1.18

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

arm64 but I would say it does reproduce in other environments as we detected in a failing test in our CI which uses linux/amd64.

What did you do?

1.18: https://go.dev/play/p/d-e_UyfTK9B
1.17: https://go.dev/play/p/d-e_UyfTK9B?v=goprev

What did you expect to see?

Same result in both.

What did you see instead?

Different output:

ecdsa.Sign using go1.17:

r: 78c77cb0899fb055898722d9c9f5cc88ce9a31da2a3aa7b4263097a69745e31e
s: 1a2d024dfe843792a9681760d0b88ffa26d313b564f01869b04c8e451c3e7922

ecdsa.Sign using go1.18:

r: d467f26b6da925b26a84094a80b7d2d89580fc799ced84ef3b248c0e5e46c487
s: 50920862dd5acc1b6270406eb731cdd2ec7da627464a1254e65d9657a89520ce

The hardcoded key is a PKCS8 key for an underlying P256 elliptic curve. Generated using crypto/rand and 1.18 although I don't think this would be an important detail as it was caught in our CI using a previously generated key using 1.17.

Code for key generation if that helps:

k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
kBytes, _ := x509.MarshalPKCS8PrivateKey(k)
@glerchundi
Copy link
Author

Friendly cc'ing @FiloSottile 🙏

@glerchundi
Copy link
Author

glerchundi commented Apr 23, 2022
edited

This output mismatch could to be related to this commit: crypto/ecdsa: draw a fixed amount of entropy while signing.

@FiloSottile
Copy link
Contributor

You should not expect the signature value to be stable relatively to a specific randomness input stream. We actually go out of our way to draw an extra byte or not to not always generate the same signature, but since your randomness input is all zeroes, it will still look stable-ish. Anyway, the algorithm will sometimes change between releases, that's to be expected.

@glerchundi
Copy link
Author

Thanks for the quick response & clarification! Although I need to get my head around your words as I don't understand how the same input could output different results and they continue to be verifiable! I will take a look to the verify internals. Thanks!

@FiloSottile
Copy link
Contributor

Unlike hashes, there can be multiple valid signatures for a (message, public key) pair. Some algorithms like Ed25519 are deterministic in that they will always generate the same one when signing, but that's just an implementation choice. You could add randomness to Ed25519 and get many valid signatures for the same message. If you need that not to be true, you want a Verifiable Random Function, not a signature scheme.

@glerchundi
Copy link
Author

Thanks for the detailed comment @FiloSottile, it's really appreciated!

@golang golang locked and limited conversation to collaborators Apr 24, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@FiloSottile @glerchundi @gopherbot