-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix:Correct ECDSA signature malleability handling #13544
fix:Correct ECDSA signature malleability handling #13544
Conversation
@@ -71,7 +71,7 @@ impl Signature { | |||
Ok(()) | |||
} | |||
|
|||
/// Check if S < ORDER_HALF to capture invalid signatures. | |||
/// Check if S <= ORDER_HALF to capture invalid signatures. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you rename this to check_s_le_order_half
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have renamed the function to check_s_le_order_half
as requested. The changes have been committed under hash f46e76c21551f17ca7b0a04bd473b50e7d6c11e8
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks correct to me
98eeb11
to
99d2145
Compare
f46e76c
to
b9a2560
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense. If the order ORDER_HALF = (3-1)/2 = 1
.
When we get a signature s = ORDER_HALF = 1
it would fail the malleability check and we would change it to
On the other hand, if we got a signature s = 2
, it would also fail the malleability check and we would change it to
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
It is indeed the case. Fortunately, the function |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
dc0ff96
to
927cb18
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
✅ Forge suite
|
✅ Forge suite
|
✅ Forge suite
|
* Correct ECDSA signature malleability handling * Rename function check_s_lt_order_half to check_s_le_order_half
Description
The function
check_s_lt_order_half
is intended to ensure that the value of S in an ECDSA signature is less than the order of the Secp256r1 curve divided by 2 to eliminate signature malleability. However, there's a boundary condition issue in the function's return logic.At the end of the function, the return value is set to false when
S == ORDER_HALF
. This decision seems incorrect. To eliminate ECDSA signature malleability, S is required to be less thann/2
, where n is the curve order. Since the curve's order is a prime number and cannot be divided by 2 evenly,ORDER_HALF
effectively represents thefloor(n/2)
. Therefore,ORDER_HALF
should be considered a valid S value, and its corresponding invalid S would beORDER_HALF + 1
. This boundary value consideration aligns with the approach taken in BIP62(despite the curve and its order being different, both are prime numbers).If
ORDER_HALF
is treated as an invalid S value, then computingn - S
tries to convert it to a valid S, resulting inORDER_HALF + 1
, which remains an invalid S.This issue could potentially render signatures invalid when they should be considered valid, impacting the reliability of the system. Although the probability of S exactly equaling ORDER_HALF in a signature is very low, ORDER_HALF should not be considered a invalid S value. If the repository is referenced by other developers in specific business scenarios, it could pose a potential security risk.
Type of Change
Which Components or Systems Does This Change Impact?
How Has This Been Tested?
We can verify using the following Python code that
half_order
andhalf_order + 1
form a pair of associated malleable S values. Among them,half_order
is considered a valid S value, whilehalf_order + 1
is an invalid S value.Key Areas to Review
Checklist