secp256r1: check for point equality before using incomplete formula

Author: Rexicon226

src/ballet/secp256r1/fd_secp256r1_s2n.c

@@ -41,7 +41,7 @@ fd_secp256r1_scalar_from_digest( fd_secp256r1_scalar_t * r,
 }
 
 static inline fd_secp256r1_scalar_t *
-fd_secp256r1_scalar_mul( fd_secp256r1_scalar_t *       r, 
+fd_secp256r1_scalar_mul( fd_secp256r1_scalar_t *       r,
                          fd_secp256r1_scalar_t const * a,
                          fd_secp256r1_scalar_t const * b ) {
   ulong t[ 8 ];
@@ -51,7 +51,7 @@ fd_secp256r1_scalar_mul( fd_secp256r1_scalar_t *       r,
 }
 
 static inline fd_secp256r1_scalar_t *
-fd_secp256r1_scalar_inv( fd_secp256r1_scalar_t       * r, 
+fd_secp256r1_scalar_inv( fd_secp256r1_scalar_t       * r,
                          fd_secp256r1_scalar_t const * a ) {
   ulong t[ 12 ];
   bignum_modinv( 4, r->limbs, (ulong *)a->limbs, (ulong *)fd_secp256r1_const_n[0].limbs, t );
@@ -131,7 +131,7 @@ fd_secp256r1_point_frombytes( fd_secp256r1_point_t * r,
   }
 
   bignum_tomont_p256( r->x->limbs, r->x->limbs );
-  
+
   /* y^2 = x^3 + ax + b */
   bignum_montsqr_p256( y2->limbs, r->x->limbs );
   bignum_add_p256    ( y2->limbs, y2->limbs, (ulong *)fd_secp256r1_const_a_mont[0].limbs );
@@ -176,6 +176,41 @@ fd_secp256r1_point_eq_x( fd_secp256r1_point_t const *  p,
   return FD_SECP256R1_FAILURE;
 }
 
+/* Given the projective point `r` and the affine point `p`,
+   returns 1 if they are equal and 0 otherwise.
+   Assumes that `p` X and Y coordinates are in Montgomery domain. */
+static inline int
+fd_secp256r1_point_eq_mixed( fd_secp256r1_point_t const * a,
+                             ulong                const   b[ 8 ] ) {
+  fd_secp256r1_fp_t x[1], y[1];
+  fd_memcpy( x->limbs, b+0, sizeof(fd_secp256r1_fp_t) );
+  fd_memcpy( y->limbs, b+4, sizeof(fd_secp256r1_fp_t) );
+  /* Indicates if the affine point is zero. */
+  int is_zero = fd_uint256_eq( x, fd_secp256r1_const_zero ) & fd_uint256_eq( y, fd_secp256r1_const_zero );
+
+  /* Easy cases */
+  if( FD_UNLIKELY( fd_uint256_eq( a->z, fd_secp256r1_const_zero ) ) ) {
+    return is_zero;
+  }
+  if( FD_UNLIKELY( is_zero ) ) {
+    return 0;
+  }
+
+  fd_secp256r1_fp_t z1z1[1];
+  bignum_montsqr_p256( z1z1->limbs, (ulong *)a->z->limbs );
+
+  fd_secp256r1_fp_t temp[1];
+  bignum_montmul_p256( temp->limbs, (ulong *)x->limbs, z1z1->limbs );
+
+  if( FD_UNLIKELY( fd_uint256_eq( a->x, temp ) ) ) {
+    bignum_montmul_p256( temp->limbs, z1z1->limbs,  (ulong *)a->z->limbs );
+    bignum_montmul_p256( temp->limbs, temp->limbs, (ulong *)y->limbs );
+    return fd_uint256_eq( a->y, temp );
+  } else {
+    return 0;
+  }
+}
+
 static inline void
 fd_secp256r1_double_scalar_mul_base( fd_secp256r1_point_t *        r,
                                      fd_secp256r1_scalar_t const * u1,
@@ -189,5 +224,9 @@ fd_secp256r1_double_scalar_mul_base( fd_secp256r1_point_t *        r,
 
   p256_montjscalarmul( (ulong *)r, (ulong *)u2->limbs, (ulong *)a );
 
