Here is an incomplete list of defects in cryptographic implementations. We should make sure our verification rules out the possibility of similar mistakes appearing in our code.
Reference | Specification | Implementation | Defect |
---|---|---|---|
openssl#3607 | P256 field element squaring | 64-bit Montgomery form, AMD64 | limb overflow |
go#13515 | Modular exponentiation | uintptr-sized Montgomery form, Go | carry handling |
NaCl ed25519 (p. 2) | F25519 mul, square | 64-bit pseudo-Mersenne, AMD64 | carry handling |
openssl#0c687d7e | Poly1305 | 32-bit pseudo-Mersenne, x86 and ARM | bad truncation |
openssl#ef5c9b11 | Modular exponentiation | 64-bit Montgomery form, AMD64 | carry handling |
nettle#09e3ce4d | secp-256r1 modular reduction | | carry handling |
socat#7 | DH in Z*p | irrelevant | non-prime p |
invalid-curve | NIST ECDH | irrelevant | not onCurve |
donna#8edc799f | F25519 internal to wire | 32-bit pseudo-Mersenne, C | non-canonical |
end-to-end#340 | Curve25519 library | twisted Edwards coordinates | (0, 1) = ∞ |
CVE-2006-4339 | RSA-PKCS-1 sig. verification | irrelevant | padding check |
CVE-2014-3570 | Bignum squaring | asm | limb overflow |
ic#237002094 | Barrett reduction for p256 | 1 conditional subtraction instead of 2 | unknown if ok |
openssl#1593 | P384 modular reduction | carry handling | exploitable |
go#fa09811d | poly1305 reduction | AMD64 asm, missing subtraction of 3 | found quickly |
jose-adobe | ECDH-ES | 5 libraries | not onCurve |
tweetnacl-m[15] | GF(2^255-19) freeze | bit-twiddly C | bounds? typo? |
tweetnacl-U32 | irrelevant | bit-twiddly C | sizeof(long)!=32 |
CVE-2017-3732 | x^2 mod m | Montgomery form, AMD64 assembly | carry, exploitable |
openssl#c2633b8f | a + b mod p256 | Montgomery form, AMD64 assembly | non-canonical |
openssl#59dfcabf | Weier. affine <-> Jacobian | Montgomery form, AMD64 and C | ∞ confusion |
openssl#a970db05 | Poly1305 | Lazy reduction in x86 asm | lost bit 59 |
openssl#6825d74b | Poly1305 | AVX2 addition and reduction | bounds? |
openssl#74acf42c | Poly1305 | multiple implementations | incorrect carrying |
ed25519.py | Ed25519 | accepts signatures other impls reject | missing h mod l |
CryptoNote | Anti-double-spending tag | additive curve25519 curve point | need order(P) = l |
bitcoin#eed71d85 | ECDSA-secp256k1 x*B | mixed addition Jacobian+Affine | missing case |
openjdk#01781d7e | EC scalarmult | mixed addition Jacobian+Affine | missing case |
openssl/openssl#6687 | Ed25519 | 64-bit pseudo-Mersenne, x86 | incorrect handling of partially reduced values |
go#43786 / CVE-2021-3114 | P224 | | confusion of > with >= ?; underflow |
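The two defect classes that recur most often above, "carry handling" and "non-canonical", can be caught by a test that compares a limb-based implementation against plain big-integer arithmetic on boundary inputs. The following is an added example, not code from any project in the table: a Python reference for radix-2^51 arithmetic in GF(2^255-19), with a correct canonicalisation (`freeze`) next to a deliberately incomplete one (`freeze_buggy`) that omits the final conditional subtraction, and a checker over constructed edge inputs. All function names and the edge-input list are constructed for illustration.

```python
P = 2**255 - 19            # field prime of Curve25519/Ed25519
MASK = (1 << 51) - 1       # 5 limbs in radix 2^51, as in 64-bit "donna"-style code
def to_limbs(x):
    # Top limb keeps excess bits, so unreduced values >= 2^255 stay representable.
    return [(x >> (51 * i)) & MASK for i in range(4)] + [x >> 204]
def from_limbs(h):
    return sum(l << (51 * i) for i, l in enumerate(h))

def carry(h):
    # Propagate until every limb fits 51 bits; the carry out of the top limb
    # passes 2^255 and is folded back as 19 * carry, since 2^255 = 19 (mod p).
    h = list(h)
    while any(l >> 51 for l in h):
        for i in range(5):
            c, h[i] = h[i] >> 51, h[i] & MASK
            h[(i + 1) % 5] += c if i < 4 else 19 * c
    return h

def mul(f, g):
    # Schoolbook product; cross terms of weight >= 2^255 are folded with 19.
    h = [0] * 5
    for i in range(5):
        for j in range(5):
            h[(i + j) % 5] += f[i] * g[j] * (1 if i + j < 5 else 19)
    return carry(h)

def freeze_buggy(h):
    # Missing the final conditional subtraction: inputs in [p, 2^255) are
    # emitted unchanged, a non-canonical encoding of a value that is also < p.
    return carry(h)

def freeze(h):
    # Canonicalise to [0, p): bit 255 of h + 19 is set exactly when h >= p,
    # and in that case the low 255 bits of the sum are h - p.
    h = carry(h)
    t = list(h)
    t[0] += 19
    for i in range(4):
        t[i + 1] += t[i] >> 51
        t[i] &= MASK
    ge_p = t[4] >> 51                 # 0 or 1
    t[4] &= MASK
    mask = -ge_p                      # all ones iff h >= p (constant-time style select)
    return [(t[i] & mask) | (h[i] & ~mask) for i in range(5)]
# Constructed boundary inputs where carry and canonicalisation bugs hide.
EDGE_INPUTS = [0, 1, 19, P - 1, P, P + 1, 2**255 - 1, 2 * P - 1, 2 * P]
def find_noncanonical(freeze_fn):
    # Edge inputs whose frozen encoding differs from the big-integer x mod p.
    return [x for x in EDGE_INPUTS if from_limbs(freeze_fn(to_limbs(x))) != x % P]
```

`find_noncanonical(freeze_buggy)` reports exactly the inputs whose internal value is in [p, 2^255) after carrying, which is the shape of the donna and openssl#c2633b8f entries above; the same harness applied to `mul` checks the carry chain against `(x * y) % P`.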
Not a bug, but still relevant:
Reference | Specification | Implementation | Defect |
---|---|---|---|
ref/sc25519.c:84 | x mod (order of Curve25519) | Barrett reduction (code is likely correct) | "XXX" comment |
Not covered in the above list: memory mismanagement (buffer overrun, use-after-free, uninitialized read, null dereference), timing attacks (branch, cache, instruction). While these issues are very important, there are good programming disciplines for avoiding them without verifying intricate details of the computation.