
ed25519 signature malleability test like ed25519-dalek verify_strict #471

Merged (1 commit), Jun 16, 2023

Conversation

@llamb-jump (Contributor) commented Jun 14, 2023

Test for ed25519 signature malleability like ed25519-dalek verify_strict by checking if the signature piece R and public key are small order.

A point is small order if [n]P=I where n is the order of the group (8 in our case for the torsion group) and I is the identity for the group.

Useful references:
fd_ed25519_ge_p3_mul_by_pow_2 and dalek equivalent
fd_ed25519_ge_p3_is_identity and dalek equivalent
https://slowli.github.io/ed25519-quirks/wildcards/
https://slowli.github.io/ed25519-quirks/
dalek-cryptography/ed25519-dalek#20

benchmark comparison between main and this PR (fd_ed25519_verify, all lines from src/ballet/ed25519/test_ed25519.c(27), run 06-14 20:39; throughput in K calls/s/core, latency in ns/call):

case           main K/s/core  main ns/call    pr K/s/core   pr ns/call
good 128            17.608     56791.434        17.389     57508.484
good 256            17.785     56226.066        17.656     56638.809
good 384            17.770     56275.703        17.529     57049.043
good 512            17.681     56557.023        17.506     57122.336
good 640            17.798     56187.418        17.566     56927.047
good 768            17.455     57290.918        17.197     58151.117
good 896            17.411     57434.637        17.249     57975.500
good 1024           16.620     60170.008        16.401     60972.090
bad sig 128        178.530      5601.302       179.431      5573.184
bad sig 256       1449.674       689.810      1451.715       688.840
bad sig 384        471.037      2122.975       466.126      2145.340
bad sig 512       4903.891       203.920      4846.128       206.350
bad sig 640        140.069      7139.333       138.520      7219.197
bad sig 768       1543.936       647.695      1532.110       652.695
bad sig 896        149.980      6667.558       151.251      6611.521
bad sig 1024       324.162      3084.875       321.037      3114.910
bad msg 128         16.559     60388.754        16.385     61032.285
bad msg 256         16.593     60267.148        16.401     60971.691
bad msg 384         16.502     60596.992        16.247     61551.082
bad msg 512         16.482     60673.770        16.181     61800.895
bad msg 640         16.483     60670.168        16.212     61681.145
bad msg 768         16.472     60707.793        16.125     62017.387
bad msg 896         16.279     61430.371        16.021     62416.574
bad msg 1024        16.549     60427.000        16.287     61397.754
bad pub 128         28.649     34905.223        28.226     35428.320
bad pub 256         28.112     35571.828        27.615     36212.273
bad pub 384         27.928     35806.211        27.601     36229.992
bad pub 512         28.243     35406.707        27.864     35888.969
bad pub 640         27.855     35900.234        27.539     36312.457
bad pub 768         27.760     36023.332        27.337     36579.934
bad pub 896         27.853     35902.480        27.366     36541.645
bad pub 1024        27.654     36160.793        27.302     36627.520
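The small-order test the PR description above refers to, written out as an added example; this is not Firedancer's or ed25519-dalek's code, and the function names (decode_point, mul_by_cofactor, is_small_order, reject_malleable) and the sample encodings are constructed for this illustration. The check is "is [8]P the identity (0, 1)?", where 8 is the cofactor of the curve, i.e. the order of the torsion subgroup in which every small-order point lives. The example uses Python big ints and affine twisted-Edwards formulas, which is fine here because the inputs (R and the public key) are public and not secret-dependent; a production implementation such as Firedancer's ge_p3 code works in extended coordinates instead. The S < l check in reject_malleable is the standard RFC 8032 scalar check and is included for completeness; the PR text itself only describes the small-order tests on R and the public key.

```python
# Added example (not Firedancer's or ed25519-dalek's code): the
# "[8]P == identity" small-order test for encoded Ed25519 points, plus a
# verify_strict-style pre-check on a signature and public key. Names and
# sample inputs below are constructed for this illustration.

P_MOD = 2**255 - 19                                        # field prime
D = (-121665 * pow(121666, -1, P_MOD)) % P_MOD             # curve constant d = -121665/121666
SQRT_M1 = pow(2, (P_MOD - 1) // 4, P_MOD)                  # sqrt(-1) mod p (2 is a non-residue, p = 5 mod 8)
L_ORDER = 2**252 + 27742317777372353535851937790883648493   # prime-order subgroup size l
IDENTITY = (0, 1)                                          # neutral element of the Edwards group


def decode_point(enc: bytes):
    """Decode a 32-byte compressed point per RFC 8032 section 5.1.3.
    Returns affine (x, y), or None if the encoding is non-canonical or not on the curve."""
    if len(enc) != 32:
        return None
    y = int.from_bytes(enc, "little")
    x_sign = y >> 255                                      # top bit carries the parity of x
    y &= (1 << 255) - 1
    if y >= P_MOD:                                         # non-canonical y: reject
        return None
    u = (y * y - 1) % P_MOD                                # x^2 = u / v with
    v = (D * y * y + 1) % P_MOD                            #   u = y^2 - 1, v = d*y^2 + 1
    x = (u * pow(v, 3, P_MOD) * pow(u * pow(v, 7, P_MOD), (P_MOD - 5) // 8, P_MOD)) % P_MOD
    vx2 = (v * x * x) % P_MOD
    if vx2 == (-u) % P_MOD:                                # candidate was sqrt of -u/v: fix up with sqrt(-1)
        x = (x * SQRT_M1) % P_MOD
    elif vx2 != u:
        return None                                        # u/v has no square root: not a curve point
    if x == 0 and x_sign == 1:
        return None                                        # x = 0 with the sign bit set is invalid
    if (x & 1) != x_sign:
        x = P_MOD - x
    return (x, y)


def add(p1, p2):
    """Affine twisted Edwards addition with a = -1 (the Ed25519 curve)."""
    x1, y1 = p1
    x2, y2 = p2
    k = (D * x1 * x2 * y1 * y2) % P_MOD
    x3 = (x1 * y2 + x2 * y1) * pow((1 + k) % P_MOD, -1, P_MOD) % P_MOD
    y3 = (y1 * y2 + x1 * x2) * pow((1 - k) % P_MOD, -1, P_MOD) % P_MOD
    return (x3, y3)


def mul_by_cofactor(pt):
    """[8]P by three doublings, the affine analogue of a mul-by-2^3 routine."""
    for _ in range(3):
        pt = add(pt, pt)
    return pt


def is_small_order(pt) -> bool:
    """True iff P lies in the torsion subgroup, i.e. [8]P is the identity."""
    return mul_by_cofactor(pt) == IDENTITY


def reject_malleable(sig: bytes, pubkey: bytes):
    """verify_strict-style pre-checks on a 64-byte signature (R || S) and a 32-byte key.
    Returns None if the inputs pass, otherwise a string naming the rejected component.
    This is only the malleability filter, not the full verification equation."""
    if len(sig) != 64:
        return "bad signature length"
    r_enc, s_enc = sig[:32], sig[32:]
    if int.from_bytes(s_enc, "little") >= L_ORDER:         # RFC 8032 scalar check (added for completeness)
        return "S not reduced mod l"
    r_pt = decode_point(r_enc)
    if r_pt is None:
        return "R not a canonical curve point"
    if is_small_order(r_pt):
        return "R is small order"
    a_pt = decode_point(pubkey)
    if a_pt is None:
        return "public key not a canonical curve point"
    if is_small_order(a_pt):
        return "public key is small order"
    return None


# Constructed sample encodings (little-endian y with the x sign bit on top).
BASE_POINT = bytes.fromhex("5866666666666666666666666666666666666666666666666666666666666666")  # B, order l
ORDER_1_POINT = bytes([1]) + bytes(31)                     # y = 1: the identity (0, 1)
ORDER_2_POINT = bytes.fromhex("ec" + "ff" * 30 + "7f")     # y = -1: the point (0, -1)
ORDER_4_POINT = bytes(32)                                  # y = 0, x = sqrt(-1): order 4
NONCANONICAL_Y = bytes.fromhex("ed" + "ff" * 30 + "7f")    # y = p: must be rejected on decode

if __name__ == "__main__":
    for name, enc in [("identity", ORDER_1_POINT), ("order 2", ORDER_2_POINT),
                      ("order 4", ORDER_4_POINT), ("base point", BASE_POINT)]:
        print(name, "small order:", is_small_order(decode_point(enc)))
    print("R small order ->", reject_malleable(ORDER_2_POINT + bytes(32), BASE_POINT))
    print("A small order ->", reject_malleable(BASE_POINT + bytes(32), ORDER_4_POINT))
    print("honest inputs ->", reject_malleable(BASE_POINT + bytes(32), BASE_POINT))
```

The [8]P test is preferable to comparing against a fixed list of small-order encodings: it catches every point of order 1, 2, 4 or 8 in one place, and it does not depend on which of the non-canonical encodings of those points a decoder happens to accept. Rejecting non-canonical y on decode is what closes the remaining "wildcard" paths; a verifier that accepts y >= p would otherwise see more than one encoding for the same torsion point.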

@llamb-jump force-pushed the ll/ed25519 branch 3 times, most recently from cdbaf93 to d25a1ea (June 14, 2023 21:22)
@llamb-jump llamb-jump marked this pull request as ready for review June 14, 2023 21:27
@llamb-jump llamb-jump enabled auto-merge June 14, 2023 21:46
5 review threads on src/ballet/ed25519/fd_ed25519_ge.c (outdated, resolved)
@llamb-jump force-pushed the ll/ed25519 branch 5 times, most recently from 23771d8 to 95fd2df (June 15, 2023 21:07)
by checking if the signature piece R and public key are small order
@llamb-jump llamb-jump added this pull request to the merge queue Jun 16, 2023
Merged via the queue into main with commit fe17020 Jun 16, 2023
@llamb-jump llamb-jump deleted the ll/ed25519 branch June 16, 2023 18:29
3 participants