ECDSA signature verification fails when the y coordinate contains too many trailing 1s

Question

ECDSA signature verification fails when the y coordinate contains too many trailing 1s

adelapie opened this issue 5 years ago · 1 comments

coincurve 13.0.0 fails when the y coordinate contain too many trailing 0s. You can check this
with the following teste vectors from Google Wycheproof:

{
  "algorithm" : "ECDSA",
  "generatorVersion" : "0.8r12",
  "numberOfTests" : 380,
  "header" : [
    "Test vectors of type EcdsaVerify are meant for the verification",
    "of ASN encoded ECDSA signatures."
  ],
  "notes" : {
    "BER" : "This is a signature with correct values for (r, s) but using some alternative BER encoding instead of DER encoding. Implementations should not accept such signatures to limit signature malleability.",
    "EdgeCase" : "Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA implementation does not check boundaries and computes s^(-1)==0.",
    "MissingZero" : "Some implementations of ECDSA and DSA incorrectly encode r and s by not including leading zeros in the ASN encoding of integers when necessary. Hence, some implementations (e.g. jdk) allow signatures with incorrect ASN encodings assuming that the signature is otherwise valid.",
    "PointDuplication" : "Some implementations of ECDSA do not handle duplication and points at infinity correctly. This is a test vector that has been specially crafted to check for such an omission."
  },
  "schema" : "ecdsa_verify_schema.json",
  "testGroups" : [
    {
      "key" : {
        "curve" : "secp256k1",
        "keySize" : 256,
        "type" : "EcPublicKey",
        "uncompressed" : "04d12e6c66b67734c3c84d2601cf5d35dc097e27637f0aca4a4fdb74b6aadd3bb93f5bdff88bd5736df898e699006ed750f11cf07c5866cd7ad70c7121ffffffff",
        "wx" : "00d12e6c66b67734c3c84d2601cf5d35dc097e27637f0aca4a4fdb74b6aadd3bb9",
        "wy" : "3f5bdff88bd5736df898e699006ed750f11cf07c5866cd7ad70c7121ffffffff"
      },
      "keyDer" : "3056301006072a8648ce3d020106052b8104000a03420004d12e6c66b67734c3c84d2601cf5d35dc097e27637f0aca4a4fdb74b6aadd3bb93f5bdff88bd5736df898e699006ed750f11cf07c5866cd7ad70c7121ffffffff",
      "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAE0S5sZrZ3NMPITSYBz1013Al+J2N/CspK\nT9t0tqrdO7k/W9/4i9VzbfiY5pkAbtdQ8RzwfFhmzXrXDHEh/////w==\n-----END PUBLIC KEY-----",
      "sha" : "SHA-256",
      "type" : "EcdsaVerify",
      "tests" : [
        {
          "tcId" : 375,
          "comment" : "y-coordinate of the public key has many trailing 1's",
          "msg" : "4d657373616765",
          "sig" : "30450220592c41e16517f12fcabd98267674f974b588e9f35d35406c1a7bb2ed1d19b7b8022100c19a5f942607c3551484ff0dc97281f0cdc82bc48e2205a0645c0cf3d7f59da0",
          "result" : "valid",
          "flags" : []
        },
        {
          "tcId" : 376,
          "comment" : "y-coordinate of the public key has many trailing 1's",
          "msg" : "4d657373616765",
          "sig" : "3046022100be0d70887d5e40821a61b68047de4ea03debfdf51cdf4d4b195558b959a032b20221008266b4d270e24414ecacb14c091a233134b918d37320c6557d60ad0a63544ac4",
          "result" : "valid",
          "flags" : []
        },
        {
          "tcId" : 377,
          "comment" : "y-coordinate of the public key has many trailing 1's",
          "msg" : "4d657373616765",
          "sig" : "3046022100fae92dfcb2ee392d270af3a5739faa26d4f97bfd39ed3cbee4d29e26af3b206a02210093645c80605595e02c09a0dc4b17ac2a51846a728b3e8d60442ed6449fd3342b",
          "result" : "valid",
          "flags" : []
        }
      ]
    }
  ]
}

and proof of concept:

from coincurve.keys import PrivateKey, PublicKey
from coincurve.utils import bytes_to_int, int_to_bytes_padded, verify_signature

from cryptography import exceptions
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric import utils

from hashlib import sha256


import json


def main():

    with open("ecdsa_secp256k1_sha256_test_y_coordinate_trail_1.json", "r") as read_file:
        secp256k1_sha256_test = json.load(read_file)

    for test_group in secp256k1_sha256_test["testGroups"]:
        comp_str = test_group["key"]["uncompressed"]
        co_x = test_group["key"]["wx"]
        co_y = test_group["key"]["wy"]

        public_key = PublicKey(bytes.fromhex(comp_str))

    
        for test in test_group["tests"]:
            print("Loading test", test["tcId"], "with result:", test["result"], "\n")

            ### using python coincurve

            signature = bytes.fromhex(test["sig"])
            message = bytes.fromhex(test["msg"])
            print("\tcoincurve: ", public_key.verify(signature, message))

            ### using python cryptography 

            curve = ec.SECP256K1()
            algo = ec.ECDSA(hashes.SHA256())

            pubnum = ec.EllipticCurvePublicNumbers(int(co_x, 16), int(co_y, 16), curve)
            
            data = bytes(bytearray.fromhex(test["msg"]))
            public_key_2 = pubnum.public_key(default_backend())
            signature = bytes(bytearray.fromhex(test["sig"]))
            
            try:
                public_key_2.verify(signature, data, ec.ECDSA(hashes.SHA256()))

            except exceptions.InvalidSignature:
                print("\tcryptography.io: False")
            else:
                print("\tcryptography.io: True")
  
if __name__ == "__main__":
    main()

where I compare the output of coincurve with the python cryptography
library.

Answer 1 · 2020-05-25T19:27:16.000Z

#68 (comment)