Consider signatures with invalid or small-order elements invalid #21

Merged 1 commit on Jun 21, 2023

twiss (Collaborator) commented Jun 20, 2023

When verifying an Ed25519 or Ed448 signature, if the public key or the first half of the signature (R) is an invalid or small-order element, return false.

Resolves #10; replaces #13 and #17.


panva (Contributor) commented Jun 21, 2023

I don't believe these are necessary as the boolean outcome would IIUC always be false for these elements.

This was originally proposed as a way to short circuit the operation but implementation shows us that it is anything but fast for implementations that don't have an identity check in their underlying crypto.

twiss (Collaborator, Author) commented Jun 21, 2023

> I don't believe these are necessary as the boolean outcome would IIUC always be false for these elements.

I don't think that's required by RFC8032. In fact, the main problem with small-order points is that more things might verify than you'd expect (e.g. a single signature might verify multiple messages - see https://eprint.iacr.org/2020/823.pdf).

But, it's true that if you have an implementation that does the check and then returns false (or the equivalent of a normal signature verification failure), it's a bit annoying to have to return an error instead. So, I'll change it to returning false.

When verifying an Ed25519 or Ed448 signature, if the public key or the
first half of the signature (`R`) is an invalid or small-order element,
return false.

twiss force-pushed the eddsa-reject-small-order-points branch from 83a62ca to d4c0252 on June 21, 2023 08:43

twiss changed the title from "Reject invalid and small-order elements on signature verification" to "Consider signatures with invalid or small-order elements invalid" on Jun 21, 2023

twiss merged commit 36c0f23 into main on Jun 21, 2023

twiss deleted the eddsa-reject-small-order-points branch on June 21, 2023 17:31

github-actions bot added a commit that referenced this pull request Jun 21, 2023
SHA: 36c0f23
Reason: push, by twiss

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Successfully merging this pull request may close these issues.

Small order elements in EdDSA