Fix incorrect sig_hash generation

sig_hash was used as a challenge. challenges should be of the form H(R, A, m). These sig hashes were solely H(A, m), allowing trivial forgeries.
2024-12-22 19:49:22 +00:00 · 2023-06-08 06:38:25 -04:00 · 2023-06-08 06:38:25 -04:00 · dfa3106a38
commit dfa3106a38
parent c6982b5dfc
3 changed files with 20 additions and 13 deletions
--- a/coordinator/src/tributary/mod.rs
+++ b/coordinator/src/tributary/mod.rs
@ -458,11 +458,9 @@ impl Transaction {
    signed_ref.signer = Ristretto::generator() * key.deref();
    signed_ref.nonce = nonce;

+    let sig_nonce = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng));
+    signed(self).signature.R = <Ristretto as Ciphersuite>::generator() * sig_nonce.deref();
    let sig_hash = self.sig_hash(genesis);
-    signed(self).signature = SchnorrSignature::<Ristretto>::sign(
-      key,
-      Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng)),
-      sig_hash,
-    );
+    signed(self).signature = SchnorrSignature::<Ristretto>::sign(key, sig_nonce, sig_hash);
  }
 }
--- a/coordinator/tributary/src/tests/transaction/mod.rs
+++ b/coordinator/tributary/src/tests/transaction/mod.rs
@ -1,3 +1,4 @@
+use core::ops::Deref;
 use std::{io, collections::HashMap};

 use zeroize::Zeroizing;
@ -114,11 +115,9 @@ pub fn signed_transaction<R: RngCore + CryptoRng>(
  let mut tx =
    SignedTransaction(data, Signed { signer, nonce, signature: random_signed(rng).signature });

-  tx.1.signature = SchnorrSignature::sign(
-    key,
-    Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng)),
-    tx.sig_hash(genesis),
-  );
+  let sig_nonce = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng));
+  tx.1.signature.R = Ristretto::generator() * sig_nonce.deref();
+  tx.1.signature = SchnorrSignature::sign(key, sig_nonce, tx.sig_hash(genesis));

  let mut nonces = HashMap::from([(signer, nonce)]);
  verify_transaction(&tx, genesis, &mut nonces).unwrap();
--- a/coordinator/tributary/src/transaction.rs
+++ b/coordinator/tributary/src/transaction.rs
@ -98,10 +98,20 @@ pub trait Transaction: 'static + Send + Sync + Clone + Eq + Debug + ReadWrite {
  /// Obtain the challenge for this transaction's signature.
  ///
  /// Do not override this unless you know what you're doing.
+  ///
+  /// Panics if called on non-signed transactions.
  fn sig_hash(&self, genesis: [u8; 32]) -> <Ristretto as Ciphersuite>::F {
-    <Ristretto as Ciphersuite>::F::from_bytes_mod_order_wide(
-      &Blake2b512::digest([genesis, self.hash()].concat()).into(),
-    )
+    match self.kind() {
+      TransactionKind::Signed(Signed { signature, .. }) => {
+        <Ristretto as Ciphersuite>::F::from_bytes_mod_order_wide(
+          &Blake2b512::digest(
+            [genesis.as_ref(), &self.hash(), signature.R.to_bytes().as_ref()].concat(),
+          )
+          .into(),
+        )
+      }
+      _ => panic!("sig_hash called on non-signed transaction"),
+    }
  }
 }