P-256 failing cases about micro-ecc HOT 5 OPEN

I see the same problem...
I can't verify the signature below using uECC_secp256r1
With these input rx also becomes = 0 during the uECC_verify process.
apply_z(tx, ty, z, curve); // Here tx becomes same value as rx so on the next line Z becomes 0 because rx and tx are equal
uECC_vli_modSub(tz, rx, tx, curve->p, num_words); /* Z = x2 - x1 */

I can verify the signature below with python using https://pypi.org/project/ecdsa/

HASH (SHA256): 797601B76D29603D167FA1062CC27B00BB0E39493BF3B7BBAFA610C2B24F4A20

Public Key:
7CF27B188D034F7E8A52380304B51AC3C08969E277F21B35A60B48FC4766997807775510DB8ED040293D9AC69F7430DBBA7DADE63CE982299E04B79D227873D1

Signature:
56CD9CF152BCCC3A64E41E2B2BF91ED0661E0821B14B50ABE93C05EA889AFED3F93452957106BAB410617E306D876BB58FA7D7B5A515AC6B6181D8D638651FC7

from micro-ecc.

@jojotds
I think the root cause is this line: uECC_vli_modMult_fast(z, z, tz, curve);
As soon as tz gets 0 once, it stays at 0 forever.

On a higher level, the issue is that this implementation is handling the identity element incorrectly. Let O be the identity element and P a point on curve. Usually O + P = P, but in this implementation O + P = O, which leads to the rejection of the signature.

In line 1579 to 1585, the point t is added to the point r. This point addition shows the above described behavior.
Probably this point addition algorithm has to be substituted with another algorithm, e.g. https://en.wikibooks.org/wiki/Cryptography/Prime_Curve/Jacobian_Coordinates

Please note this issue does not only exist for the inputs described above, but also for other inputs from test libraries (e.g. Wycheproof).

from micro-ecc.

There seem to be an issue with the optimized uECC_vli_modMult_fast function. If you replace it with "slow" version then everything works fine.

from micro-ecc.

OMG, thanks for figuring this out. The slow version should be definitely the standard in the mainline and we should warn the user about this when using the faster version.

from micro-ecc.

OMG, thanks for figuring this out. The slow version should be definitely the standard in the mainline and we should warn the user about this when using the faster version.

It wouldn't do any good since the generic version of MMod function is impractically slow to use. Like ten times slower or so. Anyway, this glitch is only relevant if you need to verify the signatures that have been made by different implementations. If you have a closed ecosystem then you can just ignore it. Because there is no problem with signatures made by uECC and the other implementations can verify the signatures generated by the uECC.

from micro-ecc.