Reduced EdDSA malleability for sliding windows

Signed sliding windows can overflow the initial scalar by one bit.  This
is not a problem when the scalar is reduced modulo L, which is smaller
than 2^253.  The second half of the signature however is controlled by
the attacker, and can be any value.

Legitimate signatures however always reduce modulo L.  They don't really
have to, but this helps with determinism, and enables test vectors.  So
we can safely reject any signature whose second half exceeds L.

This patch rejects anything above 2^253-1, thus guaranteeing that the
three most significant bits are cleared.  This eliminate s-malleability
in most cases, but not all.  Besides, there is still nonce malleability.

Users should still assume signatures are malleable.

diff --git a/src/monocypher.c b/src/monocypher.c
index dd9a078f665cdf6505a2ed84e762a21d5b4c29b3..851fab63bc8901c34ef0345a928a13e1c1d79689 100644 (file)
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -1926,7 +1926,8 @@ int crypto_check_final(crypto_check_ctx *ctx)
     u8 h_ram[64], R_check[32];
     u8 *s = ctx->sig + 32;                       // s
     u8 *R = ctx->sig;                            // R
-    if (ge_frombytes_neg_vartime(&A, ctx->pk)) { // -A
+    if (ge_frombytes_neg_vartime(&A, ctx->pk) || // -A
+        (s[31] & 224) != 0) { // reduce malleability for the sliding windows
         return -1;
     }
     HASH_FINAL(&ctx->hash, h_ram);