jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

fix malleability bug from https://eprint.iacr.org/2020/1244.pdf and add test vectors

master
Mike Hamburg 4 years ago
parent
ff5d289935
commit
e99b0a52f8
3 changed files with 346 additions and 40 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +13
    -3
      src/per_curve/eddsa.tmpl.c
  2. +80
    -29
      test/test_decaf.cxx
  3. +253
    -8
      test/vectors.inc.cxx

+ 13
- 3
src/per_curve/eddsa.tmpl.c View File

@@ -354,11 +354,21 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
API_NS(scalar_t) response_scalar;
API_NS(scalar_decode_long)(
error = API_NS(scalar_decode)(
response_scalar,
&signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES
&signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES]
);
if (DECAF_SUCCESS != error) { return error; }

#if DECAF_$(gf_bits)_SCALAR_BYTES < DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES
for (unsigned i = DECAF_$(gf_bits)_SCALAR_BYTES;
i < DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES;
i++) {
if (signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES+i] != 0x00) {
return DECAF_FAILURE;
}
}
#endif
for (unsigned c=1; c<$(C_NS)_EDDSA_DECODE_RATIO; c<<=1) {
API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);


+ 80
- 29
test/test_decaf.cxx View File

@@ -481,6 +481,7 @@ static void test_cfrg_crypto() {

static const bool eddsa_prehashed[];
static const Block eddsa_sk[], eddsa_pk[], eddsa_message[], eddsa_context[], eddsa_sig[];
static const bool eddsa_verify_should_succeed[];

static void test_cfrg_vectors() {
Test test("CFRG test vectors");
@@ -490,49 +491,60 @@ static void test_cfrg_vectors() {
int the_ntests = (NTESTS < 1000000) ? 1000 : 1000000;
/* EdDSA */
for (unsigned int t=0; eddsa_sk[t].size(); t++) {
typename EdDSA<Group>::PrivateKey priv(eddsa_sk[t]);
SecureBuffer eddsa_pk2 = priv.pub().serialize();
if (!memeq(SecureBuffer(eddsa_pk[t]), eddsa_pk2)) {
test.fail();
printf(" EdDSA PK vectors #%d disagree.", t);
printf("\n Correct: ");
for (unsigned i=0; i<eddsa_pk[t].size(); i++) printf("%02x", eddsa_pk[t][i]);
printf("\n Incorrect: ");
for (unsigned int t=0; t<sizeof(eddsa_sk)/sizeof(eddsa_sk[0]); t++) {
if (eddsa_sk[t].size()) {
typename EdDSA<Group>::PrivateKey priv(eddsa_sk[t]);
SecureBuffer eddsa_pk2 = priv.pub().serialize();
if (!memeq(SecureBuffer(eddsa_pk[t]), eddsa_pk2)) {
test.fail();
printf(" EdDSA PK vectors #%d disagree.", t);
printf("\n Correct: ");
for (unsigned i=0; i<eddsa_pk[t].size(); i++) printf("%02x", eddsa_pk[t][i]);
printf("\n Incorrect: ");

for (unsigned i=0; i<eddsa_pk2.size(); i++) printf("%02x", eddsa_pk2[i]);
printf("\n");
}
SecureBuffer sig;
for (unsigned i=0; i<eddsa_pk2.size(); i++) printf("%02x", eddsa_pk2[i]);
printf("\n");
}
SecureBuffer sig;
if (eddsa_prehashed[t]) {
typename EdDSA<Group>::PrivateKeyPh priv2(eddsa_sk[t]);
sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]);
} else {
sig = priv.sign(eddsa_message[t],eddsa_context[t]);
}
if (eddsa_prehashed[t]) {
typename EdDSA<Group>::PrivateKeyPh priv2(eddsa_sk[t]);
sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]);
} else {
sig = priv.sign(eddsa_message[t],eddsa_context[t]);
}

if (!memeq(SecureBuffer(eddsa_sig[t]),sig)) {
test.fail();
printf(" EdDSA sig vectors disagree.");
printf("\n Correct: ");
for (unsigned i=0; i<eddsa_sig[t].size(); i++) printf("%02x", eddsa_sig[t][i]);
printf("\n Incorrect: ");
if (!memeq(SecureBuffer(eddsa_sig[t]),sig)) {
test.fail();
printf(" EdDSA sig vectors #%d disagree.", t);
printf("\n Correct: ");
for (unsigned i=0; i<eddsa_sig[t].size(); i++) printf("%02x", eddsa_sig[t][i]);
printf("\n Incorrect: ");

