From 28f6c3e280c421d56228038e9b60ea3281079a58 Mon Sep 17 00:00:00 2001 From: Loup Vaillant Date: Sat, 11 Aug 2018 18:19:35 +0200 Subject: [PATCH] Reduced EdDSA malleability for sliding windows Signed sliding windows can overflow the initial scalar by one bit. This is not a problem when the scalar is reduced modulo L, which is smaller than 2^253. The second half of the signature however is controlled by the attacker, and can be any value. Legitimate signatures however always reduce modulo L. They don't really have to, but this helps with determinism, and enables test vectors. So we can safely reject any signature whose second half exceeds L. This patch rejects anything above 2^253-1, thus guaranteeing that the three most significant bits are cleared. This eliminate s-malleability in most cases, but not all. Besides, there is still nonce malleability. Users should still assume signatures are malleable. --- src/monocypher.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/monocypher.c b/src/monocypher.c index dd9a078..851fab6 100644 --- a/src/monocypher.c +++ b/src/monocypher.c @@ -1926,7 +1926,8 @@ int crypto_check_final(crypto_check_ctx *ctx) u8 h_ram[64], R_check[32]; u8 *s = ctx->sig + 32; // s u8 *R = ctx->sig; // R - if (ge_frombytes_neg_vartime(&A, ctx->pk)) { // -A + if (ge_frombytes_neg_vartime(&A, ctx->pk) || // -A + (s[31] & 224) != 0) { // reduce malleability for the sliding windows return -1; } HASH_FINAL(&ctx->hash, h_ram); -- 2.47.3
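Review bot: The mask test `(s[31] & 224) != 0` in the crypto_check_final hunk only rejects s >= 2^253, so any s in the range [L, 2^253) still passes and stays malleable, which the message itself concedes; if canonical-s enforcement as in RFC 8032 section 5.1.7 is the goal, replace the mask with a little-endian comparison of all 32 bytes of s against L (2^252 + 27742317777372353535851937790883648493) and reject s >= L, which also covers the sliding-window overflow case. If the partial check is kept on purpose, the inline comment should say so rather than "reduce malleability for the sliding windows", e.g. `// s < 2^253: top three bits clear (not a full s < L check)`, and writing the mask as 0xE0 makes the three-bit intent obvious. Since the commit message mentions test vectors, this change should come with a test: a valid signature whose s has any of bits 253..255 set must make crypto_check_final return -1, and an s in [L, 2^253) should be exercised as well so the accepted gap is documented by the test suite.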