Fix incorrect sig_hash generation

sig_hash was used as a challenge. challenges should be of the form H(R, A, m).
These sig hashes were solely H(A, m), allowing trivial forgeries.
This commit is contained in:
Luke Parker 2023-06-08 06:38:25 -04:00
parent c6982b5dfc
commit dfa3106a38
No known key found for this signature in database
3 changed files with 20 additions and 13 deletions

View file

@ -458,11 +458,9 @@ impl Transaction {
signed_ref.signer = Ristretto::generator() * key.deref();
signed_ref.nonce = nonce;
let sig_nonce = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng));
signed(self).signature.R = <Ristretto as Ciphersuite>::generator() * sig_nonce.deref();
let sig_hash = self.sig_hash(genesis);
signed(self).signature = SchnorrSignature::<Ristretto>::sign(
key,
Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng)),
sig_hash,
);
signed(self).signature = SchnorrSignature::<Ristretto>::sign(key, sig_nonce, sig_hash);
}
}

View file

@ -1,3 +1,4 @@
use core::ops::Deref;
use std::{io, collections::HashMap};
use zeroize::Zeroizing;
@ -114,11 +115,9 @@ pub fn signed_transaction<R: RngCore + CryptoRng>(
let mut tx =
SignedTransaction(data, Signed { signer, nonce, signature: random_signed(rng).signature });
tx.1.signature = SchnorrSignature::sign(
key,
Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng)),
tx.sig_hash(genesis),
);
let sig_nonce = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng));
tx.1.signature.R = Ristretto::generator() * sig_nonce.deref();
tx.1.signature = SchnorrSignature::sign(key, sig_nonce, tx.sig_hash(genesis));
let mut nonces = HashMap::from([(signer, nonce)]);
verify_transaction(&tx, genesis, &mut nonces).unwrap();

View file

@ -98,10 +98,20 @@ pub trait Transaction: 'static + Send + Sync + Clone + Eq + Debug + ReadWrite {
/// Obtain the challenge for this transaction's signature.
///
/// Do not override this unless you know what you're doing.
///
/// Panics if called on non-signed transactions.
fn sig_hash(&self, genesis: [u8; 32]) -> <Ristretto as Ciphersuite>::F {
match self.kind() {
TransactionKind::Signed(Signed { signature, .. }) => {
<Ristretto as Ciphersuite>::F::from_bytes_mod_order_wide(
&Blake2b512::digest([genesis, self.hash()].concat()).into(),
&Blake2b512::digest(
[genesis.as_ref(), &self.hash(), signature.R.to_bytes().as_ref()].concat(),
)
.into(),
)
}
_ => panic!("sig_hash called on non-signed transaction"),
}
}
}