Skip to content

chore: assert top bit isn't set #552

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
joe-p merged 3 commits into from
Mar 15, 2026
Merged

chore: assert top bit isn't set #552

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4207ed3
chore: assert top bit isn't set
joe-p Mar 9, 2026
28a39fb
test: add scalar top-bit tests
joe-p Mar 9, 2026
b07c8de
Merge branch 'decoupling' into decoupling-chore/assert_top_bit
joe-p Mar 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions packages/crypto/src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,8 +67,12 @@ function rawSign(extendedSecretKey: Uint8Array, data: Uint8Array): Uint8Array {

function rawPubkey(extendedSecretKey: Uint8Array): Uint8Array {
const scalar = bytesToNumberLE(extendedSecretKey.slice(0, 32))
const clearedTopBitScalar = scalar & ((1n << 255n) - 1n)
const reducedScalar = mod(clearedTopBitScalar, ed25519.Point.Fn.ORDER)
if ((scalar & (1n << 255n)) !== 0n) {
throw new Error(
'Invalid HD-expanded Ed25519 secret scalar: most-significant bit (bit 255) of the 32-byte scalar must be 0 for rawSign/rawPubkey inputs.',
)
}
const reducedScalar = mod(scalar, ed25519.Point.Fn.ORDER)

// pubKey = scalar * G
const publicKey = ed25519.Point.BASE.multiply(reducedScalar)
Expand Down
45 changes: 45 additions & 0 deletions packages/transact/src/signer.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -217,6 +217,51 @@ describe('signer', () => {
)
})

test('wrapped HD extended private key rejects scalar with high bit set during pubkey derivation', async () => {
const extendedKey = new Uint8Array(96)
// Fill with arbitrary data
for (let i = 0; i < 96; i++) {
extendedKey[i] = i
}
// Set bit 255 in scalar (byte 31 of the scalar, which is byte 31 overall)
extendedKey[31] = 0x80

const wrappedHdExtendedPrivateKey = {
unwrapHdExtendedPrivateKey: async () => extendedKey,
wrapHdExtendedPrivateKey: async () => {},
}

await expect(nobleEd25519SigningKeyFromWrappedSecret(wrappedHdExtendedPrivateKey)).rejects.toThrow(
'Invalid HD-expanded Ed25519 secret scalar: most-significant bit (bit 255) of the 32-byte scalar must be 0 for rawSign/rawPubkey inputs.',
)
})

test('wrapped HD extended private key rejects scalar with high bit set during signing', async () => {
// First create a valid key to get a working signer
const { accountGenerator } = await peikertXHdWalletGenerator()
const generated = await accountGenerator(0, 0)

let callCount = 0
const extendedKey = new Uint8Array(generated.extendedPrivateKey)
// Create an invalid version with bit 255 set in scalar
const invalidExtendedKey = new Uint8Array(extendedKey)
invalidExtendedKey[31] = 0x80

const wrappedHdExtendedPrivateKey = {
unwrapHdExtendedPrivateKey: async () => {
callCount++
return callCount === 1 ? extendedKey : invalidExtendedKey
},
wrapHdExtendedPrivateKey: async () => {},
}

const signingKey = await nobleEd25519SigningKeyFromWrappedSecret(wrappedHdExtendedPrivateKey)

await expect(signingKey.rawEd25519Signer(new Uint8Array([1, 2, 3]))).rejects.toThrow(
'Invalid HD-expanded Ed25519 secret scalar: most-significant bit (bit 255) of the 32-byte scalar must be 0 for rawSign/rawPubkey inputs.',
)
})

test('wrapped seed zeroes seed after successful signing', async () => {
const seed = ed.utils.randomSecretKey()
const wrappedSeed = {
Expand Down
Loading