crypto/elliptic: reduce subtraction term to prevent long busy loop

If beta8 is unusually large, the addition loop might take a very long
time to bring x3-beta8 back positive.

This would lead to a DoS vulnerability in the implementation of the
P-521 and P-384 elliptic curves that may let an attacker craft inputs
to ScalarMult that consume excessive amounts of CPU.

This fixes CVE-2019-6486.

Fixes #29903

Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a
Reviewed-by: Adam Langley <>
Reviewed-by: Julie Qiu <>
Reviewed-by: Julie Qiu <>
1 file changed
tree: 3a37276359c683e8270394e562b281f894c9c3cf
  1. .gitattributes
  2. .github/
  3. .gitignore
  10. api/
  11. doc/
  12. favicon.ico
  13. lib/
  14. misc/
  15. robots.txt
  16. src/
  17. test/

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image Gopher image by Renee French, licensed under Creative Commons 3.0 Attributions license.

Our canonical Git repository is located at There is a mirror of the repository at

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Download and Install

Binary Distributions

Official binary distributions are available at

After downloading a binary release, visit or load doc/install.html in your web browser for installation instructions.

Install From Source

If a binary distribution is not available for your combination of operating system and architecture, visit or load doc/install-source.html in your web browser for source installation instructions.


Go is the work of thousands of contributors. We appreciate your help!

To contribute, please read the contribution guidelines:

Note that the Go project uses the issue tracker for bug reports and proposals only. See for a list of places to ask questions about the Go language.