
Optimisation to succeed fast when checking signature scalar is reduced.

This provides a minor optimisation for ed25519 signature verification, when used
without the -DED25519_COMPAT feature, for the strict check that the scalar
component `s` is fully reduced. In variable time, it first checks that the most
significant *four* bits are unset, and only if any of them are set proceeds to
the `sc25519_is_canonical` check, which performs the full reduction. This should
result in succeeding fast for the check on roughly half of all well-formed,
canonicalised signatures.

This is safely backwards compatible with the previous implementation
of strict checking for signature scalars.
This commit is contained in:
Isis Lovecruft 2019-10-11 21:51:03 +00:00
parent c638d25583
commit 6136871607
No known key found for this signature in database
GPG Key ID: AB41313533E8E812


@ -28,8 +28,11 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
return -1;
}
#else
if (sc25519_is_canonical(sig + 32) == 0 ||
ge25519_has_small_order(sig) != 0) {
if (sig[63] & 240 &&
sc25519_is_canonical(sig + 32) == 0) {
return -1;
}
if (ge25519_has_small_order(sig) != 0) {
return -1;
}
if (ge25519_is_canonical(pk) == 0 ||
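Review bot: The shortcut on the new line `if (sig[63] & 240 &&` rests on an invariant the code does not state: it is sound only because the group order L is larger than 2^252, so a scalar whose top four bits are clear is already below L and needs no full comparison, while the decimal `240` hides that this is a top-nibble mask. Suggest a comment above the condition such as `/* s < 2^252 < L whenever the top nibble of sig[63] is clear, so the full canonical check is only needed otherwise; s is public input, so variable time here is acceptable */`, and writing the test as `if ((sig[63] & 0xf0) != 0 &&` so the bit mask and the `&`/`&&` grouping read unambiguously. The enclosing function `_crypto_sign_ed25519_verify_detached` begins and ends outside the hunk.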