Feat/sig bounds

[ThomasPiellard]

Description

Ensures s < r/2 in ecdsa

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How has this been tested?

See test suite ECDSA

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

---

Note

Enforces s <= (order-1)/2 across ECDSA sign/verify/serialization for all supported curves, updates errors/tests, and enhances docs/comments (SEC 1, BIP-62).

• ECDSA core:
  • Ensure Sign outputs canonical signatures by normalizing s to <= (order-1)/2.
  • In Verify, reject non-canonical signatures with errSBiggerThanHalfRMod.
  • Add/clarify docs for hashing behavior, truncation, and references to SEC 1 and BIP-62.
• Serialization (SetBytes):
  • Change s bounds check from < order to <= (order-1)/2; introduce errSBiggerThanHalfRMod.
• SignForRecover (secp256k1, bn254, stark-curve, secp256r1):
  • Loop until s <= (order-1)/2; set v initialization explicitly.
• Tests:
  • Update non-malleability tests to expect errSBiggerThanHalfRMod and adjust S_overflow construction.
• Codegen templates:
  • Propagate low-s enforcement, verify checks, error names, comments, and tests across generator templates.

^{Written by Cursor Bugbot for commit 5116cf4. This will update automatically on new commits. Configure here.}

[cursor]

🚨 Bugbot Trial Expired

Your team's Bugbot trial has expired. Please contact your team administrator to turn on the paid plan to continue using Bugbot.

A team admin can activate the plan in the Cursor dashboard.

[Copilot]

Pull Request Overview

This PR implements ECDSA signature malleability protection by enforcing the constraint s < r/2, which prevents signature malleability attacks where an adversary can create a second valid signature for the same message by negating the s component.

• Updated error messages and validation logic to check s > r_mod/2 instead of s >= r_mod
• Modified signing functions to ensure generated signatures satisfy s < r/2
• Added verification checks to reject signatures with s > r/2

Reviewed Changes

Copilot reviewed 33 out of 33 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
internal/generator/ecdsa/template/marshal.go.tmpl	Template for signature validation - updated to check s > r_mod/2
internal/generator/ecdsa/template/ecdsa.test.go.tmpl	Template for malleability tests - updated test expectations
internal/generator/ecdsa/template/ecdsa.go.tmpl	Template for signing/verification - added s < r/2 enforcement
ecc/*/ecdsa/marshal.go	Generated files with updated validation logic
ecc/*/ecdsa/ecdsa_test.go	Generated test files with updated expectations
ecc/*/ecdsa/ecdsa.go	Generated signing/verification with malleability protection

Comments suppressed due to low confidence (1)

internal/generator/ecdsa/template/ecdsa.go.tmpl:152

• Using 'order' variable which may not be defined in this context. Should use 'frMod' instead to be consistent with the existing validation logic.

		y = y.Sub(fp.Modulus(), y)

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[ivokub]

LGTM!

Although I need to see how it affects gnark gadgets. I think in some tests we are trying to generate signature with large s. I'll see how to resolve that. Lets wait with merge until it is confirmed.