7 comments

[ 4.1 ms ] story [ 29.6 ms ] thread
FYI: two vulnerabilities in elliptic, a widely used JavaScript library for elliptic curve cryptography
> One vulnerability is still not fixed after a 90-day disclosure window that ended in October 2024. It remains unaddressed as of this publication.

curious why now. should they public it last year after 90-day disclosure window ended?

The 90-day disclosure window is an arbitrary courtesy, not a binding contract about the behavior of either party. They probably had other things to do.
It's very hard to get stuff right with the secp curves. That's one of the reasons for the move to curve25519 and similar. The book "Guide to Elliptic Curve Cryptography" by Hankerson, Menezes, and Vanstone is mostly very careful step by step instruction of how to do secp* arithmetic properly. It would still be useful to have some formal verification to help the assurance of of any particular implementation.
There are complete formulae for all prime-order Weierstrass curves. The work for secure implementation of prime-order curves is now simpler than for Edwards elliptic curves.