It's very hard to get stuff right with the secp curves. That's one of the reasons for the move to curve25519 and similar. The book "Guide to Elliptic Curve Cryptography" by Hankerson, Menezes, and Vanstone is mostly very careful step-by-step instruction of how to do secp* arithmetic properly. It would still be useful to have some formal verification to help the assurance of any particular implementation.
FYI: two vulnerabilities in elliptic, a widely used JavaScript library for elliptic curve cryptography
> One vulnerability is still not fixed after a 90-day disclosure window that ended in October 2024. It remains unaddressed as of this publication.
Curious why now. Should they have published it last year after the 90-day disclosure window ended?
(2024).
There are other vulnerabilities in that library too. I reported some (with some PRs) https://github.com/indutny/elliptic/pull/338, https://github.com/indutny/elliptic/pull/337, https://github.com/indutny/elliptic/issues/339 but I assume they'll never get fixed.
The library is dead and should be marked as vulnerable on npmjs tbh.