Optimise scalar check to succeed fast if the 4th MSB is unset.

This is only done upon signature deserialisation/verification. cf. dalek-cryptography/ed25519-dalek#99 for more info.
isislovecruft · Oct 14, 2019 · 3da2e8d · 3da2e8d
1 parent bd2d077
commit 3da2e8d
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/src/main/java/cafe/cryptography/ed25519/Ed25519Signature.java b/src/main/java/cafe/cryptography/ed25519/Ed25519Signature.java
@@ -44,7 +44,17 @@ public static Ed25519Signature fromByteArray(byte[] input) {
         //    signature is invalid.
         // @formatter:on
         CompressedEdwardsY R = new CompressedEdwardsY(Arrays.copyOfRange(input, 0, 32));
-        Scalar S = Scalar.fromCanonicalBytes(Arrays.copyOfRange(input, 32, 64));
+
+        // If the four most significant bits are unset, we know the scalar is
+        // guaranteed to be fully reduced modulo the order of the basepoint, and
+        // thus we can skip the full check.
+        Scalar S;
+        if (input[63] & 240 == 0) {
+          S = Scalar.fromBits(Arrays.copyOfRange(input, 32, 64));
+        } else {
+          S = Scalar.fromCanonicalBytes(Arrays.copyOfRange(input, 32, 64));
+        }
+
         return new Ed25519Signature(R, S);
     }