[curves] Handling invalid (unreduced) public keys and signatures in 25519
Trevor Perrin
trevp at trevp.net
Wed Aug 6 15:22:05 PDT 2014
Typo, Ed25519 R is not just a field element, it includes the sign bit, so...
On Wed, Aug 6, 2014 at 3:10 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> Ed25519
> ========
>
> R
> --
> * Implementations MUST encode R as a value < 2^255-19
> * Implementations MAY reject a signature if its R is >= 2^255-19
> Otherwise, an invalid R MUST be handled as follows:
[XXX] > * Implementations MUST decode R as a value < 2^255 (by ignoring the high bit) [XXX]
> * Implementations MUST process R with value >= 2^255-19 as if R was
> reduced by 2^255-19
Change to:
R
--
* Implementations MUST encode the R.y coordinate as a value < 2^255-19
* Implementations MAY reject a signature if its R.y is >= 2^255-19
Otherwise, an invalid R.y MUST be handled as follows:
* Implementations MUST process R.y with value >= 2^255-19 as if R.y was
reduced by 2^255-19
* However, the bytes that are hashed for signature verification
contain R as it was received
?
Trevor
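
The revised R rule above, as an added example that is not part of the original post: it decodes a 32-byte R into the sign bit and R.y, either rejects an unreduced R.y or processes it reduced by 2^255-19, and builds the verification hash from R as received. The function names, the `strict` switch and the sample bytes are assumptions made for illustration; the hash input order R || A || M is the standard Ed25519 one, and only the decoding and hashing steps are covered, not the curve arithmetic.

```python
import hashlib

P = 2**255 - 19  # field prime for Curve25519 / Ed25519


class NonCanonicalR(ValueError):
    """Raised by a strict verifier when R.y >= 2^255-19."""


def decode_r(r_bytes: bytes, strict: bool):
    """Return (y, sign_bit, was_canonical) for a 32-byte little-endian R."""
    if len(r_bytes) != 32:
        raise ValueError("R must be exactly 32 bytes")
    n = int.from_bytes(r_bytes, "little")
    sign = n >> 255                  # top bit carries the sign of x
    y_raw = n & ((1 << 255) - 1)     # low 255 bits carry R.y
    canonical = y_raw < P
    if strict and not canonical:
        # "MAY reject a signature if its R.y is >= 2^255-19"
        raise NonCanonicalR("R.y is not reduced")
    # Otherwise process R.y as if it had been reduced by 2^255-19.
    return y_raw % P, sign, canonical


def encode_r(y: int, sign: int) -> bytes:
    """Canonical encoding: R.y < 2^255-19, sign in the top bit."""
    if not 0 <= y < P or sign not in (0, 1):
        raise ValueError("y must be reduced and sign must be 0 or 1")
    return ((sign << 255) | y).to_bytes(32, "little")


def challenge_hash(r_received: bytes, a_bytes: bytes, msg: bytes) -> bytes:
    """SHA-512(R || A || M) over R exactly as received, never re-encoded."""
    return hashlib.sha512(r_received + a_bytes + msg).digest()


# Constructed sample: R.y = (2^255-19) + 3 with the sign bit set.
SAMPLE_R = ((1 << 255) | (P + 3)).to_bytes(32, "little")
SAMPLE_A = bytes(range(32))          # constructed placeholder public key
SAMPLE_MSG = b"constructed message"

if __name__ == "__main__":
    y, sign, ok = decode_r(SAMPLE_R, strict=False)
    print("y =", y, "sign =", sign, "canonical =", ok)
    same = challenge_hash(SAMPLE_R, SAMPLE_A, SAMPLE_MSG) == \
        challenge_hash(encode_r(y, sign), SAMPLE_A, SAMPLE_MSG)
    print("hash over received R equals hash over re-encoded R:", same)
```

A verifier that hashed the re-encoded R instead of the received bytes would compute a different challenge for the same signature, so two implementations could disagree on its validity.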