-
Notifications
You must be signed in to change notification settings - Fork 481
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EdwardsPoint::decompress accepts y higher than field modulo #380
Comments
RFC8032 is about EdDSA, while this repo is really "just" about Curve25519, so I'd argue that this is not an issue for curve25519, but rather for the ed25519 repo. That being said, it seems that currently https://github.com/dalek-cryptography/ed25519-dalek is directly using the
Also the struct curve25519-dalek/src/edwards.rs Lines 199 to 201 in 967d8b6
E.g. what if I consider the CompressedEdwardsY value
And both are equal once converted into affine coordinate, since (X/Z, Y/Z) is equal to (X'/Z', Y'/Z'). It's also worth noticing that the On my side I don't really see any issue with that as long as we are using valid points. It's just about its encoding in the end and whether we accept "non-canonical" encodings or not I guess. |
It's behavior that defies specification. If dalek wants to behave by its own, it's cool, but a note in documentation should be added. |
That's for ed25519-dalek, not for curve25519-dalek IMO. |
Right, I should have probably opened it in ed repository... |
Issues like this matter primarily for consensus protocols with implementations in other languages. There are other reasons the ed25519-dalek is not ideal for consensus, so the best place maybe https://github.com/ZcashFoundation/ed25519-zebra It does not adhere to the standard or have equivalent libs in other languages, but at least it makes implementing everything you'd want in consensus possible. |
There is also at least one implementation in Go that is compatible with the validation criteria implemented in |
I'd personally prefer dalek include a decompress_canonical function due to the application of this outside of just EdDSA, with the hopes it can be more performant than the current solution (reserializing entirely). Such a function would need to check for both lack of reduction and if the sign bit was set for 0. |
FWIW NIST defines public key validation criteria in SP 800-186 Appendix D.1.3: Twisted Edwards Curves:
Per that description, allowing y to be higher than the field modulus is not correctly implementing step 1 of partial validation |
Ugh yup I think this merits breaking change in ed- |
The ZIP-215 rules require the current behavior which allows an unreduced y-coordinate:
So unfortunately there is a conflict between the ZIP-215 rules and the NIST rules. Based on some Zulip discussion, one option we're considering is adding a separate set of "strict" methods which implement the NIST validation criteria. |
My latest recommendation for this issue would be to add That's a purely additive change and not a blocker for a 4.0 release. |
yeah, sounds good. what about naming? just nist? it's also rfc8032, innit? |
Yes, though I imagine people concerned with following particular validation rules are going to be more concerned with NIST than RFC8032 |
I'm more concerned with it being strict, not any specific standards. That means not only would it reject anything exceeding the modulus, yet also the negative identity. |
We can call it "strict" but that's a little nonspecific, especially when NIST has a further set of "strict" verification criteria. If someone has a better suggestion for a name which covers RFC8032 vs NIST point validation criteria (or can spot any discrepancies between the two) that'd be good to know. |
My highlight wasn't on the naming, yet on the note NIST allows negative identity. Accordingly, I don't care to use a NIST-matching function, I care to use a strict function offering canonicity. While such a check could be added to My proposal is for a |
I'm going to close this issue in favor of #626 which is a new feature tracking issue for implementing NIST's validation criteria. Notably So closing this as "working as intended". |
EdwardsPoint::decompress accepts y higher than field modulo
Which is invalid as per RFC8032 5.1.3.
The text was updated successfully, but these errors were encountered: