Conceptual feedback on new ECC JEP

Adam Petcher adam.petcher at oracle.com
Tue Sep 4 12:57:59 UTC 2018


On 9/1/2018 2:03 PM, Michael StJohns wrote:

> On 8/23/2018 1:50 PM, Adam Petcher wrote:
>> It will only support a subset of the API that is supported by the 
>> implementation in SunEC. In particular, it will reject any private 
>> keys with scalar values specified using BigInteger (as in 
>> ECPrivateKeySpec), and its private keys will not return scalar values 
>> as BigInteger (as in ECPrivateKey.getS()). 
>
> Um... why?   EC Private keys are integers.... I've said this multiple 
> times and - with the single exception of EDDSA keys because of a very 
> idiosyncratic (and IMHO short-sighted) RFC specification - all of the 
> EC private keys of whatever curve can be expressed as integers.
>

The explanation is in the JEP:

"The existing API for ECC private keys has some classes that specify 
private scalar values using BigInteger. There is no way to get a value 
out of a BigInteger (into, for example, a fixed-length array) without 
branching."

There is no problem with making private keys integers in the API. The 
problem is specifically with BigInteger and its implementation. 
BigInteger stores the value in the shortest int array possible. To 
access the value, you need to branch on the length of the array, which 
leaks whether the high-order bits of the private key are 0.
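
The length-dependent branch described above, as an added Java example that is not part of the original thread or of the JEP. It assumes a hypothetical 32-byte scalar size and uses constructed sample scalars; it shows that `BigInteger.toByteArray()` changes length with the value, so any conversion to a fixed-length buffer must take a value-dependent branch, whereas a key held as a fixed-length byte array from the start never needs one.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class ScalarEncodingDemo {
    // Hypothetical scalar size for a 256-bit curve order (assumption for this demo).
    static final int SCALAR_LEN = 32;

    // Conversion forced on you by a BigInteger-based key spec: toByteArray() is the
    // shortest two's-complement encoding, so which branch runs, the copy offset and
    // the number of bytes moved all depend on the secret's high-order bits.
    static byte[] toFixedLength(BigInteger s) {
        byte[] raw = s.toByteArray();
        byte[] out = new byte[SCALAR_LEN];
        if (raw.length > SCALAR_LEN) {
            // Top bit of the scalar is set: a 0x00 sign byte was prepended, strip it.
            System.arraycopy(raw, raw.length - SCALAR_LEN, out, 0, SCALAR_LEN);
        } else {
            // High-order bytes are zero: left-pad, copying fewer bytes.
            System.arraycopy(raw, 0, out, SCALAR_LEN - raw.length, raw.length);
        }
        return out;
    }

    // Key already held as a fixed-length array: the copy has the same shape for
    // every value, which is the representation the JEP's implementation keeps.
    static byte[] copyFixed(byte[] scalar) {
        return Arrays.copyOf(scalar, SCALAR_LEN);
    }

    public static void main(String[] args) {
        // Constructed scalar with its top bit set.
        byte[] a = new byte[SCALAR_LEN];
        Arrays.fill(a, (byte) 0x11);
        a[0] = (byte) 0xff;
        BigInteger full = new BigInteger(1, a);
        // Constructed scalar whose top 64 bits are zero.
        byte[] b = new byte[SCALAR_LEN];
        Arrays.fill(b, 8, SCALAR_LEN, (byte) 0x22);
        BigInteger leadingZeros = new BigInteger(1, b);

        System.out.println("toByteArray length, top bit set:   " + full.toByteArray().length);
        System.out.println("toByteArray length, top 64 bits 0: " + leadingZeros.toByteArray().length);
        System.out.println("fixed-length outputs match: "
                + Arrays.equals(toFixedLength(full), copyFixed(a)) + " / "
                + Arrays.equals(toFixedLength(leadingZeros), copyFixed(b)));
    }
}
```

The two BigInteger conversions produce the correct 32-byte buffers but through different branches and copy lengths (33 bytes in, 24 bytes in), while `copyFixed` does the same work for either value.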
