Merge pull request #24 from oasisprotocol/yawning/fix/remove-is-small…

…-order ed25519: Remove PublicKey.IsSmallOrder
oasisprotocol · Oct 30, 2020 · cbed068 · cbed068
2 parents e591887 + 9e7b83d
commit cbed068
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 20 deletions.
diff --git a/ed25519.go b/ed25519.go
@@ -203,16 +203,6 @@ func (pub PublicKey) Equal(x crypto.PublicKey) bool {
 	return bytes.Equal(pub, xx)
 }
 
-// IsSmallOrder returns true iff a Public Key is a small order point.
-// This routine will panic if the public key length is invalid.
-func (pub PublicKey) IsSmallOrder() bool {
-	if l := len(pub); l != PublicKeySize {
-		panic("ed25519: bad public key length: " + strconv.Itoa(l))
-	}
-
-	return isSmallOrderVartime(pub)
-}
-
 // Sign signs the message with privateKey and returns a signature. It will
 // panic if len(privateKey) is not PrivateKeySize.
 func Sign(privateKey PrivateKey, message []byte) []byte {
@@ -294,11 +284,6 @@ func verify(publicKey PublicKey, message, sig []byte, f dom2Flag, c []byte, zip2
 		panic("ed25519: bad public key length: " + strconv.Itoa(l))
 	}
 
-	// Reject small order A to make the scheme strongly binding.
-	if !zip215 && isSmallOrderVartime(publicKey) {
-		return false
-	}
-
 	var (
 		hash                [64]byte
 		Rproj, R, A, checkR ge25519.Ge25519
@@ -309,6 +294,11 @@ func verify(publicKey PublicKey, message, sig []byte, f dom2Flag, c []byte, zip2
 		return false
 	}
 
+	// Reject small order A to make the scheme strongly binding.
+	if !zip215 && isSmallOrderVartime(publicKey) {
+		return false
+	}
+
 	// hram = H(R,A,m)
 	h := sha512.New()
 	if f != fPure {
@@ -476,7 +466,8 @@ func isSmallOrderVartime(s []byte) bool {
 	var t1, t2 ge25519.Ge25519
 
 	if !ge25519.UnpackVartime(&t1, s) {
-		panic("ed25519/isSmallOrderVartime: failed to unpack")
+		// Treat unpack failures as equivalent to small order (invalid A).
+		return true
 	}
 
 	ge25519.CofactorMultiply(&t2, &t1)

diff --git a/small_order_test.go b/small_order_test.go
@@ -98,9 +98,5 @@ func TestSmallOrderCheck(t *testing.T) {
 		if !isSmallOrderVartime(v[:]) {
 			t.Errorf("point %d should fail small order check", idx)
 		}
-
-		if pub := PublicKey(v[:]); !pub.IsSmallOrder() {
-			t.Errorf("point %d as public key should fail small order check", idx)
-		}
 	}
 }