mirror/zig
1
0
Fork 0
mirror of https://github.com/ziglang/zig.git synced 2026-01-20 22:35:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

crypto/edwards25519: correctly flip the Y sign in the H2C operation

Browse Source 
No security implications, but the current hash-to-curve standard
defines the sign of the Y coordinate to be negative if `gx1`
is a square, positive otherwise.

We were doing it the other way round.
This commit is contained in:
Frank Denis 2021-11-08 14:55:27 +01:00
parent 6b5e403e5d
commit bd8b94bd0e
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/std/crypto/25519/edwards25519.zig
View File

@ -395,7 +395,7 @@ pub const Edwards25519 = struct {
const fe_f = Fe.fromBytes64(h);
var elr = elligator2(fe_f);
const y_sign = elr.not_square;
const y_sign = !elr.not_square;
const y_neg = elr.y.neg();
elr.y.cMov(y_neg, @boolToInt(elr.y.isNegative()) ^ @boolToInt(y_sign));
return montToEd(elr.x, elr.y).clearCofactor();
@ -542,11 +542,11 @@ test "edwards25519 uniform-to-point" {
try htest.assertEqual("f70718e68ef42d90ca1d936bb2d7e159be6c01d8095d39bd70487c82fe5c973a", p.toBytes()[0..]);
}
// Test vectors from draft-irtf-cfrg-hash-to-curve-10
// Test vectors from draft-irtf-cfrg-hash-to-curve-12
test "edwards25519 hash-to-curve operation" {
var p = Edwards25519.fromString(true, "QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_RO_", "abc");
try htest.assertEqual("31558a26887f23fb8218f143e69d5f0af2e7831130bd5b432ef23883b895831a", p.toBytes()[0..]);
try htest.assertEqual("31558a26887f23fb8218f143e69d5f0af2e7831130bd5b432ef23883b895839a", p.toBytes()[0..]);
p = Edwards25519.fromString(false, "QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_NU_", "abc");
try htest.assertEqual("42fa27c8f5a1ae0aa38bb59d5938e5145622ba5dedd11d11736fa2f9502d73e7", p.toBytes()[0..]);
try htest.assertEqual("42fa27c8f5a1ae0aa38bb59d5938e5145622ba5dedd11d11736fa2f9502d7367", p.toBytes()[0..]);
}