EdDSA Verification Checks

[gnarula]

This PR builds on #427 with the following modifications:

• The IsCanonical and HasSmallOrder checks are moved to Point and Scalar implementations of edwards25519
• Tests use the constants defined in edwards25519
• Ensured bitwise operations are on unsigned types / bytes
• Added eddsa.VerifyWithChecks(pub, msg, sig []byte) which checks constraints as imposed by RFC8032 and group order checks as suggested in https://eprint.iacr.org/2020/823.pdf and implemented in libsodium

[ineiti]

I would replace all assert with require, as most of the time it doesn't make sense to continue the test, e.g., if the msg := random.Bits... fails, no reason to continue the test.

Also, there are some assert.Nil which should be require.NoError.

I thought that HasSmallOrder is defined on the point and doesn't need to take a slice of bytes, no?

Also, IsCanonical could be defined only in the eddsa package, as it doesn't make sense in the edwards25519 package, given that Points and Scalars always are canonical.

[ineiti]

Suggested change

//suite := edwards25519.NewBlakeSHA256Ed25519()

[ineiti]

Suggested change

	msg := make([]byte, 32)
	_, err := rand.Read(msg)
	assert.NoError(t, err)
	msg := random.Bits(256, true, random.New())

[ineiti]

Suggested change

	msg := make([]byte, 32)
	_, err := rand.Read(msg)
	assert.NoError(t, err)
	msg := random.Bits(256, true, random.New())

[ineiti]

Can this check be easily added?

[ineiti]

Suggested change

	err = ed.Public.UnmarshalBinary(publicKey)
	assert.Nil(t, err)
	require.NoError(ed.Public.UnmarshalBinary(publicKey))

[ineiti]

Suggested change

	assert.Equal(t, fmt.Errorf("signature is not canonical"), err)
	require.Equal(t, fmt.Errorf("signature is not canonical"), err)

[ineiti]

Suggested change

	msg := make([]byte, 32)
	_, err := rand.Read(msg)
	assert.NoError(t, err)
	msg := random.Bits(256, true, random.New())

[ineiti]

Suggested change

	assert.Nil(t, err)
	require.NoError(t, err)

[ineiti]

Suggested change

	assert.Nil(t, Verify(ed.Public, msg, sig))
	require.NoError(t, Verify(ed.Public, msg, sig))

[ineiti]

Suggested change

	assert.Equal(t, fmt.Errorf("signature is not canonical"), err)
	require.Equal(t, fmt.Errorf("signature is not canonical"), err)

[gnarula]

I would replace all assert with require, as most of the time it doesn't make sense to continue the test, e.g., if the msg := random.Bits... fails, no reason to continue the test.

Also, there are some assert.Nil which should be require.NoError.

Yeah, I'm yet to work my way through eddsa_test. Realised it quite late yesterday after I created the PR and hence the TODO commit/messages in haste :)

I thought that HasSmallOrder is defined on the point and doesn't need to take a slice of bytes, no?

I used the byte slice because point.MarshalBinary() returns values modulo prime and we have prime and prime+1 in weak keys.

Also, IsCanonical could be defined only in the eddsa package, as it doesn't make sense in the edwards25519 package, given that Points and Scalars always are canonical.

👍

[ineiti]

I thought that HasSmallOrder is defined on the point and doesn't need to take a slice of bytes, no?

I used the byte slice because point.MarshalBinary() returns values modulo prime and we have prime and prime+1 in weak keys.

Yes - I still don't really understand what this check does with all the XORs :( This is where I would've liked to have an input from Simone, to know what makes most sense. From an engineering point of view HasSmallOrder([]byte) is a static method, which doesn't belong in a structure, but should be kept in the package. But as it only applies to ed25519.points, it is cleaner to be defined on the structure, but then it shouldn't be a static method, so it should use the structure.
But then, as you write, we will never have the prime and prime+1 as weak keys.

Is it correct to replace prime and prime+1 with 0 and 1? As we're always counting modulo prime?

[gnarula]

I still don't really understand what this check does with all the XORs

If I understand it correctly, the XORing ensures that c[i] = 0 iff the given slice is the same as the weakKeys[i].

But then, as you write, we will never have the prime and prime+1 as weak keys.

We might run into that at https://github.com/dedis/kyber/pull/430/files#diff-bd9209ce75feb92351db6c68bd8010d7R154

[ineiti]

The (sig[63]&240) > 0 should also go in IsCanonical.

[ineiti]

But then, as you write, we will never have the prime and prime+1 as weak keys.

We might run into that at https://github.com/dedis/kyber/pull/430/files#diff-bd9209ce75feb92351db6c68bd8010d7R154

This doesn't make sense: if the keys are supposed to be < prime, then how can you test against prime and prime+1 weak keys?

OK, crypto.stackexchange to the rescue:

https://crypto.stackexchange.com/questions/55632/libsodium-x25519-and-ed25519-small-order-check

So, if I get that right, the second-last paragraph has a nice summary:

The blacklist is the list of all points that will give zero as the ‘shared secret’. It does not list all illegitimate public keys—there are too many to list, of the form 𝐵+𝑄 where 𝐵 is a legitimate public key (of which there are 𝑝1 possibilities) and 𝑄 is on the blacklist. The only way to detect legitimate public keys is to confirm that [𝑝1]𝐵=0.

So if we test for p and p+1 in non-reduced numbers, they will fall on 0 and 1 anyway, which are already tested. Which makes me quite convinced that we can:

• from an engineering point of view: define HasSmallOrder on ed25519.point
• from a mathematical point of view: only check the first 5 weak keys, as p and p+1 will be caught by the reduction and the check with 0 and 1
• from a verification point of view: by UnmarshalBinarying the []byte in eddsa.VerifyWithChecks after we check the IsCanonical

But I don't see yet where we should/could check for the correct subgroup with prime * Point = 0, like the following does: https://github.com/kilic/bls12-381/blob/59713d4652a1851eb2ad0fb980533a5472294fe0/g1.go#L280

That's probably for another PR.

[gnarula]

This doesn't make sense: if the keys are supposed to be < prime, then how can you test against prime and prime+1 weak keys?

Aha, I was under the impression that R = sig[:32] could be > prime but I read RFC8032 again and it does indeed mention that verification should fail if R cannot be decoded. Decoding rules require failure for non canonical points. This is what you suggest in the third bullet point as well. 👍 Working on the changes now