From 6fbf29a87cce47800c431fa513c5be9e693118fc Mon Sep 17 00:00:00 2001
From: Jack Lloyd
Date: Wed, 27 Jun 2018 17:36:39 -0400
Subject: Correct computing of discriminant in EC_Group::verify_group

It was checking 4*a+27*b instead of 4*a^3 + 27*b^2
---
 src/lib/pubkey/ec_group/ec_group.cpp | 50 ++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 16 deletions(-)
(limited to 'src/lib')

diff --git a/src/lib/pubkey/ec_group/ec_group.cpp b/src/lib/pubkey/ec_group/ec_group.cpp
index 1ad2fbb6d..586603507 100644
--- a/src/lib/pubkey/ec_group/ec_group.cpp
+++ b/src/lib/pubkey/ec_group/ec_group.cpp
@@ -701,24 +701,49 @@ bool EC_Group::verify_public_element(const PointGFp& point) const
 bool EC_Group::verify_group(RandomNumberGenerator& rng,
                             bool) const
    {
-   //compute the discriminant
-   Modular_Reducer p(get_p());
-   BigInt discriminant = p.multiply(4, get_a());
-   discriminant += p.multiply(27, get_b());
-   discriminant = p.reduce(discriminant);
-   //check the discriminant
+   const BigInt& p = get_p();
+   const BigInt& a = get_a();
+   const BigInt& b = get_b();
+   const BigInt& order = get_order();
+   const PointGFp& base_point = get_base_point();
+
+   if(a < 0 || a >= p)
+      return false;
+   if(b <= 0 || b >= p)
+      return false;
+   if(order <= 0)
+      return false;
+
+   //check if field modulus is prime
+   if(!is_prime(p, rng, 128))
+      {
+      return false;
+      }
+
+   //check if order is prime
+   if(!is_prime(order, rng, 128))
+      {
+      return false;
+      }
+
+   //compute the discriminant: 4*a^3 + 27*b^2 which must be nonzero
+   const Modular_Reducer mod_p(p);
+
+   const BigInt discriminant = mod_p.reduce(
+      mod_p.multiply(4, mod_p.cube(a)) +
+      mod_p.multiply(27, mod_p.square(b)));
+
    if(discriminant == 0)
       {
       return false;
       }
 
+   //check for valid cofactor
    if(get_cofactor() < 1)
       {
       return false;
       }
 
-   const PointGFp base_point = get_base_point();
-
    //check if the base point is on the curve
    if(!base_point.on_the_curve())
       {
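Review bot: The new range checks at the top of the hunk never bound `p` itself, so a field modulus of 2 or 3 passes `is_prime(p, rng, 128)` and reaches the discriminant test even though 4*a^3 + 27*b^2 is only the non-singularity condition for short Weierstrass curves in characteristic other than 2 and 3; tightening the third guard to `if(p <= 3 || order <= 0) return false;` closes that. The cofactor is likewise only checked with `if(get_cofactor() < 1)`, so nothing relates `get_cofactor() * order` to `p`: the base-point order test later in the function establishes the order of the subgroup, but a wrong cofactor still passes, which matters wherever the cofactor is used for cofactor clearing or public-element validation. A Hasse-bound check in squared form, roughly `if(square(get_cofactor() * order - p - 1) > p * 4) return false;` (using whatever BigInt square helper the project provides), would catch an inconsistent cofactor and belongs just before the `return true;` added in the second hunk. verify_group's body continues past the end of this hunk, so the exact placement of that check is inferred rather than visible here.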
@@ -728,19 +753,12 @@ bool EC_Group::verify_group(RandomNumberGenerator& rng,
       {
       return false;
       }
-
-   const BigInt& order = get_order();
-
-   //check if order is prime
-   if(!is_prime(order, rng, 128))
-      {
-      return false;
-      }
 
    //check if order of the base point is correct
    if(!(base_point * order).is_zero())
       {
       return false;
       }
+
    return true;
    }
-- 
cgit v1.2.3