From 13fe8724f34d1476f1ff16e84db67c066b3bd4ee Mon Sep 17 00:00:00 2001 From: Mike Hamburg Date: Sat, 10 Oct 2020 12:38:28 +0100 Subject: [PATCH] a couple more tests for EdDSA malleability --- test/test_decaf.cxx | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/test/test_decaf.cxx b/test/test_decaf.cxx index 4f851ad..80f8368 100644 --- a/test/test_decaf.cxx +++ b/test/test_decaf.cxx @@ -575,6 +575,13 @@ static void test_eddsa() { Test test("EdDSA"); SpongeRng rng(Block("test_eddsa"),SpongeRng::DETERMINISTIC); + int lg_scalar = Group::bits(); + for (int cof = Group::REMOVED_COFACTOR; cof>1; cof>>=1) { + lg_scalar--; + } + typename Group::Scalar more_than_size = 1; + for (int i=0; i::PrivateKey priv(rng); typename EdDSA::PublicKey pub(priv); @@ -633,6 +640,28 @@ static void test_eddsa() { context[(i/8) % context.size()] ^= 1<<(i%8); } + // Construct sig which is numerically equal but improper + const int scalarbytes = Group::Scalar::SER_BYTES; + uint8_t *scalarpart = &sig[EdDSA::PublicKey::SER_BYTES]; + typename Group::Scalar sig_r = FixedBlock(scalarpart); + memcpy(scalarpart, (-sig_r).serialize().data(), scalarbytes); + try { + pub.verify(sig,message,context); + test.fail(); + printf(" Signature validation passed incorrectly on negated sig %d\n", i); + } catch(CryptoException&) {} + + + sig_r -= more_than_size; + memcpy(scalarpart, sig_r.serialize().data(), scalarbytes); + scalarpart[scalarbytes-1] += 1<<(lg_scalar%8); + try { + pub.verify(sig,message,context); + test.fail(); + printf(" Signature validation passed incorrectly on improper sig %d\n", i); + } catch(CryptoException&) {} + + /* Test encode_like and torque */ Point p(rng); SecureBuffer p1 = p.mul_by_ratio_and_encode_like_eddsa();
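Review bot: `lg_scalar` and `more_than_size` are added at the top of test_eddsa without a comment, and their only visible use is the non-canonical-signature case in the second hunk, so the reader has to work out what they represent. I would put `// lg_scalar: Group::bits() minus log2(REMOVED_COFACTOR), the bit bumped in the improper-S test below` above the cofactor loop. If the second loop builds 2^lg_scalar, a name like `two_to_lg_scalar` would say so; that loop's body is cut off in this view, so this is inferred. test_eddsa continues outside the hunk.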
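Review bot: The comment `// Construct sig which is numerically equal but improper` sits above the negated-scalar case, but `-sig_r` is a different scalar. The description fits the second case, after `sig_r -= more_than_size;`, where the top-byte bump appears to restore the same residue in a non-canonical encoding. I would label the first block `// Negated S: a different scalar, must be rejected` and move the existing comment down to the second block. `scalarpart[scalarbytes-1] += 1<<(lg_scalar%8);` also seems to assume that bit is clear after reduction, and `&sig[...PublicKey::SER_BYTES]` assumes S starts right after an R of public-key length. A short comment stating both would make a spurious failure easier to diagnose. The enclosing loop and function start and end outside the hunk.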