correct issue on ed25519 full session

rdubois-crypto · rdubois-crypto · commit 4194f211a801 · 2024-11-27T17:56:19.000+01:00
solving parity mistake with ed25519:
- faulty use of &amp; instead of &amp;&amp;
- magic number used for curve order inside Psig
diff --git a/src/libMPC/SCL_Musig2.mjs b/src/libMPC/SCL_Musig2.mjs
@@ -356,8 +356,8 @@ Psign(secnonce, sk, session_ctx){
     //todo : test range of k1 and k2
     if (this.curve.Has_even_y(R)==false)
       {
-        k1=secp256k1.CURVE.n-k1;
-        k2=secp256k1.CURVE.n-k2;
+        k1=this.order-k1;
+        k2=this.order-k2;
       }
     let d_ = int_from_bytes(sk)
     //todo : test range d
diff --git a/src/libMPC/SCL_ecc.mjs b/src/libMPC/SCL_ecc.mjs
@@ -92,12 +92,13 @@ export class SCL_ecc
               return true;
         }
         if (this.curve === 'ed25519'){
-            if( (RawHex_Point[0]&&(0x80)==0x80))
+            if( ( (RawHex_Point[0]&(0x80))==0x80))
                 {
                   return false;
                 }
-                else 
+                else { 
                   return true;
+                }
             }
         }
 
@@ -142,8 +143,9 @@ export class SCL_ecc
         return  bytePoint.slice(1,33);//x-only version for noncegen
       }
       if(this.curve=='ed25519') {
-        bytePoint[0]=bytePoint[0]&0x7f;//nullify to force parity bit to 0
-        return bytePoint;
+        let cp=Buffer.from([...bytePoint]);//avoid destruction of input
+        cp[0]=cp[0]&0x7f;//force parity bit to 0
+        return cp;
       }
 
     } 
@@ -172,9 +174,10 @@ export class SCL_ecc
         return P;
       }
       if (this.curve === 'ed25519') {
-        bytePointX[0]=bytePointX[0]&0x7f;//nullify to force parity bit to 0
+        let cp=Buffer.from([...bytePointX]);//avoid destruction of input
+        cp[0]=cp[0]&0x7f;//force parity bit to 0
         
-        return ed25519.ExtendedPoint.fromHex(reverse(bytePointX));
+        return ed25519.ExtendedPoint.fromHex(reverse(cp));
       }
       throw new Error('Unsupported curve');
     }
diff --git a/src/libMPC/test_Musig2.mjs b/src/libMPC/test_Musig2.mjs
@@ -371,8 +371,9 @@ function random_fullsession(Curve){
     
     let psigs=[p1,p2];
 
+    console.log("   -Aggregating signature");
     let res=signer.Partial_sig_agg(psigs, session_ctx);
-    console.log("Aggregated signature=", res, res.length);
+    console.log("res", res, res.length);
 
     console.log("  -Final Schnorr verify:");
 

Original file line number	Diff line number	Diff line change
`@@ -356,8 +356,8 @@ Psign(secnonce, sk, session_ctx){`
`356`	`356`	`//todo : test range of k1 and k2`
`357`	`357`	`if (this.curve.Has_even_y(R)==false)`
`358`	`358`	`{`
`359`		`- k1=secp256k1.CURVE.n-k1;`
`360`		`- k2=secp256k1.CURVE.n-k2;`
	`359`	`+ k1=this.order-k1;`
	`360`	`+ k2=this.order-k2;`
`361`	`361`	`}`
`362`	`362`	`let d_ = int_from_bytes(sk)`
`363`	`363`	`//todo : test range d`
Original file line number	Diff line number	Diff line change
`@@ -92,12 +92,13 @@ export class SCL_ecc`
`92`	`92`	`return true;`
`93`	`93`	`}`
`94`	`94`	`if (this.curve === 'ed25519'){`
`95`		`- if( (RawHex_Point[0]&&(0x80)==0x80))`
	`95`	`+ if( ( (RawHex_Point[0]&(0x80))==0x80))`
`96`	`96`	`{`
`97`	`97`	`return false;`
`98`	`98`	`}`
`99`		`- else`
	`99`	`+ else {`
`100`	`100`	`return true;`
	`101`	`+ }`
`101`	`102`	`}`
`102`	`103`	`}`
`103`	`104`
`@@ -142,8 +143,9 @@ export class SCL_ecc`
`142`	`143`	`return bytePoint.slice(1,33);//x-only version for noncegen`
`143`	`144`	`}`
`144`	`145`	`if(this.curve=='ed25519') {`
`145`		`- bytePoint[0]=bytePoint[0]&0x7f;//nullify to force parity bit to 0`
`146`		`- return bytePoint;`
	`146`	`+ let cp=Buffer.from([...bytePoint]);//avoid destruction of input`
	`147`	`+ cp[0]=cp[0]&0x7f;//force parity bit to 0`
	`148`	`+ return cp;`
`147`	`149`	`}`
`148`	`150`
`149`	`151`	`}`
`@@ -172,9 +174,10 @@ export class SCL_ecc`
`172`	`174`	`return P;`
`173`	`175`	`}`
`174`	`176`	`if (this.curve === 'ed25519') {`
`175`		`- bytePointX[0]=bytePointX[0]&0x7f;//nullify to force parity bit to 0`
	`177`	`+ let cp=Buffer.from([...bytePointX]);//avoid destruction of input`
	`178`	`+ cp[0]=cp[0]&0x7f;//force parity bit to 0`
`176`	`179`
`177`		`- return ed25519.ExtendedPoint.fromHex(reverse(bytePointX));`
	`180`	`+ return ed25519.ExtendedPoint.fromHex(reverse(cp));`
`178`	`181`	`}`
`179`	`182`	`throw new Error('Unsupported curve');`
`180`	`183`	`}`