Signed sliding windows can overflow the initial scalar by one bit. This
is not a problem when the scalar is reduced modulo L, which is smaller
than 2^253. The second half of the signature however is controlled by
the attacker, and can be any value.
Legitimate signatures however always reduce modulo L. They don't really
have to, but this helps with determinism, and enables test vectors. So
we can safely reject any signature whose second half exceeds L.
This patch rejects anything above 2^253-1, thus guaranteeing that the
three most significant bits are cleared. This eliminate s-malleability
in most cases, but not all. Besides, there is still nonce malleability.
Users should still assume signatures are malleable.
projects / Monocypher.git / commit