From 045e2564545cbcf6694f690cd5565985d17321f3 Mon Sep 17 00:00:00 2001
From: Ivo Kubjas
Date: Wed, 27 Sep 2023 14:17:28 +0200
Subject: [PATCH] chore: generate
---
 ecc/bls12-377/twistededwards/eddsa/eddsa_test.go | 14 --------------
 ecc/bls12-377/twistededwards/eddsa/marshal.go | 7 +++++++
 ecc/bls12-378/twistededwards/eddsa/eddsa_test.go | 14 --------------
 ecc/bls12-378/twistededwards/eddsa/marshal.go | 7 +++++++
 ecc/bls12-381/bandersnatch/eddsa/eddsa_test.go | 14 --------------
 ecc/bls12-381/bandersnatch/eddsa/marshal.go | 7 +++++++
 ecc/bls12-381/twistededwards/eddsa/eddsa_test.go | 14 --------------
 ecc/bls12-381/twistededwards/eddsa/marshal.go | 7 +++++++
 ecc/bls24-315/twistededwards/eddsa/eddsa_test.go | 14 --------------
 ecc/bls24-315/twistededwards/eddsa/marshal.go | 7 +++++++
 ecc/bls24-317/twistededwards/eddsa/eddsa_test.go | 14 --------------
 ecc/bls24-317/twistededwards/eddsa/marshal.go | 7 +++++++
 ecc/bn254/twistededwards/eddsa/eddsa_test.go | 14 --------------
 ecc/bn254/twistededwards/eddsa/marshal.go | 7 +++++++
 ecc/bw6-633/twistededwards/eddsa/eddsa_test.go | 14 --------------
 ecc/bw6-633/twistededwards/eddsa/marshal.go | 7 +++++++
 ecc/bw6-756/twistededwards/eddsa/eddsa_test.go | 14 --------------
 ecc/bw6-756/twistededwards/eddsa/marshal.go | 7 +++++++
 ecc/bw6-761/twistededwards/eddsa/eddsa_test.go | 14 --------------
 ecc/bw6-761/twistededwards/eddsa/marshal.go | 7 +++++++
 20 files changed, 70 insertions(+), 140 deletions(-)
diff --git a/ecc/bls12-377/twistededwards/eddsa/eddsa_test.go b/ecc/bls12-377/twistededwards/eddsa/eddsa_test.go
index 903866f45..9aa80fcdb 100644
--- a/ecc/bls12-377/twistededwards/eddsa/eddsa_test.go
+++ b/ecc/bls12-377/twistededwards/eddsa/eddsa_test.go
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bls12-377/twistededwards/eddsa/marshal.go b/ecc/bls12-377/twistededwards/eddsa/marshal.go
index bf2af57eb..ec78c776a 100644
--- a/ecc/bls12-377/twistededwards/eddsa/marshal.go
+++ b/ecc/bls12-377/twistededwards/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod
diff --git a/ecc/bls12-378/twistededwards/eddsa/eddsa_test.go b/ecc/bls12-378/twistededwards/eddsa/eddsa_test.go
index 86adc4883..b5460c4f8 100644
--- a/ecc/bls12-378/twistededwards/eddsa/eddsa_test.go
+++ b/ecc/bls12-378/twistededwards/eddsa/eddsa_test.go
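Review bot: `zero := big.NewInt(0)` in the first hunk of ecc/bls12-377/twistededwards/eddsa/marshal.go exists only to be compared against; `big.Int` already has a sign test, so the two added checks (hunks at -144 and -151) can read `if bufBigInt.Sign() == 0 {` and the extra variable can go. The same three hunks repeat in the marshal.go of the other nine curve packages in this patch, and the subject `chore: generate` suggests they come from one template, which is where the change would be made. SetBytes starts and ends outside these hunks.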
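Review bot: The zero check added before the `fpMod` comparison (hunk at -144 of ecc/bls12-377/twistededwards/eddsa/marshal.go) tests only the masked encoding held in `bufCopy`, so the input the deleted `R.X=0` subtest built (R.X=0, R.Y=1) is not rejected by it and no longer has any test. If an R with a zero X coordinate should be refused at parse time, that needs a check on the decoded point, presumably after R is set further down in SetBytes (outside the hunk), e.g. `if sig.R.X.IsZero() { return 0, ErrZero }`. If accepting it is intended, a comment such as `// R.X == 0 is accepted here; only a zero R encoding and S == 0 are rejected` would record the decision, together with a subtest that pins it. The same applies to the other nine eddsa packages changed in this patch.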
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bls12-378/twistededwards/eddsa/marshal.go b/ecc/bls12-378/twistededwards/eddsa/marshal.go
index 4859301b8..bb1675990 100644
--- a/ecc/bls12-378/twistededwards/eddsa/marshal.go
+++ b/ecc/bls12-378/twistededwards/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod
diff --git a/ecc/bls12-381/bandersnatch/eddsa/eddsa_test.go b/ecc/bls12-381/bandersnatch/eddsa/eddsa_test.go
index 04f40035c..b3e861215 100644
--- a/ecc/bls12-381/bandersnatch/eddsa/eddsa_test.go
+++ b/ecc/bls12-381/bandersnatch/eddsa/eddsa_test.go
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bls12-381/bandersnatch/eddsa/marshal.go b/ecc/bls12-381/bandersnatch/eddsa/marshal.go
index 82859c023..3c83cb9ec 100644
--- a/ecc/bls12-381/bandersnatch/eddsa/marshal.go
+++ b/ecc/bls12-381/bandersnatch/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod
diff --git a/ecc/bls12-381/twistededwards/eddsa/eddsa_test.go b/ecc/bls12-381/twistededwards/eddsa/eddsa_test.go
index 04f40035c..b3e861215 100644
--- a/ecc/bls12-381/twistededwards/eddsa/eddsa_test.go
+++ b/ecc/bls12-381/twistededwards/eddsa/eddsa_test.go
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bls12-381/twistededwards/eddsa/marshal.go b/ecc/bls12-381/twistededwards/eddsa/marshal.go
index 82859c023..3c83cb9ec 100644
--- a/ecc/bls12-381/twistededwards/eddsa/marshal.go
+++ b/ecc/bls12-381/twistededwards/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod
diff --git a/ecc/bls24-315/twistededwards/eddsa/eddsa_test.go b/ecc/bls24-315/twistededwards/eddsa/eddsa_test.go
index 11d6b8119..c77910ea2 100644
--- a/ecc/bls24-315/twistededwards/eddsa/eddsa_test.go
+++ b/ecc/bls24-315/twistededwards/eddsa/eddsa_test.go
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bls24-315/twistededwards/eddsa/marshal.go b/ecc/bls24-315/twistededwards/eddsa/marshal.go
index c8af241f0..f34d05b87 100644
--- a/ecc/bls24-315/twistededwards/eddsa/marshal.go
+++ b/ecc/bls24-315/twistededwards/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod
diff --git a/ecc/bls24-317/twistededwards/eddsa/eddsa_test.go b/ecc/bls24-317/twistededwards/eddsa/eddsa_test.go
index 634b68a95..5ac389bf3 100644
--- a/ecc/bls24-317/twistededwards/eddsa/eddsa_test.go
+++ b/ecc/bls24-317/twistededwards/eddsa/eddsa_test.go
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bls24-317/twistededwards/eddsa/marshal.go b/ecc/bls24-317/twistededwards/eddsa/marshal.go
index cb754541a..a036cd5d5 100644
--- a/ecc/bls24-317/twistededwards/eddsa/marshal.go
+++ b/ecc/bls24-317/twistededwards/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod
diff --git a/ecc/bn254/twistededwards/eddsa/eddsa_test.go b/ecc/bn254/twistededwards/eddsa/eddsa_test.go
index 898d9c57d..2e1055fae 100644
--- a/ecc/bn254/twistededwards/eddsa/eddsa_test.go
+++ b/ecc/bn254/twistededwards/eddsa/eddsa_test.go
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bn254/twistededwards/eddsa/marshal.go b/ecc/bn254/twistededwards/eddsa/marshal.go
index 1709112c4..df1202078 100644
--- a/ecc/bn254/twistededwards/eddsa/marshal.go
+++ b/ecc/bn254/twistededwards/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod
diff --git a/ecc/bw6-633/twistededwards/eddsa/eddsa_test.go b/ecc/bw6-633/twistededwards/eddsa/eddsa_test.go
index 1fed02033..f9af1cefe 100644
--- a/ecc/bw6-633/twistededwards/eddsa/eddsa_test.go
+++ b/ecc/bw6-633/twistededwards/eddsa/eddsa_test.go
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bw6-633/twistededwards/eddsa/marshal.go b/ecc/bw6-633/twistededwards/eddsa/marshal.go
index 1b68fd172..57c6f408d 100644
--- a/ecc/bw6-633/twistededwards/eddsa/marshal.go
+++ b/ecc/bw6-633/twistededwards/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod
diff --git a/ecc/bw6-756/twistededwards/eddsa/eddsa_test.go b/ecc/bw6-756/twistededwards/eddsa/eddsa_test.go
index ecf5bfe7f..3f32381fa 100644
--- a/ecc/bw6-756/twistededwards/eddsa/eddsa_test.go
+++ b/ecc/bw6-756/twistededwards/eddsa/eddsa_test.go
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bw6-756/twistededwards/eddsa/marshal.go b/ecc/bw6-756/twistededwards/eddsa/marshal.go
index 59d585fde..00eea21d7 100644
--- a/ecc/bw6-756/twistededwards/eddsa/marshal.go
+++ b/ecc/bw6-756/twistededwards/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod
diff --git a/ecc/bw6-761/twistededwards/eddsa/eddsa_test.go b/ecc/bw6-761/twistededwards/eddsa/eddsa_test.go
index 97a83e629..08ad6a67f 100644
--- a/ecc/bw6-761/twistededwards/eddsa/eddsa_test.go
+++ b/ecc/bw6-761/twistededwards/eddsa/eddsa_test.go
@@ -107,20 +107,6 @@ func TestNonMalleability(t *testing.T) {
 }
 
 func TestNoZeros(t *testing.T) {
- t.Run("R.X=0", func(t *testing.T) {
- // R points are 0
- var sig Signature
- sig.R.X.SetInt64(0)
- sig.R.Y.SetInt64(1)
- s := big.NewInt(1)
- s.FillBytes(sig.S[:])
- bts := sig.Bytes()
- var newSig Signature
- _, err := newSig.SetBytes(bts)
- if err != ErrZero {
- t.Fatal("expected error for zero R.X")
- }
- })
 t.Run("R.Y=0", func(t *testing.T) {
 // R points are 0
 var sig Signature
diff --git a/ecc/bw6-761/twistededwards/eddsa/marshal.go b/ecc/bw6-761/twistededwards/eddsa/marshal.go
index cf6fe09dd..c1e33d406 100644
--- a/ecc/bw6-761/twistededwards/eddsa/marshal.go
+++ b/ecc/bw6-761/twistededwards/eddsa/marshal.go
@@ -137,6 +137,7 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // R < P_mod (to avoid malleability)
 // P_mod = field of def of the twisted Edwards = Fr snark field
 fpMod := fr.Modulus()
+ zero := big.NewInt(0)
 var bufBigInt big.Int
 bufCopy := make([]byte, fr.Bytes)
 for i := 0; i < sizeFr; i++ {
@@ -144,6 +145,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 }
 bufCopy[0] &= mUnmask
 bufBigInt.SetBytes(bufCopy)
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 if bufBigInt.Cmp(fpMod) != -1 {
 return 0, ErrRBiggerThanPMod
 }
@@ -151,6 +155,9 @@ func (sig *Signature) SetBytes(buf []byte) (int, error) {
 // S < R_mod (to avoid malleability)
 // R_mod is the relevant group size of the twisted Edwards NOT the fr snark field so it's supposedly smaller
 bufBigInt.SetBytes(buf[sizeFr : 2*sizeFr])
+ if bufBigInt.Cmp(zero) == 0 {
+ return 0, ErrZero
+ }
 cp := twistededwards.GetEdwardsCurve()
 if bufBigInt.Cmp(&cp.Order) != -1 {
 return 0, ErrSBiggerThanRMod