Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

schnorr.Verify must be fixed #431

Closed
calctopian opened this issue Aug 6, 2020 · 0 comments · Fixed by #434
Closed

schnorr.Verify must be fixed #431

calctopian opened this issue Aug 6, 2020 · 0 comments · Fixed by #434

Comments

@calctopian
Copy link
Contributor

As it was previously pointed out, schnorr.Verify must be fixed but the previous commit didn't fix it.

But why is it so important?

  • EdDSA is Schnorr instantiated with the Ed25519 curve: if you fix EdDSA, then you must also fix Schnorr when instantiated with the Ed25519 curve.
  • eddsa.Verify is hardly used (IdentityProxy), however schnorr.Verify is used everywhere: dedis/cothority (darcs, viewchanges, roster extension, authproxy, evoting, ...) and dedis/dela. The vulnerability is on schnorr.Verify, leaving it unpatched is irresponsible.
  • schnorr.Verify could verify signatures generated by third-party libraries that don't conform to the keys/signatures generated by this library: a defensive approach must be taken to prevent malicious signatures.
  • in kyber, the implementations of schnorr.Verify and eddsa.Verify are identical by design (i.e., what schnorr signs is verified by eddsa, et vice versa) except for eddsa.Sign having deterministic nonce generation and schnorr.Sign being random: as pointed out in the paper, "Ed25519 uses deterministic signing which removes the need for fresh random numbers during the signing process. This choice does not lead to any particular consequences for our security analysis since we model the key derivation function as a random oracle." ( Section 4.2.5
  • in fact, there is a test checking the compatibility between schnorr and eddsa signatures: thus, they both should receive equal treatment.
@calctopian calctopian mentioned this issue Aug 6, 2020
Closed
gnarula added a commit that referenced this issue Aug 12, 2020
@gnarula @calctopian
Schnorr Verification Checks
a6ee6e1 
Added `schnorr.VerifyWithChecks` which checks if the scalars and
points are canonical and ensures the points do not have a small
order.

Builds on top of #432 and closes #431

Co-authored-by: David Cerezo <david@calctopia.com>
gnarula added a commit that referenced this issue Aug 12, 2020
@gnarula @calctopian
Schnorr Verification Checks
ae2b6ff 
Added `schnorr.VerifyWithChecks` which checks if the scalars and
points are canonical and ensures the points do not have a small
order for Edwards25519 Group.

Builds on top of #432 and closes #431

Co-authored-by: David Cerezo <david@calctopia.com>
@gnarula gnarula mentioned this issue Aug 12, 2020
Merged
janbormet pushed a commit to janbormet/kyber that referenced this issue Aug 22, 2023
@gnarula @calctopian @janbormet
Schnorr Verification Checks
3f2ddfa 
Added `schnorr.VerifyWithChecks` which checks if the scalars and
points are canonical and ensures the points do not have a small
order for Edwards25519 Group.

Builds on top of dedis#432 and closes dedis#431

Co-authored-by: David Cerezo <david@calctopia.com>
K1li4nL pushed a commit that referenced this issue May 16, 2024
@gnarula @calctopian @K1li4nL
Schnorr Verification Checks
b1b47ee 
Added `schnorr.VerifyWithChecks` which checks if the scalars and
points are canonical and ensures the points do not have a small
order for Edwards25519 Group.

Builds on top of #432 and closes #431

Co-authored-by: David Cerezo <david@calctopia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Schnorr Verification Checks dedis/kyber
Fixing schnorr.Verify Calctopia-OpenSource/kyber
1 participant
@calctopian