-
Notifications
You must be signed in to change notification settings - Fork 110
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ed25519::GE fails in serialization and deserialization #156
Comments
The real cause of the problem seems to be in from_bytes() where the encoded point is multiplied by 8. |
Hi @HRezaei, So you're right, we intentionally multiply decoded point by 8, it clears a small cofactor from the point. That might seem odd, but that's how it works. FYI since curv@0.8, we don't do multiplication by 8 anymore. Nevertheless, |
Hi @survived, Thanks for your consideration. Regarding the v0.8 we can't use it currently because upgrading to it, needs a lot of changes, not only in the eddsa project but also in many dependencies such as paillier's, centipede, bulletproofs, etc.
Yeah, tests in the let y_vec = (0..n.clone())
.map(|i| party_keys_vec[i].y_i.clone())
.collect::<Vec<GE>>(); to this snippet below, to mimic the real scenario. let y_vec = (0..n.clone())
.map(|i| party_keys_vec[i].y_i.clone())
.map(|y_i| serde_json::to_string(&y_i).unwrap())//serialize y so to be broadcasted to other parties
.map(|y_i_json| serde_json::from_str(&y_i_json).unwrap())//deserialize y, as it happens in each recipient party
.collect::<Vec<GE>>(); You will see two tests will fail with the error "invalid key: InvalidKey". |
All of these libraries are updated to use the latest Regarding deserialization, unless the library is updated to use latest curv, you can divide deserialized point by 8, it will yield the original point. |
See this link for more details: ZenGo-X/curv#156 (comment)
Updating the eddsa would be appealing if time limits permit. 😊 About division by eight, I followed your advice, but as you can see in the above commit, it needs many changes in many places as GE's are used inside vectors and more complex structs. It also would be a source of runtime errors, not easily discernible errors, because it's related to values, not data types. The developers should be careful to remedy the situation whenever a data structure containing GE is deserialized. |
Yeah that's frustrating. If it's applicable for your case — you can define a structure Also, you can tag the wrapping structure with |
Thank you @survived for your advice. But if I decided to define such a custom type in my own fork for my own use, why not remove that multiply by eight? What's the harm of removing that and adding a check for being on the curve? |
Multiplication by 8 is security related operation, it clears out small cofactor part from the point. Not doing this might leak some bits of your secrets, or affect the protocol in some unexpected way. Note that it's not related to checking whether a point is on curve: when we multiply point by 8, we already checked that the point is on curve. New version of |
@HRezaei thanks for that, can you check again with v.0.10.0? |
Hi @leontiadZen, |
There seems to be an error in encoding/decoding of a GE (Ed25519Point) in version 0.7.0. In the example below, the base_point is serialized to JSON, and a new point is recreated from it. I expect the new point to contain the same x, y coordinates, but it isn't the case:
This causes the EdDSA thresholdsig to always fail with "invalid key" error in the stage: phase1_verify_com_phase2_distribute() because the
y_vec: &Vec<GE>
has to be collected from different parties, and this needs serialize/deserializing the GE's.You have said that improving the v0.7 is no longer a priority(unless critical issues) so it would be great if you please consider this as a critical issue!
The text was updated successfully, but these errors were encountered: