pq-crystals / dilithium


Fault injection #3

Closed dis2 closed 6 years ago

dis2 commented 6 years ago

This adds a fault injection test, flipping random bits in signatures. During testing, I've discovered signatures can reference invalid memory.

Surprisingly enough, these references made the appearing forgeries more frequent, roughly by a factor of 2. I have no idea what's going on, but simply checking for out-of-bounds access doesn't hurt in sig_unpack().

For the curious reader: this scheme and others similar to it are by definition malleable, as they will accept random bit mutations with relative ease.

gregorseiler commented 6 years ago

Thank you very much for reporting this. In addition to limiting the offsets, I have now pushed a change that strictly enforces our bit-packed encoding of signatures and eliminates all ambiguities so that we have strong unforgeability at this level now.
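The two points raised in this thread, a bit-flip fault campaign exposing an out-of-bounds read in the hint decoder and a strict decoder that admits only one encoding per hint, can be reproduced on a small model. The block below is an added example written for this page, not code from the dilithium repository; its parameters (K, N, OMEGA), the byte layout (OMEGA index bytes followed by K cumulative count bytes) and the function names are assumptions loosely modelled on the reference code's hint packing, not the project's actual constants or API. The lenient decoder trusts the count byte as an index, so a corrupted count reads past the buffer (an IndexError here, an invalid memory reference in C); the strict decoder range-checks counts, requires strictly increasing indices and zero padding, and therefore rejects every non-canonical encoding.

```python
import random

# Constructed toy parameters (assumption, not the project's constants):
# K polynomials of N coefficients, at most OMEGA hint positions in total.
K, N, OMEGA = 4, 256, 80
HINT_BYTES = OMEGA + K


def pack_hint(positions):
    """Pack a hint as OMEGA index bytes followed by K cumulative count bytes.
    positions: K lists of coefficient indices in [0, N). No validation on
    purpose, so non-canonical encodings can be built for the demo below."""
    buf = bytearray(HINT_BYTES)
    k = 0
    for i in range(K):
        for idx in positions[i]:
            buf[k] = idx
            k += 1
        buf[OMEGA + i] = k            # cumulative count after polynomial i
    assert k <= OMEGA
    return bytes(buf)


def unpack_hint_lenient(buf):
    """Decoder with no range checks (the 'before' behaviour): the count byte
    is used directly as an index into buf, so a corrupted count reads past
    the end. Returns K lists of 0/1 coefficients."""
    polys = [[0] * N for _ in range(K)]
    k = 0
    for i in range(K):
        for j in range(k, buf[OMEGA + i]):
            polys[i][buf[j]] = 1
        k = buf[OMEGA + i]
    return polys


def unpack_hint_strict(buf):
    """Decoder enforcing one canonical encoding: counts non-decreasing and
    at most OMEGA, indices strictly increasing within a polynomial, unused
    index bytes zero. Returns None on any deviation."""
    if len(buf) != HINT_BYTES:
        return None
    polys = [[0] * N for _ in range(K)]
    k = 0
    for i in range(K):
        count = buf[OMEGA + i]
        if count < k or count > OMEGA:
            return None               # bounds check before any indexing
        for j in range(k, count):
            if j > k and buf[j] <= buf[j - 1]:
                return None           # duplicate or unsorted index
            polys[i][buf[j]] = 1
        k = count
    if any(buf[j] != 0 for j in range(k, OMEGA)):
        return None                   # trailing padding must be zero
    return polys


def flip_random_bits(buf, nbits, rng):
    """Fault model: flip nbits uniformly chosen bits of buf."""
    out = bytearray(buf)
    for _ in range(nbits):
        pos = rng.randrange(len(out) * 8)
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def fault_campaign(buf, trials, rng, unpack):
    """Flip one random bit per trial and tally how the decoder reacts."""
    tally = {"accepted": 0, "rejected": 0, "out_of_bounds": 0}
    for _ in range(trials):
        try:
            result = unpack(flip_random_bits(buf, 1, rng))
        except IndexError:
            tally["out_of_bounds"] += 1
            continue
        tally["accepted" if result is not None else "rejected"] += 1
    return tally


def reads_out_of_bounds(unpack, buf):
    """Constructed targeted fault: set the top bit of the first count byte
    and report whether the decoder indexes past the buffer."""
    faulty = bytearray(buf)
    faulty[OMEGA] |= 0x80
    try:
        unpack(bytes(faulty))
    except IndexError:
        return True
    return False


def ambiguity_demo():
    """Three byte strings the lenient decoder maps to one hint (duplicate
    index, non-zero padding); only the canonical one survives strict decoding."""
    canonical = pack_hint([[3, 7], [0], [], [250]])
    duplicate = pack_hint([[3, 7, 7], [0], [], [250]])
    padded = bytearray(canonical)
    padded[OMEGA - 1] = 0x55          # garbage in unused index byte
    padded = bytes(padded)
    lenient = unpack_hint_lenient
    return {
        "lenient_collides": lenient(canonical) == lenient(duplicate) == lenient(padded),
        "strict_accepts_canonical": unpack_hint_strict(canonical) == lenient(canonical),
        "strict_rejects_duplicate": unpack_hint_strict(duplicate) is None,
        "strict_rejects_padded": unpack_hint_strict(padded) is None,
    }


if __name__ == "__main__":
    rng = random.Random(1)
    sig = pack_hint([[3, 7], [0], [], [250]])
    for name, fn in (("lenient", unpack_hint_lenient), ("strict", unpack_hint_strict)):
        print(name, fault_campaign(sig, 2000, rng, fn))
    print("ambiguity:", ambiguity_demo())
```

Running the campaign against both decoders shows the shape of the original report: the lenient decoder produces out-of-bounds reads on a share of single-bit faults and silently accepts many others, while the strict decoder never indexes outside the buffer and rejects everything that is not the canonical encoding, which is what removes the encoding-level malleability.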