[PATCH 3/6] dpp_pkex: EC point mul w/ value < prime

Glenn Strauss gstrauss at gluelogic.com
Sun Nov 20 08:15:29 PST 2022

On Sun, Nov 20, 2022 at 05:53:20PM +0200, Jouni Malinen wrote:
> On Tue, Nov 08, 2022 at 12:05:51AM -0500, Glenn Strauss wrote:
> > crypto_ec_point_mul() with mbedtls requires point
> > be multiplied by a multiplicand with value < prime
> crypto_ec_point_mul() could be implemented to handle this internally for
> crypto libraries that have such constraints on their input values.

It might be costly for SAE and DPP to have crypto_ec_point_mul()
check range for every single SAE and DPP call to crypto_ec_point_mul().

> I'm
> not confident that this specific crypto_ec_point_mul() would be the only
> one that could reach this type of a case. For example, what about the
> similar construction in dpp_pkex_derive_Qi()?

I am not sure either.

I did not run into it in the hwsim test suite.

> Is that mbedtls constraint documented somewhere? A quick look at the
> mbedtls_ecp_mul() documentation did not seem to say anything about the
> allowed range for the integer (m).

mbedtls_ecp_mul() calls mbedtls_ecp_check_privkey() and
mbedtls_ecp_check_pubkey() on its input to validate the arguments.

mbedtls_ecp_mul() and other parts of mbedtls ecp operate on valid data
which is on the elliptic curve, and do not make guarantees about
operations on invalid data.

Cheers, Glenn
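
Added example (not part of the original message, and not hostap or mbedtls code): a self-contained C model of the two options discussed in this thread, a backend that rejects an out-of-range multiplicand and a wrapper that reduces the multiplicand on every call before passing it on. Assumptions: the curve is a constructed toy curve, the names `strict_mul` and `wrapped_mul` are hypothetical, and the bound is modelled as the order N of the base point.

```c
#include <stdio.h>
/* Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 (not a real DPP group).
 * G = (5,1) generates a group of prime order N = 19. */
enum { P = 17, A = 2, N = 19 };
typedef struct { int x, y, inf; } pt;
static const pt G = { 5, 1, 0 };

static int mod(int v, int m) { v %= m; return v < 0 ? v + m : v; }
static int inv(int v) {                 /* v^(P-2) mod P (Fermat) */
    int r = 1, e = P - 2;
    for (v = mod(v, P); e; e >>= 1, v = v * v % P)
        if (e & 1) r = r * v % P;
    return r;
}

static pt add(pt a, pt b) {
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x && mod(a.y + b.y, P) == 0) return (pt){ 0, 0, 1 };
    int l = (a.x == b.x) ? mod((3 * a.x * a.x + A) * inv(2 * a.y), P)
                         : mod((b.y - a.y) * inv(b.x - a.x), P);
    pt r = { mod(l * l - a.x - b.x, P), 0, 0 };
    r.y = mod(l * (a.x - r.x) - a.y, P);
    return r;
}

/* Hypothetical strict backend: refuses scalars outside [1, N-1]. */
static int strict_mul(pt g, unsigned k, pt *out) {
    pt r = { 0, 0, 1 };
    if (k < 1 || k >= N) return -1;
    for (; k; k >>= 1, g = add(g, g))
        if (k & 1) r = add(r, g);
    *out = r;
    return 0;
}

/* Hypothetical wrapper: one reduction per call, then the strict path. */
static int wrapped_mul(pt g, unsigned k, pt *out) {
    k %= N;                             /* valid when N*g = infinity */
    if (k == 0) { *out = (pt){ 0, 0, 1 }; return 0; }
    return strict_mul(g, k, out);
}

int main(void) {
    pt q = { 0, 0, 1 };
    int strict = strict_mul(G, 21, &q), rc = wrapped_mul(G, 21, &q);
    printf("strict=%d wrapped=%d -> (%d,%d)\n", strict, rc, q.x, q.y);
    return 0;
}
```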
