ed25519: switch to cofactored verification

Author: jedisct1

src/ed25519.rs

@@ -228,22 +228,20 @@ impl VerifyingState {
 
     /// Verifies the signature and return it.
     pub fn verify(&self) -> Result<(), Error> {
+        let mut expected_r_bytes = [0u8; 32];
+        expected_r_bytes.copy_from_slice(&self.signature[0..32]);
+        let expected_r =
+            GeP3::from_bytes_vartime(&expected_r_bytes).ok_or(Error::InvalidSignature)?;
         let s = &self.signature[32..64];
 
         let mut hash = self.hasher.finalize();
         sc_reduce(&mut hash);
 
-        let r = GeP2::double_scalarmult_vartime(hash.as_ref(), self.a, s);
-        if r.to_bytes()
-            .as_ref()
-            .iter()
-            .zip(self.signature.iter())
-            .fold(0, |acc, (x, y)| acc | (x ^ y))
-            != 0
-        {
-            Err(Error::SignatureMismatch)
-        } else {
+        let r: GeP3 = GeP2::double_scalarmult_vartime(hash.as_ref(), self.a, s).into();
+        if (expected_r - r).has_small_order() {
             Ok(())
+        } else {
+            Err(Error::SignatureMismatch)
         }
     }
 }

src/edwards25519.rs

@@ -70,6 +70,17 @@ impl GeP1P1 {
     }
 }
 
+impl From<GeP2> for GeP3 {
+    fn from(p: GeP2) -> GeP3 {
+        GeP3 {
+            x: p.x,
+            y: p.y,
+            z: p.z,
+            t: p.x * p.y,
+        }
+    }
+}
+
 impl GeP2 {
     fn zero() -> GeP2 {
         GeP2 {
@@ -79,15 +90,6 @@ impl GeP2 {
         }
     }
 
-    pub fn to_bytes(&self) -> [u8; 32] {
-        let recip = self.z.invert();
-        let x = self.x * recip;
-        let y = self.y * recip;
-        let mut bs = y.to_bytes();
-        bs[31] ^= (if x.is_negative() { 1 } else { 0 }) << 7;
-        bs
-    }
-
     fn dbl(&self) -> GeP1P1 {
         let xx = self.x.square();
         let yy = self.y.square();
@@ -208,9 +210,9 @@ impl GeP3 {
 
         let vxx = x.square() * v;
         let check = vxx - u;
-        if check.is_nonzero() {
+        if !check.is_zero() {
             let check2 = vxx + u;
-            if check2.is_nonzero() {
+            if !check2.is_zero() {
                 return None;
             }
             x = x * FE_SQRTM1;
@@ -273,6 +275,31 @@ impl GeP3 {
         bs[31] ^= (if x.is_negative() { 1 } else { 0 }) << 7;
         bs
     }
+
+    pub fn has_small_order(&self) -> bool {
+        let recip = self.z.invert();
+        let x = self.x * recip;
+        let y = self.y * recip;
+        let x_neg = x.neg();
+        let y_sqrtm1 = y * FE_SQRTM1;
+        x.is_zero() | y.is_zero() | (y_sqrtm1 == x) | (y_sqrtm1 == x_neg)
+    }
+}
+
+impl Add<GeP3> for GeP3 {
+    type Output = GeP3;
+
+    fn add(self, other: GeP3) -> GeP3 {
+        (self + other.to_cached()).to_p3()
+    }
+}
+
+impl Sub<GeP3> for GeP3 {
+    type Output = GeP3;
+
+    fn sub(self, other: GeP3) -> GeP3 {
+        (self - other.to_cached()).to_p3()
+    }
 }
 
 impl Add<GeCached> for GeP3 {

src/field25519.rs

@@ -596,8 +596,8 @@ impl Fe {
         z_255_21
     }
 
-    pub fn is_nonzero(&self) -> bool {
-        self.to_bytes().iter().fold(0, |acc, x| acc | x) != 0
+    pub fn is_zero(&self) -> bool {
+        self.to_bytes().iter().fold(0, |acc, x| acc | x) == 0
     }
 
     pub fn is_negative(&self) -> bool {

src/x25519.rs

@@ -132,7 +132,7 @@ impl PublicKey {
         Fe::cswap2(&mut x2, &mut x3, &mut z2, &mut z3, swap);
         z2 = z2.invert();
         x2 = x2 * z2;
-        if !x2.is_nonzero() {
+        if x2.is_zero() {
             return Err(Error::WeakPublicKey);
         }
         Ok(x2.to_bytes())
@@ -248,7 +248,7 @@ impl KeyPair {
     pub fn generate() -> KeyPair {
         let mut sk = [0u8; SecretKey::BYTES];
         getrandom::getrandom(&mut sk).expect("getrandom");
-        if !Fe::from_bytes(&sk).is_nonzero() {
+        if Fe::from_bytes(&sk).is_zero() {
             panic!("All-zero secret key");
         }
         let sk = SecretKey(sk);