git.codecow.com Git - Monocypher.git/commit

author	Loup Vaillant <loup@loup-vaillant.fr>
	Sat, 14 Jul 2018 16:16:42 +0000 (18:16 +0200)
committer	Loup Vaillant <loup@loup-vaillant.fr>
	Sat, 14 Jul 2018 17:27:30 +0000 (19:27 +0200)
commit	d23b00916f922e84a2ec34731d83e37045852917
tree	81d6c08ad7f1ab4352b7f6f86143a72cab3b44c4	tree \| snapshot
parent	a41408b63aabca6d5058b684da664f9c75fc4430	commit \| diff

Restored EdDSA optimisation

The one that was removed for version 2.0.4, because a bogus special
cases caused it to accept forged signature (a big fat vulnerability).

To avoid the vulnerability, this optimisation is only used for signing
and public key generation.  Those never multiply the base point by zero,
and as such should not hit any nasty special case.  More specifically:

- Public key generation works the same as X25519: the scalar is trimmed
  before it is multiplied by the base point.
- Signing multiplies the base point by a nonce, which by construction is
  a random number between 1 and L-1 (L is the order of the curve).

External scrutiny will be needed to confirm this is safe.

Note: signing is now even faster than it was, because multiplying by a
known point (the base point) lets us avoid a conversion and a division.

Related to #101