tink: [android] [throwable] arithmetic error in scalar multiplication

we use Tink-Android to generate keyPair and sign our information. it work well in common case. but there is a crash in Android device M1 E when we use

Ed25519Sign(private_key)

and we find the throwable is

   // This check is to protect against flaws, i.e. if there is a computation error through a
    // faulty CPU or if the implementation contains a bug.
    XYZ result = new XYZ(ret);
    if (!result.isOnCurve()) {
      throw new IllegalStateException("arithmetic error in scalar multiplication");
    }

https://github.com/google/tink/blob/09fc71c45dc7c4ecc7fb0df3414b0fb3a9ca52c3/java/src/main/java/com/google/crypto/tink/subtle/Ed25519.java#L626

Android version: 7.0 cpu: Helio P10 gpu: ARM Mali-T860 Tink-Android Version: 1.2.2

Is there anyone can help me ? thanks !

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 24 (13 by maintainers)

Commits related to this issue

Fixing issue https://github.com/google/tink/issues/224. Problem was: isOnCurve did not reduce the limbs before checking for equality. PiperOrigin-RevId: 272245293 — committed to google/tink by sophieschmieg 5 years ago
Fixing issue https://github.com/google/tink/issues/224. Problem was: isOnCurve did not reduce the limbs before checking for equality. PiperOrigin-RevId: 272245293 — committed to tholenst/tink by sophieschmieg 5 years ago
Fixing issue https://github.com/google/tink/issues/224. (#268) Problem was: isOnCurve did not reduce the limbs before checking for equality. PiperOrigin-RevId: 272245293 — committed to google/tink by tholenst 5 years ago
Adding a new test vector. https://github.com/google/tink/issues/224 So far I haven't been able to reproduce the bug. However, a lot of tests just check the signature verification. NOKEYCHECK=True Pip... — committed to google/wycheproof by bleichen 5 years ago
Adding tests for EDDSA to Wycheproof. jdk11 did add ED25519 and ED448. BC supports ED25519, but is slightly malleable. Conscrypt supports none (rsp. uses different algorithm names). This is related ... — committed to google/wycheproof by bleichen 5 years ago

Most upvoted comments

We spend the afternoon debugging, and found the issue: the isOnCurve check did not reduce the coefficients before comparing.

The good news is that this isn’t a vulnerability, it merely means our test to check that our math was correct was a bit overeager. Fix will be out soon.

sophieschmieg on Sep 28, 2019

Although we have a mitigation in place in our own code for this, we’d really like to upgrade to a release that includes this fix. Can I help with getting a 1.2.3 or 1.3.0 release out?

dhpiggott on Nov 25, 2019

This should be fixed at HEAD and will be included in 1.3.0 release. We may also backport it to 1.2.3.

thaidn on Oct 1, 2019

1.3.0-RC3 is out. It should work as well as 1.3.0-RC2.

thaidn on Dec 20, 2019

Thanks @chuckx. We updated to 1.3.0-rc2 and have been using it in production for five days now - and we’ve not seen any recurrences of this issue. We’ll update to newer release candidates/releases as they become ready too.

dhpiggott on Dec 9, 2019