Re-introduce lowSmax check

src/CertManager.sol

@@ -268,7 +268,8 @@ contract CertManager is ICertManager {
             gx: ECDSA384.CURVE_GX,
             gy: ECDSA384.CURVE_GY,
             p: ECDSA384.CURVE_P,
-            n: ECDSA384.CURVE_N
+            n: ECDSA384.CURVE_N,
+            lowSmax: ECDSA384.CURVE_LOW_S_MAX
         });
         require(ECDSA384.verify(CURVE_PARAMETERS, hash, sig, pubKey), "invalid sig");
     }

src/ECDSA384.sol

@@ -27,6 +27,9 @@ library ECDSA384 {
         hex"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff";
     bytes public constant CURVE_N =
         hex"ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973";
+    // use n-1 for lowSmax, which allows s-values above n/2
+    bytes public constant CURVE_LOW_S_MAX =
+        hex"ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972";
 
     /**
      * @notice 384-bit curve parameters.
@@ -38,6 +41,7 @@ library ECDSA384 {
         bytes gy;
         bytes p;
         bytes n;
+        bytes lowSmax;
     }
 
     struct _Parameters {
@@ -47,6 +51,7 @@ library ECDSA384 {
         uint256 gy;
         uint256 p;
         uint256 n;
+        uint256 lowSmax;
     }
 
     struct _Inputs {
@@ -58,7 +63,7 @@ library ECDSA384 {
 
     /**
      * @notice The function to verify the ECDSA signature
-     * @param curveParams_ the 384-bit curve parameters.
+     * @param curveParams_ the 384-bit curve parameters. `lowSmax` is `n / 2`.
      * @param hashedMessage_ the already hashed message to be verified.
      * @param signature_ the ECDSA signature. Equals to `bytes(r) + bytes(s)`.
      * @param pubKey_ the full public key of a signer. Equals to `bytes(x) + bytes(y)`.
@@ -83,10 +88,14 @@ library ECDSA384 {
                 gx: curveParams_.gx.init(),
                 gy: curveParams_.gy.init(),
                 p: curveParams_.p.init(),
-                n: curveParams_.n.init()
+                n: curveParams_.n.init(),
+                lowSmax: curveParams_.lowSmax.init()
             });
 
-            if (U384.eqInteger(inputs_.r, 0) || U384.cmp(inputs_.r, params_.n) >= 0 || U384.eqInteger(inputs_.s, 0)) {
+            if (
+                U384.eqInteger(inputs_.r, 0) || U384.cmp(inputs_.r, params_.n) >= 0 || U384.eqInteger(inputs_.s, 0)
+                    || U384.cmp(inputs_.s, params_.lowSmax) > 0
+            ) {
                 return false;
             }
 

src/NitroValidator.sol

@@ -193,7 +193,8 @@ contract NitroValidator {
             gx: ECDSA384.CURVE_GX,
             gy: ECDSA384.CURVE_GY,
             p: ECDSA384.CURVE_P,
-            n: ECDSA384.CURVE_N
+            n: ECDSA384.CURVE_N,
+            lowSmax: ECDSA384.CURVE_LOW_S_MAX
         });
         require(ECDSA384.verify(CURVE_PARAMETERS, hash, sig, pubKey), "invalid sig");
     }

test/ECDSA384.t.sol

@@ -13,7 +13,8 @@ contract ECDSA384Test is Test {
             gx: ECDSA384.CURVE_GX,
             gy: ECDSA384.CURVE_GY,
             p: ECDSA384.CURVE_P,
-            n: ECDSA384.CURVE_N
+            n: ECDSA384.CURVE_N,
+            lowSmax: ECDSA384.CURVE_LOW_S_MAX
         });
         bytes memory pubKey = abi.encodePacked(
             hex"56931fd7d42942eec92298d7291371cdbac29c60230c9f635d010939ab7f8f5d977ccfe90bd7528cafa53afad6225bf61e2af4d20831aed1e6b578ccb00e1534182f6d1ee6bf524fbd62bd056d0d538c24eb7f2a436e336e139f00a072b0ba1a"