EdDSA no longer accepts all zero signatures
This fixes the critical vulnerability in commit
e4cbf84384ffdce194895078c88680be0c341d76 (compute signatures in
Montgomery space (faster)), somewhere between versions 0.8 and 1.0, and
detected by the tests in the parent commit.
The fix basically reverts the optimisation, effectively halving the
performance of EdDSA.
It appears the conversion to Montgomery space and back didn't handle
every edge case correctly. That optimisation will be re-introduced once
the issue has been fully understood. This will probably require expert
advice.
projects / Monocypher.git / commit