Comments (7)
I put some commits here: https://github.com/chain/curve25519-dalek/tree/optimized_scalar that remove the masking of the high 3 bits, so that the unpacked scalar types (Scalar32 / Scalar64
) treat the bytes of a Scalar
as a 256-bit integer. I also added a fuzzer.
It seems like there's a problem with the Scalar64
code. The test vectors are in this test: https://github.com/chain/curve25519-dalek/commit/94ef56ad230ec680ba69907bab77ccaf40903660
from curve25519-dalek.
Aside from hating the clamping and masking and Ed25519 managing to use 3 different convoluted types of scalars (clamped partial hash, masked but unreduced, and reduced from hash)..
Maybe have a Scalar::clamp() method that clamps & (doesn't reduce! doesn't!) the scalar bytes (which would cover Ed25519/Curve25519), and a Scalar::mask() method that clears the top 3 bits and returns if they were non-zero (which covers Ed25519 signatures)?
The Scalar64 bug is very embarrassing, from_bytes_wide initializes words as [064; 16] instead of [0u64; 8]. 064 seems to just be parsed as 64 as well, no warnings about octal or possible mistyped constant?
from curve25519-dalek.
I don't think that clamping/masking really makes sense in the Ristretto case, where you have a genuine prime-order group, which should probably be the focus for curve25519-dalek
. So I think the thing to do in curve25519-dalek
is to treat a Scalar
as a 256-bit integer representing an integer mod l
and providing a Scalar::reduce()
method that reduces the Scalar
mod l
(to produce the canonical representative).
Since the clamping, masking, etc. is not compatible with doing arithmetic (because it's not well-defined mod l
), maybe it should be kept out of curve25519-dalek
and left in protocol-specific ed25519-dalek
, x25519-dalek
crates?
from curve25519-dalek.
Since the clamping, masking, etc. is not compatible with doing arithmetic (because it's not well-defined
mod l
), maybe it should be kept out ofcurve25519-dalek
and left in protocol-specificed25519-dalek
,x25519-dalek
crates?
Yeah, the clamping and masking isn't the most elegant. As mentioned, it's breaking the (so far, implicit) contract on what exactly a scalar is, and it produces bias in the keys. So, I'm in full agreement that if a protocol is designed to do something that hideous it should stay in the protocol's implementation (and preferably in a manner which doesn't encourage anyone to repeat the behaviour!).
I reverted the revert of floodyberry's code in my optimzed_scalar_r1
, which also includes:
- a fix for the typo,
- the fuzz tests that caught it,
- more unittests, and
- removes some code for operations which have no effect (i.e. masking a integer which cannot possibly exceed the mask size).
Probably we still need better documentation on scalar behaviour? Opinions, @hdevalence?
from curve25519-dalek.
I would like to rearrange some of the scalar behaviour and documentation to better align it with the Ristretto use-case, but that could be in a later issue during other refactoring...
from curve25519-dalek.
Okay, sounds good. I'll merge the working branch here so that we have @floodyberry's improvements, and the docs can happen when we move stuff around.
from curve25519-dalek.
Merged for 0.13.x.
from curve25519-dalek.
Related Issues (20)
- `curve25519_dalek::SubgroupPoint`: missing traits
- Build fails on nightly-2024-02-05 HOT 2
- Crate fails with `nightly-2024-02-06` HOT 3
- How to check a VerifyingKey point is within the prime order subgroup HOT 3
- Support NIST validation criteria for Edwards points HOT 2
- ed25519: support PKCS#8 v1 (for OpenSSL interop)? HOT 2
- Use of unstable library feature 'stdsimd HOT 6
- Use of unstable library feature 'stdsimd' HOT 3
- Incorrect use of cfg to import dependency HOT 1
- docs.rs homepage examples use `rand_core` crate option, but do not mention its existence HOT 2
- [docs request] how to serialize a public key in the format compatible with `~/.ssh/authorized_keys`? HOT 2
- AVX512-IFMA & AVX10 status
- curve25519: nightly CI seems borked w/ warn(unused_imports)
- Impl std::num_traits::{One, Zero} for Scalar types
- Zeroize `SecretKey` on drop HOT 5
- Potential optimization for the torsion check HOT 1
- 4.1.3 release? HOT 4
- Implementation of ed25519-dalek::VerifyingKey::verify_strict seemingly inconsistent with documentation
- Verifying signatures using ZIP215 criteria
- Hard to use API for raw_sign_prehashed, I want to pass a 64 byte message hash HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from curve25519-dalek.