3

I'm using EC_POINT_mul in OpenSSL, and I would like to avoid an invalid curve attack. I can see that there is a check for ec_point_is_compat in EC_POINT_mul; which is also in EC_POINT_is_on_curve - but it's not the only check, there's also group->meth->is_on_curve (which is not in EC_POINT_mul).

That implies to me that it is still necessary to check EC_POINT_is_on_curve. However, from tons of random GitHub results I don't see anyone actually doing that check. I've got to assume that while some of these projects might be unaffected (no attacker-controlled point) or vulnerable (random GitHub project, after all), some of them are both attacker-accessible and valuable/notable enough (e.g. cryptocurrency) to do things the right way. But I can't find any real examples of people using EC_POINT_is_on_curve.

John

1 Answer

1

In general, especially if an Elliptic Curve public key comes from a remote side (e.g. in an EC Diffie Hellman scenario), you always have to check this public key for two conditions:

  1. Is the public key, the point ($X$,$Y$), on the curve? If no, then discard it.
  2. Is the public key, the point ($X$,$Y$), at 'infinity'? If yes, then discard it.
  3. ELSE: Use or process it, respectively.

For a deep 'point at infinity discussion', see here: crypto.stackexchange

Devvy
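The two checks in the answer above, written out by hand for NIST P-256 over a SEC1-encoded point received from a peer. This is an added example, not code from the question or answer and not OpenSSL's own code; in OpenSSL the same two conditions are what EC_POINT_is_on_curve and EC_POINT_is_at_infinity test (and EC_KEY_check_key bundles them for an EC_KEY). The curve constants are the standard P-256 domain parameters; the sample points are constructed for this example.

```python
from typing import Tuple

# Standard NIST P-256 domain parameters (the curve is y^2 = x^3 + a*x + b mod p).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_on_curve(x: int, y: int) -> bool:
    """Condition 1: y^2 == x^3 + a*x + b (mod p), with both coordinates reduced."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def validate_peer_point(encoded: bytes) -> Tuple[int, int]:
    """Decode an uncompressed SEC1 point (0x04 || X || Y) and apply both checks.

    Raises ValueError for anything that must be discarded: the point at infinity
    (SEC1 encodes it as a single 0x00 byte), malformed input, and off-curve points
    (the invalid curve attack case). P-256 has cofactor 1, so a point that is on
    the curve and not at infinity is automatically in the prime-order subgroup;
    curves with cofactor > 1 additionally need the check n*P == infinity.
    """
    if encoded == b"\x00":
        raise ValueError("point at infinity: discard")          # condition 2
    if len(encoded) != 65 or encoded[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point")
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:65], "big")
    if not is_on_curve(x, y):
        raise ValueError("point is not on P-256: discard")      # condition 1
    return x, y


def encode_point(x: int, y: int) -> bytes:
    """SEC1 uncompressed encoding, used here to build the sample inputs."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


if __name__ == "__main__":
    good = encode_point(P256_GX, P256_GY)       # the P-256 generator: valid
    bad = encode_point(P256_GX, P256_GY + 1)    # constructed: not on the curve
    print(validate_peer_point(good) == (P256_GX, P256_GY))
    for sample in (bad, b"\x00"):
        try:
            validate_peer_point(sample)
        except ValueError as exc:
            print("rejected:", exc)
```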