Should ECDH re-check pubkey is a curve point to avoid leaking private key? #555

Issue opened by markblundeberg on September 15, 2018
  1. markblundeberg commented at 4:54 AM on September 15, 2018: none

    I am thinking of the 'invalid curve' attack mentioned here: https://safecurves.cr.yp.to/twist.html

    It looks like secp256k1_ecdh is supposed to be fool-proof so it may be good if it checks that the provided pubkey is actually a curve point. I know that secp256k1_pubkey is supposed to be opaque and thus already checked, but I suspect some people may try to shove in the key data directly.

  2. sipa commented at 1:33 AM on September 16, 2018: contributor

    The internal structure in secp256k1_pubkey is platform dependent, and doesn't usually match the common EC serialization, so if someone is pushing raw pubkeys directly into secp256k1_pubkey, it's already very unlikely that anything works at all.

  3. markblundeberg commented at 9:54 PM on September 18, 2018: none

    Sounds good. :+1:

  4. markblundeberg closed this on Sep 18, 2018
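The attack the opener points at, and the on-curve check the thread concludes is already done while building an opaque secp256k1_pubkey, as an added example. This is not code from libsecp256k1; it is pure-Python affine arithmetic with the real secp256k1 parameters, chosen over C so that 256-bit field elements need no bignum library. The function names (ecdh_unchecked, ecdh, recover_priv_mod_6, implied_b), the off-curve points (5, 0) and (0, 11), and the private keys in the usage comments are constructed for this example. The point it makes: the group law on an a = 0 curve y^2 = x^3 + b never reads b, so an ECDH routine that skips the check silently computes on whatever curve y^2 = x^3 + b' the attacker's point lies on, and small-order points on such curves leak residues of the private key.

```python
# Added example, not libsecp256k1 code: why ECDH must refuse an off-curve
# public key.  Affine arithmetic on y^2 = x^3 + b over F_p with the real
# secp256k1 parameters; the a = 0 group law never touches b, so the same code
# runs unchanged on any curve y^2 = x^3 + b'.

# secp256k1 domain parameters (SEC 2).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
B = 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (GX, GY)
INF = None  # point at infinity


def is_on_curve(pt, b=B, p=P):
    """True iff pt is a finite point on y^2 = x^3 + b over F_p."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < p and 0 <= y < p and (y * y - x * x * x - b) % p == 0


def add(p1, p2, p=P):
    """Affine group law for a = 0 curves.  b does not appear anywhere, so the
    formulas are equally correct on every curve y^2 = x^3 + b'; that is what
    an invalid-curve attack exploits."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p       # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p        # chord
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, pt, p=P):
    """Double-and-add scalar multiplication with no on-curve check, like the
    bare arithmetic inside any EC library (not constant time; illustration)."""
    r = INF
    while k:
        if k & 1:
            r = add(r, pt, p)
        pt = add(pt, pt, p)
        k >>= 1
    return r


def ecdh_unchecked(priv, pub):
    """ECDH that trusts its input: the situation the issue worries about."""
    return mul(priv, pub)


def ecdh(priv, pub):
    """ECDH that validates pub first; rejecting off-curve input is exactly
    what parsing into an opaque secp256k1_pubkey already guarantees."""
    if not is_on_curve(pub):
        raise ValueError("public key is not a point on secp256k1")
    return mul(priv, pub)


def implied_b(pt, p=P):
    """The b' for which pt lies on y^2 = x^3 + b'.  ecdh_unchecked(priv, pt)
    is a correct scalar multiplication on that curve, not on secp256k1."""
    x, y = pt
    return (y * y - x * x * x) % p


def recover_priv_mod_6(oracle):
    """Smallest invalid-curve attack.  oracle(pub) returns the victim's
    unchecked priv*pub.  Two constructed off-curve points of order 2 and 3
    (secp256k1 has prime order, so it contains no such points) leak priv mod 6."""
    # (5, 0): y = 0, so 2*Q = INF.  Order 2 on y^2 = x^3 - 125.
    q2 = (5, 0)
    r2 = 0 if oracle(q2) is INF else 1
    # (0, 11): x = 0, so 2*Q = -Q and 3*Q = INF.  Order 3 on y^2 = x^3 + 121.
    q3 = (0, 11)
    s3 = oracle(q3)
    r3 = 0 if s3 is INF else (1 if s3 == q3 else 2)
    # Chinese remainder theorem for moduli 2 and 3.
    return next(r for r in range(6) if r % 2 == r2 and r % 3 == r3)
```

With more small-order points on other b' curves the same oracle yields more residues, and CRT combines them into the whole key; that is the full attack from the linked SafeCurves page. The check in ecdh closes it, and because secp256k1 has prime order (cofactor 1) a point that passes the check has no small-order component to leak. In libsecp256k1 that validation happens in secp256k1_ec_pubkey_parse, which is why the thread settles on "the opaque secp256k1_pubkey is already checked" rather than re-checking inside secp256k1_ecdh.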

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-05 04:15 UTC
