
Implementation of ed25519-dalek::VerifyingKey::verify_strict seemingly inconsistent with documentation #663

Open
fspreiss opened this issue Jun 25, 2024 · 0 comments


There is a seeming discrepancy between the documentation of `ed25519-dalek::VerifyingKey::verify_strict` and its implementation.

The documentation of `verify_strict` suggests that `verify_strict` uses the verification equation with the cofactors (i.e., `[8][S]B = [8]R + [8][k]A'`), while the implementation uses the verification equation without the cofactors (i.e., `[S]B = R + [k]A'`). This is because the documentation says: "This method performs both of the above signature malleability checks", where "both" refers to a "Scalar Malleability" check and a "Point malleability" check, where the documentation of the latter suggests that the actual check is done through the use of the equation with the cofactors.

While one could argue there is some ambiguity in the documentation on "Point malleability" as to whether the equation with or without the cofactors is used, the belief that the one with the cofactors is used is further strengthened by @isislovecruft (one of the original library authors) stating the following in dalek-cryptography/ed25519-dalek#115 (comment):

> Note that we currently multiply by the cofactor in `verify_strict()`

Possibly the latter was true at some point, but it doesn't seem to be the case any more.

That all verification functions (e.g., `verify` and `verify_strict`) use the equation without the cofactors was also pointed out earlier in dalek-cryptography/ed25519-dalek#20 (comment) and dalek-cryptography/ed25519-dalek#115 (comment).

Note that `verify_strict` does fail verification if `signature_R.is_small_order() || self.point.is_small_order()`. However, as pointed out in dalek-cryptography/ed25519-dalek#20 (comment), this is not equivalent to using the verification equation with the cofactors.

Do you see it as an option to adapt `verify_strict` so that it actually uses the verification equation with the cofactors, as (somewhat) suggested by the documentation and as stated by one of the original library authors?

In any case, it would make sense to remove the ambiguity from the documentation of `verify_strict`'s "Point malleability" section by making clear which of the two mentioned equations is used in the implementation.

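The following is an added example, not code from ed25519-dalek or from the issue author. It is a small pure-Python model of Ed25519 (point arithmetic and signing as in RFC 8032) that makes the issue's point concrete: a signature whose `R` is offset by a point of order 8 satisfies the cofactored equation `[8][S]B = [8]R + [8][k]A'`, fails the cofactorless equation `[S]B = R + [k]A'`, and is not rejected by a small-order check on `R` and `A`, because `R = rB + T` has order `8L`, not a small order. The function names (`sign`, `verify`, `order8_point`, `run_demo`), the `reject_small_order` flag modelling the `is_small_order()` check, the seed and the message are all constructed for this illustration and do not reflect the library's code.

```python
# Added example, not ed25519-dalek code: a minimal pure-Python Ed25519 model
# (arithmetic after RFC 8032) comparing the cofactorless equation, the
# cofactored equation, and a small-order check on R and A.
import hashlib

p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, p - 2, p)) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)
IDENTITY = (0, 1, 1, 0)  # extended coordinates (X, Y, Z, T), T = X*Y/Z

def point_add(P, Q):  # complete addition law, so small-order inputs are fine
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A, B = (Y1 - X1) * (Y2 - X2) % p, (Y1 + X1) * (Y2 + X2) % p
    C, D = 2 * T1 * T2 * d % p, 2 * Z1 * Z2 % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def point_mul(s, P):
    Q = IDENTITY
    while s:
        if s & 1:
            Q = point_add(Q, P)
        P, s = point_add(P, P), s >> 1
    return Q

def point_equal(P, Q):
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0

def compress(P):
    zinv = pow(P[2], p - 2, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decompress(s):  # None for a non-canonical y or an x that is not on the curve
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= p:
        return None
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * SQRT_M1 % p
    if (x * x - x2) % p or (x == 0 and sign):
        return None
    if (x & 1) != sign:
        x = p - x
    return (x, y, 1, x * y % p)

B = decompress((4 * pow(5, p - 2, p) % p).to_bytes(32, "little"))  # base point

def sha512(*parts):
    return hashlib.sha512(b"".join(parts)).digest()

def expand(seed):  # clamped scalar a and the nonce prefix, as in RFC 8032
    h = sha512(seed)
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]

def sign(seed, msg, torsion=IDENTITY):
    # RFC 8032 signing, except R may be offset by a torsion point: R' = rB + T.
    # k is derived from R', so S = r + k*a gives [8][S]B = [8]R' + [8][k]A,
    # but [S]B = R' + [k]A only holds when T is the identity.
    a, prefix = expand(seed)
    A = compress(point_mul(a, B))
    r = int.from_bytes(sha512(prefix, msg), "little") % L
    R = compress(point_add(point_mul(r, B), torsion))
    k = int.from_bytes(sha512(R, A, msg), "little") % L
    return R + ((r + k * a) % L).to_bytes(32, "little")

def is_small_order(P):
    return point_equal(point_mul(8, P), IDENTITY)

def verify(pk, msg, sig, cofactored, reject_small_order=False):
    A, R, S = decompress(pk), decompress(sig[:32]), int.from_bytes(sig[32:], "little")
    if A is None or R is None or S >= L:  # encoding and scalar-malleability checks
        return False
    if reject_small_order and (is_small_order(R) or is_small_order(A)):
        return False
    k = int.from_bytes(sha512(sig[:32], pk, msg), "little") % L
    lhs, rhs = point_mul(S, B), point_add(R, point_mul(k, A))
    if cofactored:  # [8][S]B == [8]R + [8][k]A instead of [S]B == R + [k]A
        lhs, rhs = point_mul(8, lhs), point_mul(8, rhs)
    return point_equal(lhs, rhs)

def order8_point():
    # [L]P strips the prime-order part of any curve point; keep the first torsion
    # point of exact order 8, i.e. one whose [4]T is not the identity.
    y = 2
    while True:
        P = decompress(y.to_bytes(32, "little"))
        if P is not None and not point_equal(point_mul(4, point_mul(L, P)), IDENTITY):
            return point_mul(L, P)
        y += 1

def run_demo():
    seed, msg = bytes(range(32)), b"issue 663"  # constructed seed, not a real key
    pk = compress(point_mul(expand(seed)[0], B))
    honest, torsioned = sign(seed, msg), sign(seed, msg, torsion=order8_point())
    checks = lambda sig: (verify(pk, msg, sig, False), verify(pk, msg, sig, True),
                          verify(pk, msg, sig, False, reject_small_order=True))
    return {"honest": checks(honest), "torsioned": checks(torsioned),
            "torsioned_R_small_order": is_small_order(decompress(torsioned[:32]))}
```

`run_demo()` returns, for each signature, the tuple (cofactorless, cofactored, cofactorless with the small-order rejection). The honest signature passes all three; the torsioned one fails the cofactorless equation, passes the cofactored one, and is not caught by the small-order check because its `R` has order `8L`. So adding the small-order rejection on top of the cofactorless equation does not yield the same acceptance set as the cofactored equation, which is the non-equivalence the issue refers to.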