Commit | Line | Data |
---|---|---|
accdbbc9 MW |
1 | ### Local tests for Ed25519 |
2 | ||
3 | verify { | |
4 | ## Check that noncanonical scalars are rejected. The base test is repeated | |
5 | ## from the main suite; let s be the scalar part of the signature, and ℓ be | |
6 | ## the curve order. The negative test has s' = s + ℓ < 2^254, so the value | |
7 | ## fits. | |
8 | 74d29127f199d86a8676aec33b4ce3f225ccb191f52c191ccd1e8cca65213a6b | |
9 | bd8e05033f3a8bcdcbf4beceb70901c82e31 | |
10 | fbe929d743a03c17910575492f3092ee2a2bf14a60a3fcacec74a58c7334510fc262db582791322d6c8c41f1700adb80027ecabc14270b703444ae3ee7623e0a | |
11 | 0; | |
12 | 74d29127f199d86a8676aec33b4ce3f225ccb191f52c191ccd1e8cca65213a6b | |
13 | bd8e05033f3a8bcdcbf4beceb70901c82e31 | |
14 | fbe929d743a03c17910575492f3092ee2a2bf14a60a3fcacec74a58c7334510faf36d1b541f44485422939944f04ba95027ecabc14270b703444ae3ee7623e1a | |
15 | -1; | |
16 | ||
17 | ## OK, so this is a massive cheat, but otherwise testing that out-of-range | |
18 | ## coordinates are rejected is really hard. Pick A = (0, 1), which is the | |
19 | ## identity in E. Then n A = A for all n; in particular, H(R, A, M) A = A | |
20 | ## for any choice of R and M. Furthermore, R = R + H(R, A, M) A for any R. | |
21 | ## Let's pick R = A = (0, 1), because that seems to be working out for us. | |
22 | ## Then s P = R + H(R, A, M) A exactly when s = 0 (mod ℓ). | |
23 | ## | |
24 | ## This is obviously a really daft choice of public key for security, | |
25 | ## because the following is a completely general-purpose signature for all | |
26 | ## messages. | |
27 | ## | |
28 | ## Why bother, you ask? Well, because (0, 1) is one of the few points | |
29 | ## which has a redundant representation. So we can use this to check that | |
30 | ## we're correctly rejecting signatures which aren't in normal form. | |
31 | 0100000000000000000000000000000000000000000000000000000000000000 | |
32 | 416c6c2d707572706f7365207369676e6174757265210a | |
33 | 01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |
34 | 0; | |
35 | eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f | |
36 | 416c6c2d707572706f7365207369676e6174757265210a | |
37 | 01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |
38 | -1; | |
39 | 0100000000000000000000000000000000000000000000000000000000000000 | |
40 | 416c6c2d707572706f7365207369676e6174757265210a | |
41 | eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0000000000000000000000000000000000000000000000000000000000000000 | |
42 | -1; | |
43 | } |
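
The normal-form checks these vectors exercise, as an added Python example; it is not code from the project this test file belongs to, and the function and constant names are hypothetical. It assumes the standard Ed25519 parameters p = 2^255 - 19 and ℓ from RFC 8032, and does range checks only, with no signature verification.

```python
# Added example: range checks on Ed25519 encodings (names here are hypothetical).
P = 2**255 - 19                                      # field prime p
L = 2**252 + 0x14def9dea2f79cd65812631a5cf5d3ed      # group order ℓ

def y_in_range(enc: bytes) -> bool:
    """True if the 255-bit y field of a point encoding is already reduced mod p.
    Range check only: does not test curve membership or the x = 0 sign-bit case."""
    y = int.from_bytes(enc, "little") & ((1 << 255) - 1)  # bit 255 is the sign of x
    return y < P

def check_encodings(pub: bytes, sig: bytes) -> str:
    """Return 'ok', or the name of the first field that is not in normal form."""
    if len(pub) != 32 or len(sig) != 64:
        return "length"
    if not y_in_range(pub):
        return "A"
    if not y_in_range(sig[:32]):
        return "R"
    if int.from_bytes(sig[32:], "little") >= L:
        return "s"
    return "ok"

h = bytes.fromhex
# Vectors copied from the test file above (message omitted: not needed here).
PUB = h("74d29127f199d86a8676aec33b4ce3f225ccb191f52c191ccd1e8cca65213a6b")
R = h("fbe929d743a03c17910575492f3092ee2a2bf14a60a3fcacec74a58c7334510f")
S_GOOD = h("c262db582791322d6c8c41f1700adb80027ecabc14270b703444ae3ee7623e0a")
S_BAD = h("af36d1b541f44485422939944f04ba95027ecabc14270b703444ae3ee7623e1a")
IDENT = h("01" + "00" * 31)             # y = 1, canonical encoding of (0, 1)
IDENT_ALT = h("ee" + "ff" * 30 + "7f")  # y = p + 1, same point, not reduced
SIG_ZERO = IDENT + bytes(32)            # R = (0, 1), s = 0

def results() -> list:
    """Run the five vectors in file order."""
    return [check_encodings(PUB, R + S_GOOD),
            check_encodings(PUB, R + S_BAD),
            check_encodings(IDENT, SIG_ZERO),
            check_encodings(IDENT_ALT, SIG_ZERO),
            check_encodings(IDENT, IDENT_ALT + bytes(32))]

if __name__ == "__main__":
    print(results())   # ['ok', 's', 'ok', 'A', 'R']
```

The five results follow the file's order: each `ok` corresponds to an expected result of `0`, and each named field to a `-1`.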