ecc: Discrepancy of handling MPI for the interpretation of signed and unsigned
Open, WishlistPublic


In the code of ECC with SEXP, some parts are handled as signed, other parts are handled as unsigned.
While having this inconsistency, it works.
Because it (computation result) never emits negative value (writing is handled as signed data with leading zero octet,
and reading is done by signed or unsigned).

In the code for curve Ed25519, we use negative constants unfortunately in its domain parameters, and it affects the computation of keygrip.
<-- only this part should be kept for the use of negative value.
Except this part of Ed25519, other parts are all unsigned.

gniibe created this task.Jun 1 2020, 7:23 AM
gniibe renamed this task from ecc: Disrepancy of handling MPI for the interpretation of signed and unsigned to ecc: Discrepancy of handling MPI for the interpretation of signed and unsigned.Nov 16 2020, 8:09 AM
werner added a subscriber: werner.Thu, Jan 7, 11:33 AM

Do we really need this for 1.9?

gniibe updated the task description. (Show Details)Fri, Jan 8, 2:16 AM
gniibe added a comment.Fri, Jan 8, 3:13 AM

I describe about rC6f8b1d4cb798: ecc: Consistently handle parameters as unsigned value..

rC6f8b1d4cb798 is important (for me), as it is the removal of the last place which (somehow explicitly) allows use of negative value.

After this change, the ECC computation can assume that integers are all non-negative.

My intention of this task directly relates to:

  • curve specific optimization
  • introduce of redundant representation of integer (in future version of libgcrypt), for internal computation of modern ECC

which uses fixed number of limbs, assuming non-negative.

gniibe added a comment.EditedFri, Jan 8, 6:58 AM

For printing SEXP, it would be good to have this change:

diff --git a/src/sexp.c b/src/sexp.c
index de28aedc..864916be 100644
--- a/src/sexp.c
+++ b/src/sexp.c
@@ -1483,6 +1483,12 @@ do_vsexp_sscan (gcry_sexp_t *retsexp, size_t *erroff,
+                  if (mpifmt == GCRYMPI_FMT_USG && mpi_cmp_ui (m, 0) < 0)
+                    {
+                      err = GPG_ERR_INV_ARG;
+                      goto leave;
+                    }
                   err = _gcry_mpi_print (mpifmt, NULL, 0, &nm, m);
                   if (err)
                     goto leave;

This change makes sure not to write wrong value, but to raise an error.

werner added a comment.Fri, Jan 8, 9:43 AM

I agree to the sexp change - but it should not be backported to 1.8