From 7052e4733fdb48aa0a09d9897ece7f695478b9ee Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Mon, 8 Nov 2021 14:31:14 +0100
Subject: [PATCH] H2C: Y should be negative is gx1 is a square
Fixes #1119
---
src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c | 2 +-
test/default/core_ed25519_h2c.exp | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
index 9e0825d1..e6d6c42f 100644
--- a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+++ b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
@@ -2739,7 +2739,7 @@ ge25519_from_hash(unsigned char s[32], const unsigned char h[64])
 fe25519_reduce64(fe_f, h);
 ge25519_elligator2(x, y, fe_f, ¬square);
- y_sign = notsquare;
+ y_sign = notsquare ^ 1;
 fe25519_neg(negy, y);
 fe25519_cmov(y, negy, fe25519_isnegative(y) ^ y_sign);
diff --git a/test/default/core_ed25519_h2c.exp b/test/default/core_ed25519_h2c.exp
index 8ccaa0ad..040a839e 100644
--- a/test/default/core_ed25519_h2c.exp
+++ b/test/default/core_ed25519_h2c.exp
@@ -1,3 +1,3 @@
-NU with oversized context: 998ca2fdd0ade350cb6c279173dfd4a6a42f46ca5c2928871aacff60c1654663
-RO with oversized context: 5ed4ae2ab665a7a9543f6e9887dc8f8f68a7720fdf32b971f3be71d9c9549f74
+NU with oversized context: 998ca2fdd0ade350cb6c279173dfd4a6a42f46ca5c2928871aacff60c16546e3
+RO with oversized context: 5ed4ae2ab665a7a9543f6e9887dc8f8f68a7720fdf32b971f3be71d9c9549ff4
 OK
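Review bot: `y_sign = notsquare ^ 1;` inverts the flag correctly only if `ge25519_elligator2` writes exactly 0 or 1 into `notsquare`, and nothing in the hunk states that contract or the sign convention the line now implements. Because the value is XORed into the selector passed to `fe25519_cmov`, a short comment above the assignment would keep a later edit from flipping it back, e.g. `/* y is negative iff gx1 is a square; notsquare is 0 or 1 */`. A wrong sign presumably still yields a valid point, so a regression here would surface only as an interoperability mismatch with other hash-to-curve implementations, not as an error. The body of `ge25519_from_hash` starts and ends outside the hunk.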
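Review bot: The two changed lines are regenerated outputs for the oversized-context cases, so on their own they confirm only that the code agrees with itself after the fix. Whether the test program behind this file also compares against independently published known-answer vectors is not visible here. If it does not, adding one NU and one RO vector taken from the specification would pin the sign convention this commit corrects.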