FuelLabs / fuel-specs

📝 Specifications for the Fuel protocol and the FuelVM, a blazingly fast blockchain VM.
https://fuellabs.github.io/fuel-specs/master
Apache License 2.0

change ed19 verify operator, to comply with ed spec #600

Closed luizstacio closed 3 months ago

luizstacio commented 3 months ago

When using EdDSA (Ed25519) to verify a signature, the payload is not limited to 32 bytes.

After merging, notify other teams

Dentosal commented 3 months ago

This seems completely incorrect. The ED19 "payload" is a message hash, typically SHA-256. Using the instruction with a non-hashed value is cryptographically unsound. The payload is not hashed again by the instruction. To use ED19 with a message of any size, you must first hash it, typically using the S256 instruction to do so.
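An added example (not code from fuel-specs or either commenter) in Go, using only the standard library's crypto/ed25519 and crypto/sha256, to show the interaction described above: the verifier is handed a fixed 32-byte digest as the M in H(R ‖ A ‖ M) and never hashes again, so the signer must hash first; a signature produced over the raw message does not verify against the digest, and a signature over the digest does not verify against the raw message. The 32-byte operand check, the key material and the sample payload are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample payload, deliberately longer than 32 bytes.
var payload = []byte("constructed transaction payload that is longer than thirty-two bytes")

// signDigest is what a signer must do for an ED19-style verifier:
// hash the message with SHA-256 and sign the 32-byte digest, not the message.
func signDigest(priv ed25519.PrivateKey, msg []byte) ([32]byte, []byte) {
	digest := sha256.Sum256(msg)
	return digest, ed25519.Sign(priv, digest[:])
}

// verifyED19Style models the ED19 operator as the thread describes it: the
// "payload" operand is a 32-byte value fed straight into Ed25519 verification
// (it becomes M in H(R || A || M)) and is never hashed by the verifier itself.
// The explicit length check is this example's assumption about the operand.
func verifyED19Style(pub ed25519.PublicKey, payload32, sig []byte) bool {
	if len(payload32) != 32 || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, payload32, sig)
}

// Demo returns (digestOK, rawPayloadOK, rawSigOK):
//   digestOK     - signature over the digest, verified against the digest (true)
//   rawPayloadOK - same signature, verifier handed the raw message (false)
//   rawSigOK     - signer signed the raw message, verifier handed the digest (false)
func Demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	digest, sig := signDigest(priv, payload)
	digestOK := verifyED19Style(pub, digest[:], sig)
	rawPayloadOK := verifyED19Style(pub, payload, sig)
	// A signer that skips the hash step (signs the raw message) produces a
	// signature the digest-based verifier cannot accept: the two must agree.
	sigOverRaw := ed25519.Sign(priv, payload)
	rawSigOK := verifyED19Style(pub, digest[:], sigOverRaw)
	return digestOK, rawPayloadOK, rawSigOK
}

func main() {
	d, r, s := Demo()
	fmt.Printf("digest/digest=%v raw payload=%v raw-signed vs digest=%v\n", d, r, s)
}
```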

luizstacio commented 3 months ago

@Dentosal

https://en.wikipedia.org/wiki/EdDSA on Signature verification

$$ H(R \parallel A \parallel M) A $$

From my understanding, the message is required by the algorithm to be able to perform the hash during validation. Forcing the message to be hashed is not an option, as you can't control the environment where the signature is going to happen, e.g. wallets.