Closed (CedarMist closed 2 hours ago)
This is probably a question for @Yawning, I would assume that the Rust implementation is consistent with the Go one. But note that changing any of this is very likely consensus-breaking.
Am still digging into this, will update notes above.
I'm going to close this ticket for now, but it was worth making a note of.
Re: https://github.com/oasisprotocol/oasis-core/blob/b0e6bc88be7a3fe051ea1d35b06e8d33691d5aec/runtime/src/common/crypto/signature.rs#L123-L128
https://github.com/oasisprotocol/oasis-core/blob/b0e6bc88be7a3fe051ea1d35b06e8d33691d5aec/runtime/src/common/crypto/signature.rs#L173
Note that the ed25519-dalek verify_strict method doesn't use cofactored verification: https://github.com/dalek-cryptography/ed25519-dalek/blob/02001d8c3422fb0314b541fdb09d04760f7ab4ba/src/verifying.rs#L349
From my notes:
Are we sure that we want to use cofactored verification? Under normal circumstances signing libraries will never produce signatures outside of the main subgroup.
I feel that ed25519_dalek::verify_strict could be used unless there are compelling reasons. The comments in Oasis signature.rs are confusing and don't specify the intent for allowing signature malleability by using cofactored verification. ADR-009 does though: https://github.com/oasisprotocol/adrs/blob/5acd39c3491e72bb6692818641f8585b54783ae2/0009-ed25519-semantics.md?plain=1#L68C1-L79C12
https://eprint.iacr.org/2020/1244.pdf provides more insight.
Essentially, providing a batch signature to a cofactorless verification routine will fail.
ADR-064 specifies block validation by batching signatures.
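To make the cofactored/cofactorless difference concrete, here is an added illustration (my own code, not oasis-core or ed25519-dalek): a minimal pure-Python Ed25519 in affine coordinates whose verifier can apply either equation. The torsion=True signer adds the order-2 point to R, the kind of vector the cited paper uses; the cofactored check accepts it while the cofactorless check rejects it, which is exactly the inconsistency that makes mixing the two flavours consensus-relevant. All function names, the seed and the messages are constructed for the example.

```python
import hashlib

# Ed25519 constants (RFC 8032): field prime p, group order q, curve parameter d.
p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, p - 2, p)) % p
def H(*parts):  # SHA-512 of the concatenation, as a little-endian integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")
def add(P, Q):  # affine twisted-Edwards point addition (complete law, a = -1)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1*y2 + x2*y1) * pow(1 + t, p - 2, p) % p,
            (y1*y2 + x1*x2) * pow(1 - t, p - 2, p) % p)

def mul(k, P):  # double-and-add scalar multiplication
    R = (0, 1)
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R
def decode(b):  # compressed 32-byte point -> affine point, None if not on the curve
    y = int.from_bytes(b, "little"); sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= p: return None
    x2 = (y*y - 1) * pow(d*y*y + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x*x - x2) % p: x = x * pow(2, (p - 1) // 4, p) % p
    if (x*x - x2) % p: return None
    return (p - x if (x & 1) != sign else x, y)
def encode(P): return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
B = decode(((4 * pow(5, p - 2, p)) % p).to_bytes(32, "little"))  # base point, even x
T2 = (0, p - 1)  # the order-2 torsion point; 2*T2 (and so 8*T2) is the identity
def keypair(seed):  # RFC 8032 derivation: clamped scalar a, nonce prefix, public key A
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:], encode(mul(a, B))
def sign(seed, msg, torsion=False):
    # torsion=True adds T2 to R (constructed test case, as in the cited paper): the
    # signature is well-formed, but only the cofactored verification equation accepts it.
    a, prefix, A = keypair(seed)
    r = H(prefix, msg) % q
    R = encode(add(mul(r, B), T2) if torsion else mul(r, B))
    S = (r + (H(R, A, msg) % q) * a) % q
    return A, R + S.to_bytes(32, "little")
def verify(A_bytes, sig, msg, cofactored):
    A, R, S = decode(A_bytes), decode(sig[:32]), int.from_bytes(sig[32:], "little")
    if A is None or R is None or S >= q: return False
    lhs, rhs = mul(S, B), add(R, mul(H(sig[:32], A_bytes, msg) % q, A))
    if cofactored: lhs, rhs = mul(8, lhs), mul(8, rhs)  # [8]S*B == [8]R + [8]k*A
    return lhs == rhs                                   # cofactorless: S*B == R + k*A
```

Affine arithmetic with a field inversion per addition is slow and not constant-time; this is only meant to show the two verification equations side by side.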