[cryptography] reject ed25519 signatures with non-canonical S at decode time#3532
Open
0xAysh wants to merge 3 commits intocommonwarexyz:mainfrom
Open
[cryptography] reject ed25519 signatures with non-canonical S at decode time#35320xAysh wants to merge 3 commits intocommonwarexyz:mainfrom
0xAysh wants to merge 3 commits intocommonwarexyz:mainfrom
Conversation
cronokirby
added
the
breaking-format
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
ed25519::Signature::read_cfgaccepted any 64-byte sequence without validation. A signature with S >= l (the ed25519 group order) would decode successfully but fail verification later. This is inconsistent with the rest of the codebase:ed25519::PublicKey::read_cfgcallsVerificationKey::try_from— validates the compressed Edwards point at decode timesecp256r1::Signature::read_cfgcallsp256::ecdsa::Signature::from_slice— validates R and S at decode timeed25519::Signature::read_cfg— previously did nothing beyond confirming 64 bytes were presentNon-canonical S values introduce signature malleability: two different byte sequences (S and S mod l) decode to logically equivalent signatures since verification reduces S mod l. In adversarial environments this matters — a valid signature can be transformed into a "different" one that also passes verification.
Fix
Add a canonicality check for S (bytes 32..63 of the signature) in
read_cfg. S must be in [0, l-1] where:The check compares S against l byte-by-byte from the most significant byte down (required because S is stored little-endian — index 0 is the LSB, so Rust's default lexicographic array comparison would be incorrect here).
The
ed25519_consensuslibrary does not expose standalone signature validation without a message, so the R component (bytes 0..31) cannot be validated at decode time without adding a dependency oncurve25519-dalek. Only S canonicality is checkable, which is the primary malleability concern.Tests
test_high_s_rejected_at_decode: S with high bit set (S >= 2^255 >> l)test_s_equal_to_l_rejected_at_decode: S == l exactly (boundary — valid range is [0, l-1])test_s_above_l_rejected_at_decode: S == l+1Closes #1070