• David Leon Gil's avatar
    crypto/elliptic: don't unmarshal points that are off the curve · d86b8d34
    David Leon Gil authored
    At present, Unmarshal does not check that the point it unmarshals
    is actually *on* the curve. (It may be on the curve's twist.)
    
    This can, as Daniel Bernstein has pointed out at great length,
    lead to quite devastating attacks. And 3 out of the 4 curves
    supported by crypto/elliptic have twists with cofactor != 1;
    P-224, in particular, has a sufficiently large cofactor that it
    is likely that conventional dlog attacks might be useful.
    
    This closes #2445, filed by Watson Ladd.
    
    To explain why this was (partially) rejected before being accepted:
    
    In the general case, for curves with cofactor != 1, verifying subgroup
    membership is required. (This is expensive and hard-to-implement.)
    But, as recent discussion during the CFRG standardization process
    has brought out, small-subgroup attacks are much less damaging than
    a twist attack.
    
    Change-Id: I284042eb9954ff9b7cde80b8b693b1d468c7e1e8
    Reviewed-on: https://go-review.googlesource.com/2421Reviewed-by: default avatarAdam Langley <agl@golang.org>
    d86b8d34
elliptic.go 11.1 KB