diff --git a/crypto/schnorr/src/lib.rs b/crypto/schnorr/src/lib.rs index fed606f4..44eef31e 100644 --- a/crypto/schnorr/src/lib.rs +++ b/crypto/schnorr/src/lib.rs @@ -20,6 +20,13 @@ pub mod aggregate; mod tests; /// A Schnorr signature of the form (R, s) where s = r + cx. +/// +/// These are intended to be strict. It is generic over Ciphersuite which is for PrimeGroups, +/// and mandates canonical encodings in its read function. +/// +/// RFC 8032 has an alternative verification formula, 8R = 8s - 8cX, which is intended to handle +/// torsioned nonces/public keys. Due to this library's strict requirements, such signatures will +/// not be verifiable with this library. #[allow(non_snake_case)] #[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)] pub struct SchnorrSignature { diff --git a/crypto/schnorr/src/tests.rs b/crypto/schnorr/src/tests.rs index 2d24a0a6..7a912767 100644 --- a/crypto/schnorr/src/tests.rs +++ b/crypto/schnorr/src/tests.rs @@ -54,7 +54,7 @@ pub(crate) fn batch_verify() { for (i, sig) in sigs.iter().enumerate() { sig.batch_verify(&mut OsRng, &mut batch, i, C::generator() * keys[i].deref(), challenges[i]); } - batch.verify_with_vartime_blame().unwrap(); + batch.verify_vartime_with_vartime_blame().unwrap(); } // Shift 1 from s from one to another and verify it fails @@ -70,7 +70,7 @@ pub(crate) fn batch_verify() { } sig.batch_verify(&mut OsRng, &mut batch, i, C::generator() * keys[i].deref(), challenges[i]); } - if let Err(blame) = batch.verify_with_vartime_blame() { + if let Err(blame) = batch.verify_vartime_with_vartime_blame() { assert!((blame == 1) || (blame == 2)); } else { panic!("Batch verification considered malleated signatures valid");