Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

k256: fix edge case in Scalar::is_high #385

Merged
merged 1 commit into from
Jul 19, 2021

Conversation

tarcieri
Copy link
Member

Per BIP62, the valid range for "low" scalars is:

https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki#Low_S_values_in_signatures

The value S in signatures must be between 0x1 and 0x7FFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF 5D576E73 57A4501D DFE92F46 681B20A0 (inclusive).

...where the large hex constant is the scalar modulus / 2.

However, the previous implementation was exclusive. There were tests for this particular case, but the tests confirmed it was exclusive instead of inclusive.

This commit fixes both the tests and the implementation to confirm that the scalar modulus / 2 is NOT considered high by Scalar::is_high, however scalar modulus / 2 + 1 is high.

@tarcieri tarcieri requested a review from fjarri July 19, 2021 19:00
@tarcieri
Copy link
Member Author

Note: I'm guessing this was an oversight in my original implementation of low-S normalization. Mea culpa.

@codecov-commenter
Copy link

Codecov Report

Merging #385 (5d4a802) into master (fdb4135) will increase coverage by 0.26%.
The diff coverage is 83.33%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #385      +/-   ##
==========================================
+ Coverage   58.18%   58.44%   +0.26%     
==========================================
  Files          29       29              
  Lines        4087     4096       +9     
==========================================
+ Hits         2378     2394      +16     
+ Misses       1709     1702       -7     
Impacted Files Coverage Δ
k256/src/arithmetic/scalar/scalar_4x64.rs 0.00% <0.00%> (ø)
k256/src/arithmetic/scalar/scalar_8x32.rs 91.48% <50.00%> (-0.20%) ⬇️
k256/src/arithmetic/scalar.rs 78.03% <100.00%> (+0.93%) ⬆️
k256/src/ecdsa/normalize.rs 100.00% <100.00%> (ø)
k256/src/ecdsa/verify.rs 60.00% <100.00%> (+16.60%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fdb4135...5d4a802. Read the comment docs.

Per BIP62, the valid range for "low" scalars is:

https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki#Low_S_values_in_signatures

> The value S in signatures must be between 0x1 and 0x7FFFFFFF FFFFFFFF
> FFFFFFFF FFFFFFFF 5D576E73 57A4501D DFE92F46 681B20A0 (inclusive).

...where the large hex constant is the scalar modulus / 2.

However, the previous implementation was exclusive. There were tests for
this particular case, but the tests confirmed it was exclusive instead
of inclusive.

This commit fixes both the tests and the implementation to confirm that
the scalar modulus / 2 is *NOT* considered high by `Scalar::is_high`,
however scalar modulus / 2 + 1 is high.
@tarcieri tarcieri force-pushed the k256/fix-edge-case-in-scalar-is-high branch from 5d4a802 to f5064b0 Compare July 19, 2021 19:06
@tarcieri tarcieri merged commit 3640681 into master Jul 19, 2021
@tarcieri tarcieri deleted the k256/fix-edge-case-in-scalar-is-high branch July 19, 2021 19:12
@tarcieri tarcieri mentioned this pull request Jul 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants