[ed25519/eddsa] Malleable signature #311
Comments
|
@Daeinar could you please comment on this? To me it seems like a nice-to-have, but not critical before v3 (because it is not a backwards incompatible change) |
This was referenced Jul 22, 2020
gnarula
added a commit
that referenced
this issue
Aug 6, 2020
Added `edda.VerifyWithChecks` which checks if the scalars and points are canonical and ensures the points do not have a small order. Refer: RFC8032§5.1.7 and https://eprint.iacr.org/2020/823.pdf Builds on top of #427 and closes #426 and #311. Co-authored-by: David Cerezo <david@calctopia.com> Co-authored-by: Linus Gasser <linus.gasser@epfl.ch>
janbormet
pushed a commit
to janbormet/kyber
that referenced
this issue
Aug 22, 2023
Added `edda.VerifyWithChecks` which checks if the scalars and points are canonical and ensures the points do not have a small order. Refer: RFC8032§5.1.7 and https://eprint.iacr.org/2020/823.pdf Builds on top of dedis#427 and closes dedis#426 and dedis#311. Co-authored-by: David Cerezo <david@calctopia.com> Co-authored-by: Linus Gasser <linus.gasser@epfl.ch>
K1li4nL
pushed a commit
that referenced
this issue
May 16, 2024
Added `edda.VerifyWithChecks` which checks if the scalars and points are canonical and ensures the points do not have a small order. Refer: RFC8032§5.1.7 and https://eprint.iacr.org/2020/823.pdf Builds on top of #427 and closes #426 and #311. Co-authored-by: David Cerezo <david@calctopia.com> Co-authored-by: Linus Gasser <linus.gasser@epfl.ch>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We should enforce that the ed25519 and eddsa packages enforce non-malleability of the signatures.
See agl's commit for example.
Unfortunately, it is not straightforward to do that at the current state of the code, because we currently don't have a way to get the field order (to check if the scalar is in the range
[0,order[).See #259 for a related issue.
The text was updated successfully, but these errors were encountered: