Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implementation of verify_strict seemingly inconsistent with documentation #318

Closed
fspreiss opened this issue Jun 25, 2024 · 1 comment
Closed

Implementation of verify_strict seemingly inconsistent with documentation #318

fspreiss opened this issue Jun 25, 2024 · 1 comment

Comments

@fspreiss
Copy link

There is a seeming discrepancy between the documentation of verify_strict and its implementation.

The documentation of verify_strict suggests that verify_strict uses the verification equation with the cofactors (i.e., [8][S]B = [8]R + [8][k]A'), while the implementation uses the verification equation without the cofactors (i.e., [S]B = R + [k]A'). This is because the documentation says: "This method performs both of the above signature malleability checks", where "both" refers to a "Scalar Malleability" check and a "Point malleability" check, where the documentation of the latter suggests that the actual check is done through the use of the equation with the cofactors.

While one could argue there is some ambiguity in the documentation on "Point malleability" as to whether the equation with or without the cofactors is used, the belief that the one with the cofactors is used is further strengthened by @isislovecruft (one of the original library authors) stating the following in #115 (comment):

Note that we currently multiply by the cofactor in verify_strict()

Possibly the latter was true at some point, but it doesn't seem to be the case any more.

That all verification functions (e.g., verify and verify_strict) use the equation without the cofactors was also pointed out earlier in #20 (comment) and #115 (comment).

Note that verify_strict does fail verification if signature_R.is_small_order() || self.point.is_small_order(). However, as pointed out in #20 (comment), this is not equivalent to using the verification equation with the cofactors.

Do you see it as option to adapt verify_strict so that it actually uses the verification equation with the cofactors as (somewhat) suggested by the documentation and as stated by one of the original library authors?

In any case, it would make sense to remove the ambiguity from the documentation of verify_strict's "Point malleablity" section by making clear which of the two mentioned equations is used in the implementation.
@fspreiss
Copy link
Author

Re-filed as dalek-cryptography/curve25519-dalek#663, as the repo has moved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fspreiss