jedisct1 / libsodium

A modern, portable, easy to use crypto library.
https://libsodium.org

Rejection of non-prime order points in Ed25519. #969

Closed armfazh closed 4 years ago

armfazh commented 4 years ago

The function ge25519_has_small_order verifies whether the encoded point is in the low-order group. However, how does one prevent the input point from having a non-prime order, say 2r, 4r or 8r?

jedisct1 commented 4 years ago

crypto_core_ed25519_is_valid_point() also multiplies the point by the order of the main subgroup (ge25519_mul_l()).

The only purpose of the ge25519_has_small_order() function is to mitigate side channel attacks in case the scalarmult code happens not to be constant time.

jedisct1 commented 4 years ago

And applications generally don't have to explicitly call crypto_core_ed25519_is_valid_point(), as the checks are also unconditionally made when unclamped scalar multiplications are made.

jedisct1 commented 4 years ago

You may have noticed that is_valid_point() and scalarmult() check for points of order 1/2/4/8 prior to checking that the point is in the right group.

This is not really necessary; checking for the neutral element would be enough. But it is very cheap and may occasionally save a few cycles by preventing the multiplication.

There is no unchecked variant of unclamped scalar multiplication in the public API.
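The three checks described in this thread (on the curve, not of small order, multiplied by the subgroup order L gives the neutral element), written out as an added Python example. This is not libsodium's code: it uses plain integer affine arithmetic, variable-time double-and-add, and its own function names (`has_small_order`, `is_valid_point`, `scalar_mult`) that only echo the ones discussed above. It constructs the base point B and an order-8 torsion point T8 from the curve parameters of RFC 8032, then shows why the small-order check alone is not enough: B + T8 has order 8L, is on the curve and is not a small-order point, yet L times it is not the identity, so only the `mul_l` step rejects it.

```python
# Ed25519 group-membership checks (added example, not libsodium's implementation).
# Affine coordinates over GF(p), Python integers, NOT constant time: for illustration only.
P = 2**255 - 19                                         # field prime
D = (-121665 * pow(121666, -1, P)) % P                  # curve constant d (RFC 8032)
L = 2**252 + 27742317777372353535851937790883648493     # order of the prime-order subgroup
SQRT_M1 = pow(2, (P - 1) // 4, P)                       # sqrt(-1): 2 is a non-residue since p = 5 mod 8
IDENTITY = (0, 1)                                       # neutral element of the twisted Edwards curve


def sqrt_mod_p(a):
    """Square root in GF(p) for p = 5 mod 8, or None if a is a non-residue."""
    a %= P
    b = pow(a, (P + 3) // 8, P)                         # b^2 is either a or -a
    if b * b % P == a:
        return b
    if b * b % P == (-a) % P:
        return b * SQRT_M1 % P
    return None


def on_curve(pt):
    """-x^2 + y^2 = 1 + d x^2 y^2 (a = -1)."""
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(p1, p2):
    """Complete twisted Edwards addition; denominators never vanish because d is a non-square."""
    x1, y1 = p1
    x2, y2 = p2
    k = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + k, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, -1, P) % P
    return (x3, y3)


def scalar_mult(n, pt):
    """Left-to-right double-and-add (variable time, so it leaks n; fine for a demo)."""
    acc = IDENTITY
    for bit in bin(n)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def base_point():
    """B = (x, 4/5) with x even, as specified in RFC 8032."""
    y = 4 * pow(5, -1, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = sqrt_mod_p(x2)
    return (x if x % 2 == 0 else P - x, y)


def order8_point():
    """A point T with 2T = (+-sqrt(-1), 0), which has order 4, so T has order 8.
    Doubling yields y = 0 exactly when x^2 = -y^2; on the curve that means d y^4 + 2 y^2 - 1 = 0."""
    disc = sqrt_mod_p(1 + D)
    inv_d = pow(D, -1, P)
    for y2 in ((-1 + disc) * inv_d % P, (-1 - disc) * inv_d % P):
        y = sqrt_mod_p(y2)
        if y is None:
            continue
        x = sqrt_mod_p(-y2)          # -1 is a square mod p, so this root exists whenever y does
        return (x, y)
    raise ValueError("no order-8 point found")   # unreachable for Ed25519 (cofactor 8)


def has_small_order(pt):
    """True for the 8-torsion: orders 1, 2, 4 and 8 (the cheap early check from the thread)."""
    return scalar_mult(8, pt) == IDENTITY


def is_valid_point(pt):
    """Echo of the checks described above: on the curve, not small order, killed by L."""
    if not on_curve(pt):
        return False
    if has_small_order(pt):          # also rejects the identity, saving the big multiplication
        return False
    return scalar_mult(L, pt) == IDENTITY


def demo():
    """B passes; T8 fails the small-order check; B + T8 (order 8L) is only caught by mul_l."""
    B = base_point()
    T8 = order8_point()
    mixed = add(B, T8)
    return {
        "B": is_valid_point(B),
        "T8": is_valid_point(T8),
        "B+T8": is_valid_point(mixed),
        "B+T8 passes small-order check": not has_small_order(mixed),
        "L*(B+T8) == L*T8": scalar_mult(L, mixed) == scalar_mult(L, T8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows `B: True`, `T8: False`, `B+T8: False` while `B+T8 passes small-order check: True`, which is the situation the first comment asks about: a point of order 8r is neither the identity nor a low-order point, and the multiplication by L is what rejects it. Since L is odd, L*(B + T8) equals L*T8, a non-trivial torsion point rather than the neutral element.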