for (unsigned i=0; i<sig.size(); i++) printf("%02x", sig[i]);
printf("\n");
for (unsigned i=0; i<sig.size(); i++) printf("%02x", sig[i]);
printf("\n");
}
}
bool verified;
try {
typename EdDSA<Group>::PublicKey pub(eddsa_pk[t]);
if (eddsa_prehashed[t]) {
pub.verify_with_prehash(eddsa_sig[t], eddsa_message[t], eddsa_context[t]);
} else {
priv.pub().verify(eddsa_sig[t], eddsa_message[t], eddsa_context[t]);
pub.verify(eddsa_sig[t], eddsa_message[t], eddsa_context[t]);
}
verified = true;
} catch(CryptoException&) {
verified = false;
}

if (verified != eddsa_verify_should_succeed[t]) {
test.fail();
printf(" EdDSA Verify vector #%d disagree\n", t);
printf(" EdDSA Verify vector #%d disagree: verify %s but should %s\n",
t, verified ? "passed" : "failed",
eddsa_verify_should_succeed[t] ? "pass" : "fail");
}
}
@@ -582,6 +594,45 @@ static void test_eddsa() {
printf(" Signature validation failed on sig %d\n", i);
}
try {
sig[(i/8) % sig.size()] ^= 1<<(i%8);
pub.verify(sig,message,context);
test.fail();
printf(" Signature validation passed incorrectly on corrupted sig %d\n", i);
} catch(CryptoException&) {}
sig[(i/8) % sig.size()] ^= 1<<(i%8);
try {
const int size = EdDSA<Group>::PublicKey::SER_BYTES;
uint8_t ser[size];
pub.serialize_into(ser);
ser[(i/8) % size] ^= 1<<(i%8);
typename EdDSA<Group>::PublicKey pub2((FixedBlock<size>(ser)));
pub2.verify(sig,message,context);
test.fail();
printf(" Signature validation passed incorrectly on corrupted pubkey %d\n", i);
} catch(CryptoException&) {}

if (message.size() > 0) {
try {
message[(i/8) % message.size()] ^= 1<<(i%8);
pub.verify(sig,message,context);
test.fail();
printf(" Signature validation passed incorrectly on corrupted message %d\n", i);
} catch(CryptoException&) {}
message[(i/8) % message.size()] ^= 1<<(i%8);
}

if (context.size() > 0) {
try {
context[(i/8) % context.size()] ^= 1<<(i%8);
pub.verify(sig,message,context);
test.fail();
printf(" Signature validation passed incorrectly on corrupted message %d\n", i);
} catch(CryptoException&) {}
context[(i/8) % context.size()] ^= 1<<(i%8);
}
/* Test encode_like and torque */
Point p(rng);
SecureBuffer p1 = p.mul_by_ratio_and_encode_like_eddsa();


+ 253
- 8
test/vectors.inc.cxx View File

@@ -685,8 +685,7 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_sk[] = {
// RFC 8032 - test vector 8 - 256 octet
Block(ed448_eddsa_sk[7],57),
// RFC 8032 - test vector 9 - 1023 octet
Block(ed448_eddsa_sk[8],57),
Block(NULL,0)
Block(ed448_eddsa_sk[8],57)
};
template<> const Block Tests<Ed448Goldilocks>::eddsa_pk[] = {
// RFC 8032 - test vector 1 - blank
@@ -786,6 +785,20 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_sig[] = {
Block(ed448_eddsa_sig[10],114)
};

template<> const bool Tests<Ed448Goldilocks>::eddsa_verify_should_succeed[] = {
true,
true,
true,
true,
true,
true,
true,
true,
true,
true,
true
};

