
Constant time scalar deserialize check #2

elichai opened this issue Feb 8, 2022 · 1 comment
Comments


elichai commented Feb 8, 2022

Currently, we use this logic to check that a scalar is canonical; this is also used in the deserialization of private nonces, which should be secret.
We want this to be constant time, but neither the `bytes[31] & 240 == 0` check nor the `from_canonical_bytes` function is constant time.

```rust
use curve25519_dalek::scalar::Scalar;

fn scalar_from_bytes(bytes: [u8; 32]) -> Option<Scalar> {
    if bytes[31] & 240 == 0 {
        Some(Scalar::from_bits(bytes))
    } else {
        Scalar::from_canonical_bytes(bytes)
    }
}
```
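The following is an added example, not code from this issue or from curve25519-dalek, showing what a constant-time version of the canonicality check looks like. It compares the 32-byte little-endian encoding against the Ed25519 group order L by running a full schoolbook subtraction with no data-dependent branch and no early exit, so the work done does not depend on the secret bytes. The function names (`ct_is_canonical`, `ct_canonical_bytes`, `vt_is_canonical`) are hypothetical; the constant `L_BYTES` is the little-endian encoding of L = 2^252 + 27742317777372353535851937790883648493. The variable-time reference is included only so the two can be checked against each other.

```rust
// Added example (not curve25519-dalek code): constant-time "is this scalar
// encoding canonical, i.e. strictly less than the group order L?"

/// Little-endian bytes of the Ed25519 group order L.
const L_BYTES: [u8; 32] = [
    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
];

/// Returns 1 if `bytes` < L and 0 otherwise, with no data-dependent branch:
/// it performs the full 32-byte subtraction `bytes - L` and returns the final
/// borrow bit. Every iteration runs regardless of the input (hypothetical name).
pub fn ct_is_canonical(bytes: &[u8; 32]) -> u8 {
    let mut borrow: u16 = 0;
    for i in 0..32 {
        // Widen to u16 so that a negative intermediate result shows up as a
        // set top bit; operands are at most 255 + 1, so there is no ambiguity.
        let diff = (bytes[i] as u16)
            .wrapping_sub(L_BYTES[i] as u16)
            .wrapping_sub(borrow);
        borrow = (diff >> 15) & 1;
    }
    borrow as u8
}

/// Constant-time stand-in for the `Option<Scalar>` return: yields the flag and
/// a buffer that equals `bytes` when the flag is 1 and all zeros otherwise,
/// selected with a mask instead of an `if` (hypothetical name).
pub fn ct_canonical_bytes(bytes: &[u8; 32]) -> (u8, [u8; 32]) {
    let ok = ct_is_canonical(bytes);
    let mask = 0u8.wrapping_sub(ok); // 0xff if ok == 1, 0x00 if ok == 0
    let mut out = [0u8; 32];
    for i in 0..32 {
        out[i] = bytes[i] & mask;
    }
    (ok, out)
}

/// Variable-time reference (early exit on the first differing byte), used only
/// to cross-check the constant-time version; never use this on secrets.
pub fn vt_is_canonical(bytes: &[u8; 32]) -> bool {
    for i in (0..32).rev() {
        if bytes[i] < L_BYTES[i] {
            return true;
        }
        if bytes[i] > L_BYTES[i] {
            return false;
        }
    }
    false // exactly equal to L is not canonical
}

fn main() {
    // Constructed test vectors around the boundary.
    let mut l_minus_one = L_BYTES;
    l_minus_one[0] -= 1;
    let vectors: [(&str, [u8; 32]); 4] = [
        ("zero", [0u8; 32]),
        ("L-1", l_minus_one),
        ("L", L_BYTES),
        ("all 0xff", [0xffu8; 32]),
    ];
    for (name, v) in vectors.iter() {
        println!("{:>8}: ct={} vt={}", name, ct_is_canonical(v), vt_is_canonical(v));
    }
}
```

The mask-and-flag pair is what a `subtle::CtOption<Scalar>` packages up in a real code base; the point here is that the caller inspects the flag once, after all secret-dependent work, rather than branching on the top nibble before deciding which parser to run.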


elichai commented Feb 25, 2022

Opened a PR to solve this: dalek-cryptography/curve25519-dalek#384
