usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

EDDSA/sigVer test vectors are always for pureEdDSA even with preHash=true #268

Closed naogot closed 12 months ago

naogot commented 1 year ago

environment: Demo

testSessionId: 413264

vsId: 1688669

Algorithm registration

"registration": {
    "isSample": true,
    "algorithms": [
        {
            "algorithm": "EDDSA",
            "revision": "1.0",
            "mode": "sigVer",
            "curve": [
                "ED-25519"
            ],
            "pure": false,
            "preHash": true
        }
    ]
}

Endpoint in which the error is experienced: https://demo.acvts.nist.gov/acvp/v1/

Expected behavior: According to the expected results, the signature verification should be successful in tcId:5, but it failed. When I tried to process it as pureEdDSA (overwriting it as "preHash": false), the verification succeeded.

"tgId": 1,
"testType": "AFT",
"curve": "ED-25519",
"preHash": true,
"tests": [
    {
        "tcId": 5,
        "message": "CF5BA1E5E1064CDCDDBCF640F9FFD6653AFC0668F6ED84F03096BD8DD643CB87B61CD428A49145AD5A057B74E8978C1F404296C1499BE3A483467726B4A6E15830DFD8851E16A7D1BD5004D9920736A7BD7134B79BFC668EA2F33E4C6303FD5EDE0D7C1F3F4A9074FA32BEB02A8598C292DA2AB105BF65ADFE17D0AF8BA1037C",
        "q": "BFBC0F10DDA703607499866836A82FFEE1211FB654BD8AD49B492C165257F5E7",
        "signature": "A42325A4D9FE3E4C90EBDF4BB432B8DE6A5573B566C8358E1715EFFB46D3997E14B89D52DC017E3B6783463727858C2124CC4767EFD7C5D5008ADEA72365B90C"

Additional context: Not sure if it is really related, but the following code does not care about _param.PreHash (it is handled as false by the default parameter). https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/src/orleans/src/NIST.CVP.ACVTS.Libraries.Orleans.Grains/Eddsa/OracleObserverEddsaVerifySignatureCaseGrain.cs

    var result = edDsa.Sign(domainParams, key, message);

livebe01 commented 1 year ago

Thanks @naogot. Received. We'll take a look.

celic commented 1 year ago

Edit: Removed other text. I thought EdDSA pre-hash would be similar to the signature component (pre-hash) options for ECDSA. The code we have implemented is identical to FIPS 186-5. Turns out hashEdDSA still expects an arbitrary bitstring message that is immediately hashed, and the digest is used for the signature generation steps.

@naogot if I drop a vector set here for Ed25519, would you be able to test it out?
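Added example (not code from ACVP-Server or from any commenter in this thread): a minimal Ed25519 verifier that checks the tcId 5 vector posted above both as pure Ed25519 and as Ed25519ph, where the whole message is hashed with SHA-512 first and the dom2 prefix is added. It follows RFC 8032 and assumes an empty Ed25519ph context; the function and constant names are this example's own.

```python
import hashlib

P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point
D = -121665 * pow(121666, P - 2, P) % P                # curve constant d
DOM2_PH = b"SigEd25519 no Ed25519 collisions" + bytes([1, 0])  # dom2(1, empty ctx)

def add(a, b):  # extended-coordinate addition, RFC 8032 section 5.1.4
    A, B = (a[1] - a[0]) * (b[1] - b[0]) % P, (a[1] + a[0]) * (b[1] + b[0]) % P
    C, Z = 2 * a[3] * b[3] * D % P, 2 * a[2] * b[2] % P
    E, F, G, H = B - A, Z - C, Z + C, B + A
    return (E * F % P, G * H % P, F * G % P, E * H % P)

def mul(s, pt):
    acc = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            acc = add(acc, pt)
        pt, s = add(pt, pt), s >> 1
    return acc

def decompress(enc):
    y = int.from_bytes(enc, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    if y >= P or (x * x - x2) % P or (x == 0 and sign):
        return None
    x = x if (x & 1) == sign else P - x
    return (x, y, 1, x * y % P)

BASE = decompress(bytes.fromhex("58" + "66" * 31))

def verify(q, msg, sig, prehash):
    # prehash=False is pure Ed25519; prehash=True is Ed25519ph with an empty context.
    A, R, s = decompress(q), decompress(sig[:32]), int.from_bytes(sig[32:], "little")
    if len(q) != 32 or len(sig) != 64 or A is None or R is None or s >= L:
        return False
    prefix, m = (DOM2_PH, hashlib.sha512(msg).digest()) if prehash else (b"", msg)
    h = int.from_bytes(hashlib.sha512(prefix + sig[:32] + q + m).digest(), "little") % L
    lhs, rhs = mul(s, BASE), add(R, mul(h, A))
    return all((lhs[i] * rhs[2] - rhs[i] * lhs[2]) % P == 0 for i in (0, 1))

# tcId 5 exactly as posted in the issue above.
MSG = bytes.fromhex("CF5BA1E5E1064CDCDDBCF640F9FFD6653AFC0668F6ED84F03096BD8DD643CB87B61CD428A49145AD5A057B74E8978C1F404296C1499BE3A483467726B4A6E15830DFD8851E16A7D1BD5004D9920736A7BD7134B79BFC668EA2F33E4C6303FD5EDE0D7C1F3F4A9074FA32BEB02A8598C292DA2AB105BF65ADFE17D0AF8BA1037C")
Q = bytes.fromhex("BFBC0F10DDA703607499866836A82FFEE1211FB654BD8AD49B492C165257F5E7")
SIG = bytes.fromhex("A42325A4D9FE3E4C90EBDF4BB432B8DE6A5573B566C8358E1715EFFB46D3997E14B89D52DC017E3B6783463727858C2124CC4767EFD7C5D5008ADEA72365B90C")
```

Calling `verify(Q, MSG, SIG, prehash=False)` and `verify(Q, MSG, SIG, prehash=True)` reproduces the mismatch reported in the issue: the vector was labelled preHash but only verifies as pure Ed25519.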

celic commented 1 year ago

EdDSA SigVer.zip

naogot commented 1 year ago

Thank you so much, @celic. Our result is consistent with expectedResults.json in the zip.

celic commented 1 year ago

Thanks. I'll make sure this goes into the next release.

livebe01 commented 1 year ago

The fix for this is on Demo in release v1.1.0.30

naogot commented 1 year ago

Thanks a lot, it is working fine.

livebe01 commented 12 months ago

The fix for this is on Prod in release v1.1.0.30