-  p256_montjmixadd( (ulong *)r, (ulong *)r, rtmp );
+  if( FD_UNLIKELY( fd_secp256r1_point_eq_mixed( r, rtmp ) ) ) {
+    p256_montjdouble( (ulong *)r, (ulong *)r );
+  } else {
+    p256_montjmixadd( (ulong *)r, (ulong *)r, rtmp );
+  }
 }

src/ballet/secp256r1/test_secp256r1.c

@@ -16,7 +16,7 @@ test_secp256r1_scalar_frombytes( FD_FN_UNUSED fd_rng_t * rng ) {
   uchar _sig[ 64 ] = { 0 }; uchar * sig = _sig;
   fd_hex_decode( sig, "a940d67c9560a47c5dafb45ab1f39eb68c8fac9b51fc8c4e30b1f0e63e4967d3586569a56364c3b03eefd421aa7fc750f6fa187210c3206c55602f96e0ecaa4d", 64 );
   fd_secp256r1_scalar_t _r[1]; fd_secp256r1_scalar_t * r = _r;
-  
+
   FD_TEST( fd_secp256r1_scalar_frombytes( r, sig )==r );
   FD_TEST( fd_secp256r1_scalar_frombytes_positive( r, sig+32 )==r );
   FD_TEST( fd_secp256r1_scalar_frombytes_positive( r, sig )==NULL );
@@ -105,7 +105,7 @@ test_secp256r1_fp_frombytes( FD_FN_UNUSED fd_rng_t * rng ) {
   uchar _buf[ 32 ] = { 0 }; uchar * buf = _buf;
   fd_hex_decode( buf, "d8c82b3791c8b51cfe44aa50226217159596ca26e6075aaf8bf8be2d351b96ae", 32 );
   fd_secp256r1_fp_t _r[1]; fd_secp256r1_fp_t * r = _r;
-  
+
   FD_TEST( fd_secp256r1_fp_frombytes( r, buf )==r );
 
   // bench
@@ -129,7 +129,7 @@ test_secp256r1_fp_sqrt( FD_FN_UNUSED fd_rng_t * rng ) {
   fd_hex_decode( sqrt1, "f942f2008adaab3a98ad4af432f97b2cc45170a9051574304e12c6b461c012e8", 32 );
   fd_secp256r1_fp_t _r[1]; fd_secp256r1_fp_t * r = _r;
   fd_secp256r1_fp_t a[1];
-  
+
   FD_TEST( fd_secp256r1_fp_frombytes( a, sqrt1 )==a );
   FD_TEST( fd_secp256r1_fp_sqrt( r, a )==NULL );
 
@@ -222,6 +222,33 @@ test_secp256r1_point_eq_x( FD_FN_UNUSED fd_rng_t * rng ) {
   }
 }
 
+static void
+test_secp256r1_double_scalar_mul_base_equal_points( FD_FN_UNUSED fd_rng_t * rng ) {
+  /* edge case in fd_secp256r1_double_scalar_mul_base where the point
+     addition at the end receives equal points. without special handling,
+     performing a point addition in incomplete jacobian coordinates results
+     in an invalid result. */
+  uchar _buf[ 33 ] = { 0 }; uchar * buf = _buf;
+  fd_secp256r1_scalar_t u1[1], u2[1], expected_x[1];
+  fd_secp256r1_point_t pub[1], result[1];
+
+  fd_hex_decode( buf, "cdfa20ffc3bcdc92cdf4f96552b30a2f775d4353d857fab82729f140b16fbb07", 32 );
+  fd_secp256r1_scalar_frombytes( u1, buf );
+
+  fd_hex_decode( buf, "5f811cb929645f8b6facaa5090e5e945452ec40a3193ca54ee8971105e503a69", 32 );
+  fd_secp256r1_scalar_frombytes( u2, buf );
+
+  fd_hex_decode( buf, "03578af9bfb68e75c0f38fa2b4af3815164ec0acfb1e111fe9bc425b373735d62e", 33 );
+  FD_TEST( fd_secp256r1_point_frombytes( pub, buf )==pub );
+
+  /* x-coordinate of 2*(u1*G) = u1*G + u2*A */
+  fd_hex_decode( buf, "aa30744d8384e6c20a67418b687ab2a0f049368917e15ef9832fe61d3bf2b622", 32 );
+  fd_secp256r1_scalar_frombytes( expected_x, buf );
+
+  fd_secp256r1_double_scalar_mul_base( result, u1, pub, u2 );
+  FD_TEST( fd_secp256r1_point_eq_x( result, expected_x )==FD_SECP256R1_SUCCESS );
+}
+
 static void
 test_secp256r1_verify( FD_FN_UNUSED fd_rng_t * rng ) {
 
@@ -297,6 +324,8 @@ main( int     argc,
   test_secp256r1_point_frombytes ( rng );
   test_secp256r1_point_eq_x      ( rng );
 
+  test_secp256r1_double_scalar_mul_base_equal_points( rng );
+
   test_secp256r1_verify          ( rng );
 
   FD_LOG_NOTICE(( "pass" ));