Closed armfazh closed 4 years ago
`crypto_core_ed25519_is_valid_point()` also multiplies the point by the order of the main subgroup (`ge25519_mul_l()`).

The only purpose of the `ge25519_has_small_order()` function is to mitigate side channel attacks in case the scalarmult code happens not to be constant time. And applications generally don't have to explicitly call `crypto_core_ed25519_is_valid_point()`, as the checks are also unconditionally made when unclamped scalar multiplications are made.

You may have noticed that `is_valid_point()` and `scalarmult()` check for points of order 1/2/4/8 prior to checking that the point is in the right group. This is not really necessary; checking for the neutral element would be enough. But it is very cheap and may occasionally save a few cycles by preventing the multiplication.
There is no unchecked variant of unclamped scalar multiplication in the public API.
The function `ge25519_has_small_order` verifies whether the encoded point is in the low-order group. However, how does one prevent the input point from having a non-prime order, say 2r, 4r, 8r?
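The question asks how a point of order 2r, 4r or 8r gets rejected, and the reply explains that the small-order blacklist is only a cheap shortcut and that the real check is the multiplication by the subgroup order (`ge25519_mul_l()`). The following is an added example, not code from this issue or from libsodium: a pure-Python model of the Ed25519 group that builds a point S of order 8, forms B + S, B + 2S and B + 4S (orders 8L, 4L and 2L), and runs both checks on them. It assumes affine (x, y) coordinates instead of the 32-byte encodings libsodium works on, models the blacklist lookup as 8P = O, uses a plain non-constant-time double-and-add, and the names `check_point`, `has_small_order` and `order8_point` are mine, not libsodium's.

```python
# Added example (not libsodium's code): pure-Python Ed25519 group arithmetic used to
# show what the checks discussed in the thread do. Points are affine (x, y) pairs,
# not 32-byte encodings, so the encoding/decoding step of the real library is skipped.
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime-order subgroup
SQRT_M1 = pow(2, (p - 1) // 4, p)                      # sqrt(-1) mod p
IDENTITY = (0, 1)                                      # neutral element


def sqrt_mod_p(a):
    """Square root mod p (p = 5 mod 8), or None if a is not a square."""
    a %= p
    r = pow(a, (p + 3) // 8, p)
    if (r * r - a) % p:
        r = r * SQRT_M1 % p
    return r if (r * r - a) % p == 0 else None


def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0


def add(P, Q):
    """Complete twisted-Edwards addition (a = -1); also serves as doubling."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)


def mul(k, P):
    """Plain double-and-add scalar multiplication (not constant time; demo only)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


# Standard base point B: y = 4/5, x the even root of the curve equation.
By = 4 * pow(5, -1, p) % p
Bx = sqrt_mod_p((By * By - 1) * pow(d * By * By + 1, -1, p))
if Bx & 1:
    Bx = p - Bx
BASE = (Bx, By)


def order8_point():
    """Construct a point S of order 8. 2S must have y = 0, which forces
    y^2 = -x^2 and d*x^4 - 2*x^2 - 1 = 0, i.e. x^2 = (1 +/- sqrt(1 + d)) / d."""
    s = sqrt_mod_p(1 + d)
    for x2 in ((1 + s) * pow(d, -1, p) % p, (1 - s) * pow(d, -1, p) % p):
        x = sqrt_mod_p(x2)
        if x is not None:
            return (x, SQRT_M1 * x % p)
    raise AssertionError("no order-8 point found")  # cannot happen on Ed25519


def has_small_order(P):
    """libsodium compares the encoding against a blacklist of the 8-torsion points;
    mathematically that is the same as 8*P == identity (modeled that way here)."""
    return mul(8, P) == IDENTITY


def check_point(P):
    """Same order of checks as described for crypto_core_ed25519_is_valid_point():
    on-curve, then the cheap small-order shortcut, then L*P == identity."""
    if not on_curve(P):
        return "invalid: not on curve"
    if has_small_order(P):
        return "invalid: small order"
    if mul(L, P) != IDENTITY:
        return "invalid: not in the prime-order subgroup"
    return "ok"


if __name__ == "__main__":
    S = order8_point()
    print("S (order 8):", check_point(S))
    for k in (1, 2, 4):  # B + k*S has order 8L, 4L, 2L respectively
        Q = add(BASE, mul(k, S))
        print(f"B + {k}S: small order? {has_small_order(Q)};", check_point(Q))
    print("B:", check_point(BASE))
```

B + kS never hits the blacklist (8(B + kS) = 8B is not the identity), so the small-order test alone would accept it; it is the multiplication by L that rejects it, because L(B + kS) = kLS is a non-trivial torsion point (L is odd, so it is coprime to 8).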