const uint8_t ed25519_eddsa_sk[][32] = {{
0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
@@ -837,8 +850,28 @@ const uint8_t ed25519_eddsa_pk[][32] = {{
0x0c,0x29,0xf0,0x25,0x9c,0xf5,0xf9,0xae,
0xd6,0x85,0x1c,0x2b,0xb4,0xad,0x8b,0xfb,
0x86,0x0c,0xfe,0xe0,0xab,0x24,0x82,0x92
}, {
0xc7,0x17,0x6a,0x70,0x3d,0x4d,0xd8,0x4f,
0xba,0x3c,0x0b,0x76,0x0d,0x10,0x67,0x0f,
0x2a,0x20,0x53,0xfa,0x2c,0x39,0xcc,0xc6,
0x4e,0xc7,0xfd,0x77,0x92,0xac,0x03,0xfa
}, {
0xf7,0xba,0xde,0xc5,0xb8,0xab,0xea,0xf6,
0x99,0x58,0x39,0x92,0x21,0x9b,0x7b,0x22,
0x3f,0x1d,0xf3,0xfb,0xbe,0xa9,0x19,0x84,
0x4e,0x3f,0x7c,0x55,0x4a,0x43,0xdd,0x43
}, {
0xcd,0xb2,0x67,0xce,0x40,0xc5,0xcd,0x45,
0x30,0x6f,0xa5,0xd2,0xf2,0x97,0x31,0x45,
0x93,0x87,0xdb,0xf9,0xeb,0x93,0x3b,0x7b,
0xd5,0xae,0xd9,0xa7,0x65,0xb8,0x8d,0x4d
}, {
0x44,0x2a,0xad,0x9f,0x08,0x9a,0xd9,0xe1,
0x46,0x47,0xb1,0xef,0x90,0x99,0xa1,0xff,
0x47,0x98,0xd7,0x85,0x89,0xe6,0x6f,0x28,
0xec,0xa6,0x9c,0x11,0xf5,0x82,0xa6,0x23
}};
const uint8_t ed25519_eddsa_message[][16] = {{
const uint8_t ed25519_eddsa_message[][32] = {{
0
}, {
0x72
@@ -849,6 +882,41 @@ const uint8_t ed25519_eddsa_message[][16] = {{
}, {
0xf7,0x26,0x93,0x6d,0x19,0xc8,0x00,0x49,
0x4e,0x3f,0xda,0xff,0x20,0xb2,0x76,0xa8
}, { // https://eprint.iacr.org/2020/1244.pdf
0x8c,0x93,0x25,0x5d,0x71,0xdc,0xab,0x10,
0xe8,0xf3,0x79,0xc2,0x62,0x00,0xf3,0xc7,
0xbd,0x5f,0x09,0xd9,0xbc,0x30,0x68,0xd3,
0xef,0x4e,0xde,0xb4,0x85,0x30,0x22,0xb6
}, {
0x9b,0xd9,0xf4,0x4f,0x4d,0xcc,0x75,0xbd,
0x53,0x1b,0x56,0xb2,0xcd,0x28,0x0b,0x0b,
0xb3,0x8f,0xc1,0xcd,0x6d,0x12,0x30,0xe1,
0x48,0x61,0xd8,0x61,0xde,0x09,0x2e,0x79
}, {
0xae,0xbf,0x3f,0x26,0x01,0xa0,0xc8,0xc5,
0xd3,0x9c,0xc7,0xd8,0x91,0x16,0x42,0xf7,
0x40,0xb7,0x81,0x68,0x21,0x8d,0xa8,0x47,
0x17,0x72,0xb3,0x5f,0x9d,0x35,0xb9,0xab
}, {
0xe4,0x7d,0x62,0xc6,0x3f,0x83,0x0d,0xc7,
0xa6,0x85,0x1a,0x0b,0x1f,0x33,0xae,0x4b,
0xb2,0xf5,0x07,0xfb,0x6c,0xff,0xec,0x40,
0x11,0xea,0xcc,0xd5,0x5b,0x53,0xf5,0x6c
}, {
0x85,0xe2,0x41,0xa0,0x7d,0x14,0x8b,0x41,
0xe4,0x7d,0x62,0xc6,0x3f,0x83,0x0d,0xc7,
0xa6,0x85,0x1a,0x0b,0x1f,0x33,0xae,0x4b,
0xb2,0xf5,0x07,0xfb,0x6c,0xff,0xec,0x40
}, {
0xfd,0xae,0xbc,0x42,0x9f,0x4a,0x73,0x59,
0x32,0xa1,0x60,0xda,0x13,0x01,0x08,0x0c,
0x13,0x28,0x0e,0xea,0x8b,0xc2,0x80,0xd1,
0xb3,0x92,0xc6,0xb9,0xe6,0xba,0x3a,0x5a
}, {
0x84,0xb6,0x98,0xd3,0x9b,0xe1,0x26,0xff,
0x55,0xfe,0x45,0x07,0x9e,0x6c,0x8b,0xf6,
0x4a,0x0d,0x7d,0xb6,0x99,0x45,0x60,0xb4,
0xe9,0x6b,0x70,0x21,0xeb,0x39,0xc1,0xa1
}};
const uint8_t ed25519_eddsa_context[][3] = {{
0x66,0x6f,0x6f
@@ -909,6 +977,96 @@ const uint8_t ed25519_eddsa_sig[][64] = {{
0xb5,0xb1,0x86,0xd1,0xd2,0x8f,0x8e,0xe1,
0x5a,0x5c,0xa2,0xdf,0x66,0x68,0x34,0x62,
0x91,0xc2,0x04,0x3d,0x4e,0xb3,0xe9,0x0d
}, {
0xc7,0x17,0x6a,0x70,0x3d,0x4d,0xd8,0x4f,
0xba,0x3c,0x0b,0x76,0x0d,0x10,0x67,0x0f,
0x2a,0x20,0x53,0xfa,0x2c,0x39,0xcc,0xc6,
0x4e,0xc7,0xfd,0x77,0x92,0xac,0x03,0x7a,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
}, {
0xf7,0xba,0xde,0xc5,0xb8,0xab,0xea,0xf6,
0x99,0x58,0x39,0x92,0x21,0x9b,0x7b,0x22,
0x3f,0x1d,0xf3,0xfb,0xbe,0xa9,0x19,0x84,
0x4e,0x3f,0x7c,0x55,0x4a,0x43,0xdd,0x43,
0xa5,0xbb,0x70,0x47,0x86,0xbe,0x79,0xfc,
0x47,0x6f,0x91,0xd3,0xf3,0xf8,0x9b,0x03,
0x98,0x4d,0x80,0x68,0xdc,0xf1,0xbb,0x7d,
0xfc,0x66,0x37,0xb4,0x54,0x50,0xac,0x04
}, {
0xc7,0x17,0x6a,0x70,0x3d,0x4d,0xd8,0x4f,
0xba,0x3c,0x0b,0x76,0x0d,0x10,0x67,0x0f,
0x2a,0x20,0x53,0xfa,0x2c,0x39,0xcc,0xc6,
0x4e,0xc7,0xfd,0x77,0x92,0xac,0x03,0xfa,
0x8c,0x4b,0xd4,0x5a,0xec,0xac,0xa5,0xb2,
0x4f,0xb9,0x7b,0xc1,0x0a,0xc2,0x7a,0xc8,
0x75,0x1a,0x7d,0xfe,0x1b,0xaf,0xf8,0xb9,
0x53,0xec,0x9f,0x58,0x33,0xca,0x26,0x0e
}, {
0x90,0x46,0xa6,0x47,0x50,0x44,0x49,0x38,
0xde,0x19,0xf2,0x27,0xbb,0x80,0x48,0x5e,
0x92,0xb8,0x3f,0xdb,0x4b,0x65,0x06,0xc1,
0x60,0x48,0x4c,0x01,0x6c,0xc1,0x85,0x2f,
0x87,0x90,0x9e,0x14,0x42,0x8a,0x7a,0x1d,
0x62,0xe9,0xf2,0x2f,0x3d,0x3a,0xd7,0x80,
0x2d,0xb0,0x2e,0xb2,0xe6,0x88,0xb6,0xc5,
0x2f,0xcd,0x66,0x48,0xa9,0x8b,0xd0,0x09
}, {
0x16,0x0a,0x1c,0xb0,0xdc,0x9c,0x02,0x58,
0xcd,0x0a,0x7d,0x23,0xe9,0x4d,0x8f,0xa8,
0x78,0xbc,0xb1,0x92,0x5f,0x2c,0x64,0x24,
0x6b,0x2d,0xee,0x17,0x96,0xbe,0xd5,0x12,
0x5e,0xc6,0xbc,0x98,0x2a,0x26,0x9b,0x72,
0x3e,0x06,0x68,0xe5,0x40,0x91,0x1a,0x9a,
0x6a,0x58,0x92,0x1d,0x69,0x25,0xe4,0x34,
0xab,0x10,0xaa,0x79,0x40,0x55,0x1a,0x09
}, {
0x21,0x12,0x2a,0x84,0xe0,0xb5,0xfc,0xa4,
0x05,0x2f,0x5b,0x12,0x35,0xc8,0x0a,0x53,
0x78,0x78,0xb3,0x8f,0x31,0x42,0x35,0x6b,
0x2c,0x23,0x84,0xeb,0xad,0x46,0x68,0xb7,
0xe4,0x0b,0xc8,0x36,0xda,0xc0,0xf7,0x10,
0x76,0xf9,0xab,0xe3,0xa5,0x3f,0x9c,0x03,
0xc1,0xce,0xee,0xdd,0xb6,0x58,0xd0,0x03,
0x04,0x94,0xac,0xe5,0x86,0x68,0x74,0x05
}, {
0xe9,0x6f,0x66,0xbe,0x97,0x6d,0x82,0xe6,
0x01,0x50,0xba,0xec,0xff,0x99,0x06,0x68,
0x4a,0xeb,0xb1,0xef,0x18,0x1f,0x67,0xa7,
0x18,0x9a,0xc7,0x8e,0xa2,0x3b,0x6c,0x0e,
0x54,0x7f,0x76,0x90,0xa0,0xe2,0xdd,0xcd,
0x04,0xd8,0x7d,0xbc,0x34,0x90,0xdc,0x19,
0xb3,0xb3,0x05,0x2f,0x7f,0xf0,0x53,0x8c,
0xb6,0x8a,0xfb,0x36,0x9b,0xa3,0xa5,0x14
}, {
0x8c,0xe5,0xb9,0x6c,0x8f,0x26,0xd0,0xab,
0x6c,0x47,0x95,0x8c,0x9e,0x68,0xb9,0x37,
0x10,0x4c,0xd3,0x6e,0x13,0xc3,0x35,0x66,
0xac,0xd2,0xfe,0x8d,0x38,0xaa,0x19,0x42,
0x7e,0x71,0xf9,0x8a,0x47,0x34,0x74,0xf2,
0xf1,0x3f,0x06,0xf9,0x7c,0x20,0xd5,0x8c,
0xc3,0xf5,0x4b,0x8b,0xd0,0xd2,0x72,0xf4,
0x2b,0x69,0x5d,0xd7,0xe8,0x9a,0x8c,0x22
}, {
0xed,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f,
0x45,0x4d,0x37,0x0c,0x8d,0x9f,0xc3,0x23,
0xa4,0x14,0x50,0xf8,0xd5,0x13,0xea,0xfe,
0xb5,0xb0,0x69,0x73,0x90,0xc1,0xe5,0x05,
0xa0,0xd4,0xdd,0xc7,0x1f,0x56,0x66,0x07
}, {
0xed,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f,
0x08,0x4d,0x5b,0x99,0xc2,0xa9,0x46,0x3d,
0x9c,0x8b,0xd5,0x02,0x69,0x16,0x99,0x69,
0x84,0xee,0xec,0x87,0xdd,0xf1,0xd3,0xbe,
0x32,0x90,0x06,0xac,0xe1,0xb3,0x7b,0x09
}};

template<> const bool Tests<Ristretto>::eddsa_prehashed[] = {
@@ -917,6 +1075,16 @@ template<> const bool Tests<Ristretto>::eddsa_prehashed[] = {
false,
true,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false
};
template<> const Block Tests<Ristretto>::eddsa_sk[] = {
@@ -926,7 +1094,19 @@ template<> const Block Tests<Ristretto>::eddsa_sk[] = {
Block(ed25519_eddsa_sk[3],32),
Block(ed25519_eddsa_sk[4],32),
Block(ed25519_eddsa_sk[4],32),
Block(NULL,0)
// https://eprint.iacr.org/2020/1244.pdf
// These tests don't have an associated private key
// In many cases the public key is malformed
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
};
template<> const Block Tests<Ristretto>::eddsa_pk[] = {
Block(ed25519_eddsa_pk[0],32),
@@ -934,7 +1114,18 @@ template<> const Block Tests<Ristretto>::eddsa_pk[] = {
Block(ed25519_eddsa_pk[2],32),
Block(ed25519_eddsa_pk[3],32),
Block(ed25519_eddsa_pk[4],32),
Block(ed25519_eddsa_pk[4],32)
Block(ed25519_eddsa_pk[4],32),
// https://eprint.iacr.org/2020/1244.pdf
Block(ed25519_eddsa_pk[5],32),
Block(ed25519_eddsa_pk[5],32),
Block(ed25519_eddsa_pk[6],32),
Block(ed25519_eddsa_pk[7],32),
Block(ed25519_eddsa_pk[7],32),
Block(ed25519_eddsa_pk[7],32),
Block(ed25519_eddsa_pk[8],32),
Block(ed25519_eddsa_pk[8],32),
Block(ed25519_eddsa_pk[6],32),
Block(ed25519_eddsa_pk[6],32)
};
template<> const Block Tests<Ristretto>::eddsa_context[] = {
EdDSA<Ristretto>::NO_CONTEXT(),
@@ -942,7 +1133,18 @@ template<> const Block Tests<Ristretto>::eddsa_context[] = {
EdDSA<Ristretto>::NO_CONTEXT(),
Block(NULL,0),
Block(ed25519_eddsa_context[0],3),
Block(ed25519_eddsa_context[1],3)
Block(ed25519_eddsa_context[1],3),
// https://eprint.iacr.org/2020/1244.pdf
EdDSA<Ristretto>::NO_CONTEXT(),
EdDSA<Ristretto>::NO_CONTEXT(),
EdDSA<Ristretto>::NO_CONTEXT(),
EdDSA<Ristretto>::NO_CONTEXT(),
EdDSA<Ristretto>::NO_CONTEXT(),
EdDSA<Ristretto>::NO_CONTEXT(),
EdDSA<Ristretto>::NO_CONTEXT(),
EdDSA<Ristretto>::NO_CONTEXT(),
EdDSA<Ristretto>::NO_CONTEXT(),
EdDSA<Ristretto>::NO_CONTEXT()
};
template<> const Block Tests<Ristretto>::eddsa_message[] = {
Block(ed25519_eddsa_message[0],0),
@@ -950,7 +1152,18 @@ template<> const Block Tests<Ristretto>::eddsa_message[] = {
Block(ed25519_eddsa_message[2],2),
Block(ed25519_eddsa_message[3],3),
Block(ed25519_eddsa_message[4],16),
Block(ed25519_eddsa_message[4],16)
Block(ed25519_eddsa_message[4],16),
// https://eprint.iacr.org/2020/1244.pdf
Block(ed25519_eddsa_message[5],32),
Block(ed25519_eddsa_message[6],32),
Block(ed25519_eddsa_message[7],32),
Block(ed25519_eddsa_message[6],32),
Block(ed25519_eddsa_message[8],32),
Block(ed25519_eddsa_message[8],32),
Block(ed25519_eddsa_message[9],32),
Block(ed25519_eddsa_message[9],32),
Block(ed25519_eddsa_message[10],32),
Block(ed25519_eddsa_message[11],32)
};
template<> const Block Tests<Ristretto>::eddsa_sig[] = {
Block(ed25519_eddsa_sig[0],64),
@@ -958,5 +1171,37 @@ template<> const Block Tests<Ristretto>::eddsa_sig[] = {
Block(ed25519_eddsa_sig[2],64),
Block(ed25519_eddsa_sig[3],64),
Block(ed25519_eddsa_sig[4],64),
Block(ed25519_eddsa_sig[5],64)
Block(ed25519_eddsa_sig[5],64),
// https://eprint.iacr.org/2020/1244.pdf
Block(ed25519_eddsa_sig[6],64),
Block(ed25519_eddsa_sig[7],64),
Block(ed25519_eddsa_sig[8],64),
Block(ed25519_eddsa_sig[9],64),
Block(ed25519_eddsa_sig[10],64),
Block(ed25519_eddsa_sig[11],64),
Block(ed25519_eddsa_sig[12],64),
Block(ed25519_eddsa_sig[13],64),
Block(ed25519_eddsa_sig[14],64),
Block(ed25519_eddsa_sig[15],64)
};
template<> const bool Tests<Ristretto>::eddsa_verify_should_succeed[] = {
true,
true,
true,
true,
true,
true,
// https://eprint.iacr.org/2020/1244.pdf
// Note that passing the first two means we conform
// to RFC 8032, but sigs are malleable for the zero-key
true,
true,
true,
true,
true,
true,
false,
false,
false,
false
};

Write Preview
Loading…
Cancel
Save