[Bug] Efficient Handling of the Infinity Point in Jacobian Curve Addition #2316
Labels
does not block mainnet
For when we make decisions that this will not block mainnet.
enhancement
New feature or request
🐛 Bug Report
Efficient Handling of the infinity point in jacobian curve addition and doubling
Summary:
Referring to CVE-2017-7781 that a https://blog.intothesymmetry.com/2017/08/cve-2017-7781cve-2017-10176-issue-with.html post discussing vulnerabilities in Jacobian addition misuse.
They used a madd-2004-hmv implementation to calcuate jacobian addition, missing the situtation U1 == U2
Similarly, in SnarkVM, SnarkVM use the add-2007-bl method for this calculation.
An issue arises when calculating two points (X1, Y1, Z1) and (X2, Y2, Z2) represented in Jacobian coordinates.
The condition S1 != S2 is missed, leading to this point at infinity.
https://github.com/AleoHQ/snarkVM/blob/testnet3/curves/src/templates/short_weierstrass_jacobian/projective.rs#L437
According to the referenced https://eprint.iacr.org/2021/1595.pdf infinity points
in projective coordinates are represented as (0:1:0). When S1 != S2, the method should return infinity, and the
remaining portion of the calculation not be processed.
Fortunately, if the case of s1 != s2 is ignored and the process continues, the outcome will still yield z3 = 0, which means the final result is still the point at infinity.
Same efficient way to calculate doubling, if Y == 0, return POINT_AT_INFINITY
https://en.wikibooks.org/wiki/Cryptography/Prime_Curve/Jacobian_Coordinates
Proof-of-Concept
Impact
This issue does not pose a security threat and cannot be exploited. It is a matter of achieving a more efficient calculation of the point at infinity.
The text was updated successfully, but these errors were encountered: