From e99b0a52f8d979e5139f4919f8e1cfe19b0ee9f4 Mon Sep 17 00:00:00 2001 From: Mike Hamburg Date: Sat, 10 Oct 2020 12:13:25 +0100 Subject: [PATCH] fix malleability bug from https://eprint.iacr.org/2020/1244.pdf and add test vectors --- src/per_curve/eddsa.tmpl.c | 16 ++- test/test_decaf.cxx | 109 +++++++++++----- test/vectors.inc.cxx | 261 +++++++++++++++++++++++++++++++++++-- 3 files changed, 346 insertions(+), 40 deletions(-) diff --git a/src/per_curve/eddsa.tmpl.c b/src/per_curve/eddsa.tmpl.c index 97e9be5..b1dea71 100644 --- a/src/per_curve/eddsa.tmpl.c +++ b/src/per_curve/eddsa.tmpl.c @@ -354,11 +354,21 @@ decaf_error_t decaf_ed$(gf_shortname)_verify ( API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar); API_NS(scalar_t) response_scalar; - API_NS(scalar_decode_long)( + error = API_NS(scalar_decode)( response_scalar, - &signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], - DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES + &signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES] ); + if (DECAF_SUCCESS != error) { return error; } + +#if DECAF_$(gf_bits)_SCALAR_BYTES < DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES + for (unsigned i = DECAF_$(gf_bits)_SCALAR_BYTES; + i < DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES; + i++) { + if (signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES+i] != 0x00) { + return DECAF_FAILURE; + } + } +#endif for (unsigned c=1; c<$(C_NS)_EDDSA_DECODE_RATIO; c<<=1) { API_NS(scalar_add)(response_scalar,response_scalar,response_scalar); diff --git a/test/test_decaf.cxx b/test/test_decaf.cxx index 9c16be5..4f851ad 100644 --- a/test/test_decaf.cxx +++ b/test/test_decaf.cxx @@ -481,6 +481,7 @@ static void test_cfrg_crypto() { static const bool eddsa_prehashed[]; static const Block eddsa_sk[], eddsa_pk[], eddsa_message[], eddsa_context[], eddsa_sig[]; +static const bool eddsa_verify_should_succeed[]; static void test_cfrg_vectors() { Test test("CFRG test vectors"); @@ -490,49 +491,60 @@ static void test_cfrg_vectors() { int the_ntests = (NTESTS < 1000000) ? 1000 : 1000000; /* EdDSA */ - for (unsigned int t=0; eddsa_sk[t].size(); t++) { - typename EdDSA::PrivateKey priv(eddsa_sk[t]); - SecureBuffer eddsa_pk2 = priv.pub().serialize(); - if (!memeq(SecureBuffer(eddsa_pk[t]), eddsa_pk2)) { - test.fail(); - printf(" EdDSA PK vectors #%d disagree.", t); - printf("\n Correct: "); - for (unsigned i=0; i::PrivateKey priv(eddsa_sk[t]); + SecureBuffer eddsa_pk2 = priv.pub().serialize(); + if (!memeq(SecureBuffer(eddsa_pk[t]), eddsa_pk2)) { + test.fail(); + printf(" EdDSA PK vectors #%d disagree.", t); + printf("\n Correct: "); + for (unsigned i=0; i::PrivateKeyPh priv2(eddsa_sk[t]); - sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]); - } else { - sig = priv.sign(eddsa_message[t],eddsa_context[t]); - } + if (eddsa_prehashed[t]) { + typename EdDSA::PrivateKeyPh priv2(eddsa_sk[t]); + sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]); + } else { + sig = priv.sign(eddsa_message[t],eddsa_context[t]); + } - if (!memeq(SecureBuffer(eddsa_sig[t]),sig)) { - test.fail(); - printf(" EdDSA sig vectors disagree."); - printf("\n Correct: "); - for (unsigned i=0; i::PublicKey pub(eddsa_pk[t]); if (eddsa_prehashed[t]) { pub.verify_with_prehash(eddsa_sig[t], eddsa_message[t], eddsa_context[t]); } else { - priv.pub().verify(eddsa_sig[t], eddsa_message[t], eddsa_context[t]); + pub.verify(eddsa_sig[t], eddsa_message[t], eddsa_context[t]); } + verified = true; } catch(CryptoException&) { + verified = false; + } + + if (verified != eddsa_verify_should_succeed[t]) { test.fail(); - printf(" EdDSA Verify vector #%d disagree\n", t); + printf(" EdDSA Verify vector #%d disagree: verify %s but should %s\n", + t, verified ? "passed" : "failed", + eddsa_verify_should_succeed[t] ? "pass" : "fail"); } } @@ -582,6 +594,45 @@ static void test_eddsa() { printf(" Signature validation failed on sig %d\n", i); } + try { + sig[(i/8) % sig.size()] ^= 1<<(i%8); + pub.verify(sig,message,context); + test.fail(); + printf(" Signature validation passed incorrectly on corrupted sig %d\n", i); + } catch(CryptoException&) {} + sig[(i/8) % sig.size()] ^= 1<<(i%8); + + try { + const int size = EdDSA::PublicKey::SER_BYTES; + uint8_t ser[size]; + pub.serialize_into(ser); + ser[(i/8) % size] ^= 1<<(i%8); + typename EdDSA::PublicKey pub2((FixedBlock(ser))); + pub2.verify(sig,message,context); + test.fail(); + printf(" Signature validation passed incorrectly on corrupted pubkey %d\n", i); + } catch(CryptoException&) {} + + if (message.size() > 0) { + try { + message[(i/8) % message.size()] ^= 1<<(i%8); + pub.verify(sig,message,context); + test.fail(); + printf(" Signature validation passed incorrectly on corrupted message %d\n", i); + } catch(CryptoException&) {} + message[(i/8) % message.size()] ^= 1<<(i%8); + } + + if (context.size() > 0) { + try { + context[(i/8) % context.size()] ^= 1<<(i%8); + pub.verify(sig,message,context); + test.fail(); + printf(" Signature validation passed incorrectly on corrupted message %d\n", i); + } catch(CryptoException&) {} + context[(i/8) % context.size()] ^= 1<<(i%8); + } + /* Test encode_like and torque */ Point p(rng); SecureBuffer p1 = p.mul_by_ratio_and_encode_like_eddsa(); diff --git a/test/vectors.inc.cxx b/test/vectors.inc.cxx index 290aefe..c13d5a8 100644 --- a/test/vectors.inc.cxx +++ b/test/vectors.inc.cxx @@ -685,8 +685,7 @@ template<> const Block Tests::eddsa_sk[] = { // RFC 8032 - test vector 8 - 256 octet Block(ed448_eddsa_sk[7],57), // RFC 8032 - test vector 9 - 1023 octet - Block(ed448_eddsa_sk[8],57), - Block(NULL,0) + Block(ed448_eddsa_sk[8],57) }; template<> const Block Tests::eddsa_pk[] = { // RFC 8032 - test vector 1 - blank @@ -786,6 +785,20 @@ template<> const Block Tests::eddsa_sig[] = { Block(ed448_eddsa_sig[10],114) }; +template<> const bool Tests::eddsa_verify_should_succeed[] = { + true, + true, + true, + true, + true, + true, + true, + true, + true, + true, + true +}; + const uint8_t ed25519_eddsa_sk[][32] = {{ 0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60, 0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4, @@ -837,8 +850,28 @@ const uint8_t ed25519_eddsa_pk[][32] = {{ 0x0c,0x29,0xf0,0x25,0x9c,0xf5,0xf9,0xae, 0xd6,0x85,0x1c,0x2b,0xb4,0xad,0x8b,0xfb, 0x86,0x0c,0xfe,0xe0,0xab,0x24,0x82,0x92 +}, { + 0xc7,0x17,0x6a,0x70,0x3d,0x4d,0xd8,0x4f, + 0xba,0x3c,0x0b,0x76,0x0d,0x10,0x67,0x0f, + 0x2a,0x20,0x53,0xfa,0x2c,0x39,0xcc,0xc6, + 0x4e,0xc7,0xfd,0x77,0x92,0xac,0x03,0xfa +}, { + 0xf7,0xba,0xde,0xc5,0xb8,0xab,0xea,0xf6, + 0x99,0x58,0x39,0x92,0x21,0x9b,0x7b,0x22, + 0x3f,0x1d,0xf3,0xfb,0xbe,0xa9,0x19,0x84, + 0x4e,0x3f,0x7c,0x55,0x4a,0x43,0xdd,0x43 +}, { + 0xcd,0xb2,0x67,0xce,0x40,0xc5,0xcd,0x45, + 0x30,0x6f,0xa5,0xd2,0xf2,0x97,0x31,0x45, + 0x93,0x87,0xdb,0xf9,0xeb,0x93,0x3b,0x7b, + 0xd5,0xae,0xd9,0xa7,0x65,0xb8,0x8d,0x4d +}, { + 0x44,0x2a,0xad,0x9f,0x08,0x9a,0xd9,0xe1, + 0x46,0x47,0xb1,0xef,0x90,0x99,0xa1,0xff, + 0x47,0x98,0xd7,0x85,0x89,0xe6,0x6f,0x28, + 0xec,0xa6,0x9c,0x11,0xf5,0x82,0xa6,0x23 }}; -const uint8_t ed25519_eddsa_message[][16] = {{ +const uint8_t ed25519_eddsa_message[][32] = {{ 0 }, { 0x72 @@ -849,6 +882,41 @@ const uint8_t ed25519_eddsa_message[][16] = {{ }, { 0xf7,0x26,0x93,0x6d,0x19,0xc8,0x00,0x49, 0x4e,0x3f,0xda,0xff,0x20,0xb2,0x76,0xa8 +}, { // https://eprint.iacr.org/2020/1244.pdf + 0x8c,0x93,0x25,0x5d,0x71,0xdc,0xab,0x10, + 0xe8,0xf3,0x79,0xc2,0x62,0x00,0xf3,0xc7, + 0xbd,0x5f,0x09,0xd9,0xbc,0x30,0x68,0xd3, + 0xef,0x4e,0xde,0xb4,0x85,0x30,0x22,0xb6 +}, { + 0x9b,0xd9,0xf4,0x4f,0x4d,0xcc,0x75,0xbd, + 0x53,0x1b,0x56,0xb2,0xcd,0x28,0x0b,0x0b, + 0xb3,0x8f,0xc1,0xcd,0x6d,0x12,0x30,0xe1, + 0x48,0x61,0xd8,0x61,0xde,0x09,0x2e,0x79 +}, { + 0xae,0xbf,0x3f,0x26,0x01,0xa0,0xc8,0xc5, + 0xd3,0x9c,0xc7,0xd8,0x91,0x16,0x42,0xf7, + 0x40,0xb7,0x81,0x68,0x21,0x8d,0xa8,0x47, + 0x17,0x72,0xb3,0x5f,0x9d,0x35,0xb9,0xab +}, { + 0xe4,0x7d,0x62,0xc6,0x3f,0x83,0x0d,0xc7, + 0xa6,0x85,0x1a,0x0b,0x1f,0x33,0xae,0x4b, + 0xb2,0xf5,0x07,0xfb,0x6c,0xff,0xec,0x40, + 0x11,0xea,0xcc,0xd5,0x5b,0x53,0xf5,0x6c +}, { + 0x85,0xe2,0x41,0xa0,0x7d,0x14,0x8b,0x41, + 0xe4,0x7d,0x62,0xc6,0x3f,0x83,0x0d,0xc7, + 0xa6,0x85,0x1a,0x0b,0x1f,0x33,0xae,0x4b, + 0xb2,0xf5,0x07,0xfb,0x6c,0xff,0xec,0x40 +}, { + 0xfd,0xae,0xbc,0x42,0x9f,0x4a,0x73,0x59, + 0x32,0xa1,0x60,0xda,0x13,0x01,0x08,0x0c, + 0x13,0x28,0x0e,0xea,0x8b,0xc2,0x80,0xd1, + 0xb3,0x92,0xc6,0xb9,0xe6,0xba,0x3a,0x5a +}, { + 0x84,0xb6,0x98,0xd3,0x9b,0xe1,0x26,0xff, + 0x55,0xfe,0x45,0x07,0x9e,0x6c,0x8b,0xf6, + 0x4a,0x0d,0x7d,0xb6,0x99,0x45,0x60,0xb4, + 0xe9,0x6b,0x70,0x21,0xeb,0x39,0xc1,0xa1 }}; const uint8_t ed25519_eddsa_context[][3] = {{ 0x66,0x6f,0x6f @@ -909,6 +977,96 @@ const uint8_t ed25519_eddsa_sig[][64] = {{ 0xb5,0xb1,0x86,0xd1,0xd2,0x8f,0x8e,0xe1, 0x5a,0x5c,0xa2,0xdf,0x66,0x68,0x34,0x62, 0x91,0xc2,0x04,0x3d,0x4e,0xb3,0xe9,0x0d +}, { + 0xc7,0x17,0x6a,0x70,0x3d,0x4d,0xd8,0x4f, + 0xba,0x3c,0x0b,0x76,0x0d,0x10,0x67,0x0f, + 0x2a,0x20,0x53,0xfa,0x2c,0x39,0xcc,0xc6, + 0x4e,0xc7,0xfd,0x77,0x92,0xac,0x03,0x7a, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +}, { + 0xf7,0xba,0xde,0xc5,0xb8,0xab,0xea,0xf6, + 0x99,0x58,0x39,0x92,0x21,0x9b,0x7b,0x22, + 0x3f,0x1d,0xf3,0xfb,0xbe,0xa9,0x19,0x84, + 0x4e,0x3f,0x7c,0x55,0x4a,0x43,0xdd,0x43, + 0xa5,0xbb,0x70,0x47,0x86,0xbe,0x79,0xfc, + 0x47,0x6f,0x91,0xd3,0xf3,0xf8,0x9b,0x03, + 0x98,0x4d,0x80,0x68,0xdc,0xf1,0xbb,0x7d, + 0xfc,0x66,0x37,0xb4,0x54,0x50,0xac,0x04 +}, { + 0xc7,0x17,0x6a,0x70,0x3d,0x4d,0xd8,0x4f, + 0xba,0x3c,0x0b,0x76,0x0d,0x10,0x67,0x0f, + 0x2a,0x20,0x53,0xfa,0x2c,0x39,0xcc,0xc6, + 0x4e,0xc7,0xfd,0x77,0x92,0xac,0x03,0xfa, + 0x8c,0x4b,0xd4,0x5a,0xec,0xac,0xa5,0xb2, + 0x4f,0xb9,0x7b,0xc1,0x0a,0xc2,0x7a,0xc8, + 0x75,0x1a,0x7d,0xfe,0x1b,0xaf,0xf8,0xb9, + 0x53,0xec,0x9f,0x58,0x33,0xca,0x26,0x0e +}, { + 0x90,0x46,0xa6,0x47,0x50,0x44,0x49,0x38, + 0xde,0x19,0xf2,0x27,0xbb,0x80,0x48,0x5e, + 0x92,0xb8,0x3f,0xdb,0x4b,0x65,0x06,0xc1, + 0x60,0x48,0x4c,0x01,0x6c,0xc1,0x85,0x2f, + 0x87,0x90,0x9e,0x14,0x42,0x8a,0x7a,0x1d, + 0x62,0xe9,0xf2,0x2f,0x3d,0x3a,0xd7,0x80, + 0x2d,0xb0,0x2e,0xb2,0xe6,0x88,0xb6,0xc5, + 0x2f,0xcd,0x66,0x48,0xa9,0x8b,0xd0,0x09 +}, { + 0x16,0x0a,0x1c,0xb0,0xdc,0x9c,0x02,0x58, + 0xcd,0x0a,0x7d,0x23,0xe9,0x4d,0x8f,0xa8, + 0x78,0xbc,0xb1,0x92,0x5f,0x2c,0x64,0x24, + 0x6b,0x2d,0xee,0x17,0x96,0xbe,0xd5,0x12, + 0x5e,0xc6,0xbc,0x98,0x2a,0x26,0x9b,0x72, + 0x3e,0x06,0x68,0xe5,0x40,0x91,0x1a,0x9a, + 0x6a,0x58,0x92,0x1d,0x69,0x25,0xe4,0x34, + 0xab,0x10,0xaa,0x79,0x40,0x55,0x1a,0x09 +}, { + 0x21,0x12,0x2a,0x84,0xe0,0xb5,0xfc,0xa4, + 0x05,0x2f,0x5b,0x12,0x35,0xc8,0x0a,0x53, + 0x78,0x78,0xb3,0x8f,0x31,0x42,0x35,0x6b, + 0x2c,0x23,0x84,0xeb,0xad,0x46,0x68,0xb7, + 0xe4,0x0b,0xc8,0x36,0xda,0xc0,0xf7,0x10, + 0x76,0xf9,0xab,0xe3,0xa5,0x3f,0x9c,0x03, + 0xc1,0xce,0xee,0xdd,0xb6,0x58,0xd0,0x03, + 0x04,0x94,0xac,0xe5,0x86,0x68,0x74,0x05 +}, { + 0xe9,0x6f,0x66,0xbe,0x97,0x6d,0x82,0xe6, + 0x01,0x50,0xba,0xec,0xff,0x99,0x06,0x68, + 0x4a,0xeb,0xb1,0xef,0x18,0x1f,0x67,0xa7, + 0x18,0x9a,0xc7,0x8e,0xa2,0x3b,0x6c,0x0e, + 0x54,0x7f,0x76,0x90,0xa0,0xe2,0xdd,0xcd, + 0x04,0xd8,0x7d,0xbc,0x34,0x90,0xdc,0x19, + 0xb3,0xb3,0x05,0x2f,0x7f,0xf0,0x53,0x8c, + 0xb6,0x8a,0xfb,0x36,0x9b,0xa3,0xa5,0x14 +}, { + 0x8c,0xe5,0xb9,0x6c,0x8f,0x26,0xd0,0xab, + 0x6c,0x47,0x95,0x8c,0x9e,0x68,0xb9,0x37, + 0x10,0x4c,0xd3,0x6e,0x13,0xc3,0x35,0x66, + 0xac,0xd2,0xfe,0x8d,0x38,0xaa,0x19,0x42, + 0x7e,0x71,0xf9,0x8a,0x47,0x34,0x74,0xf2, + 0xf1,0x3f,0x06,0xf9,0x7c,0x20,0xd5,0x8c, + 0xc3,0xf5,0x4b,0x8b,0xd0,0xd2,0x72,0xf4, + 0x2b,0x69,0x5d,0xd7,0xe8,0x9a,0x8c,0x22 +}, { + 0xed,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f, + 0x45,0x4d,0x37,0x0c,0x8d,0x9f,0xc3,0x23, + 0xa4,0x14,0x50,0xf8,0xd5,0x13,0xea,0xfe, + 0xb5,0xb0,0x69,0x73,0x90,0xc1,0xe5,0x05, + 0xa0,0xd4,0xdd,0xc7,0x1f,0x56,0x66,0x07 +}, { + 0xed,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f, + 0x08,0x4d,0x5b,0x99,0xc2,0xa9,0x46,0x3d, + 0x9c,0x8b,0xd5,0x02,0x69,0x16,0x99,0x69, + 0x84,0xee,0xec,0x87,0xdd,0xf1,0xd3,0xbe, + 0x32,0x90,0x06,0xac,0xe1,0xb3,0x7b,0x09 }}; template<> const bool Tests::eddsa_prehashed[] = { @@ -917,6 +1075,16 @@ template<> const bool Tests::eddsa_prehashed[] = { false, true, false, + false, + false, + false, + false, + false, + false, + false, + false, + false, + false, false }; template<> const Block Tests::eddsa_sk[] = { @@ -926,7 +1094,19 @@ template<> const Block Tests::eddsa_sk[] = { Block(ed25519_eddsa_sk[3],32), Block(ed25519_eddsa_sk[4],32), Block(ed25519_eddsa_sk[4],32), - Block(NULL,0) + // https://eprint.iacr.org/2020/1244.pdf + // These tests don't have an associated private key + // In many cases the public key is malformed + Block(NULL,0), + Block(NULL,0), + Block(NULL,0), + Block(NULL,0), + Block(NULL,0), + Block(NULL,0), + Block(NULL,0), + Block(NULL,0), + Block(NULL,0), + Block(NULL,0), }; template<> const Block Tests::eddsa_pk[] = { Block(ed25519_eddsa_pk[0],32), @@ -934,7 +1114,18 @@ template<> const Block Tests::eddsa_pk[] = { Block(ed25519_eddsa_pk[2],32), Block(ed25519_eddsa_pk[3],32), Block(ed25519_eddsa_pk[4],32), - Block(ed25519_eddsa_pk[4],32) + Block(ed25519_eddsa_pk[4],32), + // https://eprint.iacr.org/2020/1244.pdf + Block(ed25519_eddsa_pk[5],32), + Block(ed25519_eddsa_pk[5],32), + Block(ed25519_eddsa_pk[6],32), + Block(ed25519_eddsa_pk[7],32), + Block(ed25519_eddsa_pk[7],32), + Block(ed25519_eddsa_pk[7],32), + Block(ed25519_eddsa_pk[8],32), + Block(ed25519_eddsa_pk[8],32), + Block(ed25519_eddsa_pk[6],32), + Block(ed25519_eddsa_pk[6],32) }; template<> const Block Tests::eddsa_context[] = { EdDSA::NO_CONTEXT(), @@ -942,7 +1133,18 @@ template<> const Block Tests::eddsa_context[] = { EdDSA::NO_CONTEXT(), Block(NULL,0), Block(ed25519_eddsa_context[0],3), - Block(ed25519_eddsa_context[1],3) + Block(ed25519_eddsa_context[1],3), + // https://eprint.iacr.org/2020/1244.pdf + EdDSA::NO_CONTEXT(), + EdDSA::NO_CONTEXT(), + EdDSA::NO_CONTEXT(), + EdDSA::NO_CONTEXT(), + EdDSA::NO_CONTEXT(), + EdDSA::NO_CONTEXT(), + EdDSA::NO_CONTEXT(), + EdDSA::NO_CONTEXT(), + EdDSA::NO_CONTEXT(), + EdDSA::NO_CONTEXT() }; template<> const Block Tests::eddsa_message[] = { Block(ed25519_eddsa_message[0],0), @@ -950,7 +1152,18 @@ template<> const Block Tests::eddsa_message[] = { Block(ed25519_eddsa_message[2],2), Block(ed25519_eddsa_message[3],3), Block(ed25519_eddsa_message[4],16), - Block(ed25519_eddsa_message[4],16) + Block(ed25519_eddsa_message[4],16), + // https://eprint.iacr.org/2020/1244.pdf + Block(ed25519_eddsa_message[5],32), + Block(ed25519_eddsa_message[6],32), + Block(ed25519_eddsa_message[7],32), + Block(ed25519_eddsa_message[6],32), + Block(ed25519_eddsa_message[8],32), + Block(ed25519_eddsa_message[8],32), + Block(ed25519_eddsa_message[9],32), + Block(ed25519_eddsa_message[9],32), + Block(ed25519_eddsa_message[10],32), + Block(ed25519_eddsa_message[11],32) }; template<> const Block Tests::eddsa_sig[] = { Block(ed25519_eddsa_sig[0],64), @@ -958,5 +1171,37 @@ template<> const Block Tests::eddsa_sig[] = { Block(ed25519_eddsa_sig[2],64), Block(ed25519_eddsa_sig[3],64), Block(ed25519_eddsa_sig[4],64), - Block(ed25519_eddsa_sig[5],64) + Block(ed25519_eddsa_sig[5],64), + // https://eprint.iacr.org/2020/1244.pdf + Block(ed25519_eddsa_sig[6],64), + Block(ed25519_eddsa_sig[7],64), + Block(ed25519_eddsa_sig[8],64), + Block(ed25519_eddsa_sig[9],64), + Block(ed25519_eddsa_sig[10],64), + Block(ed25519_eddsa_sig[11],64), + Block(ed25519_eddsa_sig[12],64), + Block(ed25519_eddsa_sig[13],64), + Block(ed25519_eddsa_sig[14],64), + Block(ed25519_eddsa_sig[15],64) +}; +template<> const bool Tests::eddsa_verify_should_succeed[] = { + true, + true, + true, + true, + true, + true, + // https://eprint.iacr.org/2020/1244.pdf + // Note that passing the first two means we conform + // to RFC 8032, but sigs are malleable for the zero-key + true, + true, + true, + true, + true, + true, + false, + false, + false, + false };