1. 28
  1. 9

    Most of group theory gets really boring if you multiply everything by zero.

    1. 2

      You may be wondering why this is just coming to light now, when Java has had ECDSA support for a long time. Has it always been vulnerable?

      No. This is a relatively recent bug introduced by a rewrite of the EC code from native C++ code to Java, which happened in the Java 15 release. Although I’m sure that this rewrite has benefits in terms of memory safety and maintainability, it appears that experienced cryptographic engineers have not been involved in the implementation.

      Couldn’t an end-to-end fuzz test on the original and new code catch this? Not sure.

      I think it’s clear that security-sensitive code should be evaluated by experts. But the recent trend to rewrite other core infrastructure in Java / Go / Rust gives me pause.

      Fuzz both sides, get an expert, or just let the original code be?

      1. 3

        This is a very easy bug to find - just trying all-zeroes will work, and most testing strategies should test all-zeroes.

        In general, though, crypto code can break only on very particular inputs (e.g. carry-chain bugs). You want expert review, and/or a careful code comparison against the original code (which would have worked!), and probably something like Project Wycheproof, which collects a number of test vectors (etc.) for specific algorithms.