Closed daira closed 3 years ago
I'm inclined not to make this change for the R points in Ed25519 and RedDSA signatures; only for other points. For both Ed25519 as defined by ZIP 215 and RedDSA, the consequences of the non-canonical encoding are straightforward to analyse, and do not result in any known or likely security weakness. In particular the proof of strong unforgeability (therefore nonmalleability) still holds, because the original encoding of R is an input to the internal hash function.
I don't think that this was the original intent for Ed25519 points; there is no clear intent in the reference implementation and the intent for ZIP 215 is explicitly to allow these points. Without some further rationale about why the point representations should be changed again, I don't think this is a good idea.
This is written.
@hdevalence: the validation of Ed25519 signatures is not changed relative to ZIP 215.
Exclude the non-canonical encodings of Jubjub
and Ed25519 points (0, ±1) with ũ = 1 from all point representations in transactions. This was the original intent (for Jubjub), but is not enforced by the current implementations. This change would be targeted for NU5.
ZIP stub: https://zips.z.cash/zip-0216
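The following is an added worked example of the Jubjub encoding check the issue describes; it is not code from zcash/zips, librustzcash or any other Zcash implementation. The curve parameters (the base field modulus and d = -(10240/10241)) and the encoding layout (255-bit little-endian v with the parity of u in bit 255) are taken from the Zcash protocol specification; everything else, including the `strict` flag and the way the lenient path models the behaviour the issue attributes to current implementations, is an assumption made for illustration. The points (0, 1) and (0, -1) are exactly the ones whose u-coordinate is zero, so the sign-fix-up "negate u if its parity does not match ũ" is a no-op there and a decoder that only negates will accept an encoding with ũ = 1 even though u mod 2 is 0.

```python
# Added example (not Zcash project code). Demonstrates why the encodings of the
# Jubjub points (0, ±1) with ũ = 1 are non-canonical, how a lenient decoder
# accepts them, and how the ZIP 216 rule rejects them.
from typing import Optional, Tuple

# Jubjub base field modulus (the BLS12-381 scalar field order), from the Zcash spec.
R = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001
# Jubjub twisted Edwards coefficient d = -(10240/10241) mod R; a = -1.
D = (-10240 * pow(10241, -1, R)) % R


def sqrt_mod(n: int) -> Optional[int]:
    """Tonelli-Shanks square root in F_R (R - 1 = 2^32 * odd). None if n is a non-residue."""
    n %= R
    if n == 0:
        return 0
    if pow(n, (R - 1) // 2, R) != 1:
        return None
    q, s = R - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2  # find any quadratic non-residue
    while pow(z, (R - 1) // 2, R) != R - 1:
        z += 1
    m, c, t, root = s, pow(z, q, R), pow(n, q, R), pow(n, (q + 1) // 2, R)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % R
            i += 1
        b = pow(c, 1 << (m - i - 1), R)
        m, c = i, b * b % R
        t, root = t * c % R, root * b % R
    return root


def encode(u: int, v: int) -> bytes:
    """reprJ: 32 bytes, little-endian v in the low 255 bits, ũ = u mod 2 in bit 255."""
    return (v | ((u & 1) << 255)).to_bytes(32, "little")


def decode(b: bytes, strict: bool) -> Optional[Tuple[int, int]]:
    """abstJ with two policies.

    strict=False models the lenient behaviour the issue describes: the decoder
    negates u when its parity disagrees with ũ, which is a no-op for u == 0, so
    the encoding of (0, ±1) with ũ = 1 is accepted.
    strict=True applies the ZIP 216 rule: the recovered u must actually have
    parity ũ, which rejects exactly those two non-canonical encodings.
    """
    x = int.from_bytes(b, "little")
    u_tilde, v = x >> 255, x & ((1 << 255) - 1)
    if v >= R:
        return None  # v not reduced mod R: already non-canonical under existing rules
    v2 = v * v % R
    denom = (1 + D * v2) % R
    if denom == 0:
        return None  # cannot happen for a complete Edwards curve, kept as a guard
    u2 = (v2 - 1) * pow(denom, -1, R) % R  # from -u^2 + v^2 = 1 + d u^2 v^2
    u = sqrt_mod(u2)
    if u is None:
        return None  # not on the curve
    if u & 1 != u_tilde:
        u = (-u) % R  # pick the root with the requested parity; no-op when u == 0
    if strict and u & 1 != u_tilde:
        return None  # only reachable for u == 0 with ũ == 1: (0, ±1) encoded non-canonically
    return (u, v)


def non_canonical_zero_u_encodings() -> Tuple[bytes, bytes]:
    """The two encodings ZIP 216 excludes: (0, 1) and (0, -1) with ũ = 1."""
    return (
        (1 | (1 << 255)).to_bytes(32, "little"),
        ((R - 1) | (1 << 255)).to_bytes(32, "little"),
    )


if __name__ == "__main__":
    for enc in non_canonical_zero_u_encodings():
        print(enc.hex(), "lenient:", decode(enc, strict=False), "strict:", decode(enc, strict=True))
```

The canonical encodings of the same two points (ũ = 0) decode under both policies, and for any point with u ≠ 0 flipping bit 255 simply selects the other root, so the strict rule changes the outcome only for the two encodings the issue lists.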