From 70af14b6440b10b47e31c47332f870a20213bafa Mon Sep 17 00:00:00 2001
From: Lee Bousfield
Date: Fri, 9 Nov 2018 09:49:04 -0600
Subject: [PATCH 1/5] Dedicate a full r hash block to attacker unknown bytes
---
 ed25519-donna/ed25519.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ed25519-donna/ed25519.c b/ed25519-donna/ed25519.c
index ad31d1183f..09d4a729f9 100644
--- a/ed25519-donna/ed25519.c
+++ b/ed25519-donna/ed25519.c
@@ -62,6 +62,7 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
 ge25519 ALIGN(16) R;
 hash_512bits extsk, hashr, hram;
 unsigned char randr[32];
+ static const unsigned char rzero[64] = {0};
 ed25519_extsk(extsk, sk);
@@ -70,6 +71,11 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
 ed25519_hash_update(&ctx, extsk + 32, 32);
 ed25519_randombytes_unsafe(randr, 32);
 ed25519_hash_update(&ctx, randr, 32);
+ /* Fill up the rest of the hash block. This puts the message (possibly known to a side channel attacker) in a separate block. */
+ ed25519_hash_update(&ctx, rzero, 64);
 ed25519_hash_update(&ctx, m, mlen);
 ed25519_hash_final(&ctx, hashr);
 expand256_modm(r, hashr, 64);
From 8226feba5384daa5b05e50d2a2b70af4ff90df69 Mon Sep 17 00:00:00 2001
From: Roy Keene
Date: Fri, 9 Nov 2018 15:17:48 -0600
Subject: [PATCH 2/5] Formatting
---
 ed25519-donna/ed25519.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/ed25519-donna/ed25519.c b/ed25519-donna/ed25519.c
index 09d4a729f9..af167e089a 100644
--- a/ed25519-donna/ed25519.c
+++ b/ed25519-donna/ed25519.c
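Review bot: The added `ed25519_hash_update(&ctx, rzero, 64)` and `rzero[64]` hard-code the assumption that the hash block is 128 bytes (32 bytes of extsk + 32 of randr + 64 zeros), which holds for SHA-512 but is neither stated nor checked anywhere in the hunk; if the `ed25519_hash_*` layer is ever backed by a hash with a different block size, the message stops landing on a block boundary and the stated goal quietly fails. I would name the pad length once and document the arithmetic, e.g. `enum { ED25519_R_PAD = 128 - 32 - 32 }; /* hash block size minus extsk[32..63] and randr */`, then use `rzero[ED25519_R_PAD]` and `ed25519_hash_update(&ctx, rzero, ED25519_R_PAD);`. The comment would also be more useful if it said why the split matters: the first block mixes extsk only with fresh randr, so a power/EM trace of the block that absorbs attacker-chosen `m` sees a chaining value that changes every signature rather than a fixed secret (this rationale is inferred from the construction, not stated in the commit). ed25519_sign's body starts before the first hunk and continues after `expand256_modm`.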
@@ -66,15 +66,16 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
 ed25519_extsk(extsk, sk);
- /* r = H(aExt[32..64], randr, m) */
+ /* r = H(aExt[32..64], randr[0..31], zero[0..31], m) */
 ed25519_hash_init(&ctx);
 ed25519_hash_update(&ctx, extsk + 32, 32);
 ed25519_randombytes_unsafe(randr, 32);
 ed25519_hash_update(&ctx, randr, 32);
 /*
- Fill up the rest of the hash block.
- This puts the message (possibly known to a side channel attacker) in a separate block.
- */
+ * Fill up the rest of the hash block.
+ * This puts the message (possibly known to a side
+ * channel attacker) in a separate block.
+ */
 ed25519_hash_update(&ctx, rzero, 64);
 ed25519_hash_update(&ctx, m, mlen);
 ed25519_hash_final(&ctx, hashr);
From 62e896f085c4249783c50147e884425d38f1e0a9 Mon Sep 17 00:00:00 2001
From: Roy Keene
Date: Fri, 9 Nov 2018 15:18:57 -0600
Subject: [PATCH 3/5] Updated wording
---
 ed25519-donna/ed25519.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ed25519-donna/ed25519.c b/ed25519-donna/ed25519.c
index af167e089a..82d6bdabe7 100644
--- a/ed25519-donna/ed25519.c
+++ b/ed25519-donna/ed25519.c
@@ -66,13 +66,13 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
 ed25519_extsk(extsk, sk);
- /* r = H(aExt[32..64], randr[0..31], zero[0..31], m) */
+ /* r = H(aExt[32..64], randr[0..31], zero[0..63], m) */
 ed25519_hash_init(&ctx);
 ed25519_hash_update(&ctx, extsk + 32, 32);
 ed25519_randombytes_unsafe(randr, 32);
 ed25519_hash_update(&ctx, randr, 32);
 /*
- * Fill up the rest of the hash block.
+ * Pad with zeros the rest of the hash block.
 * This puts the message (possibly known to a side
 * channel attacker) in a separate block.
 */
From 08bad94db869933f15457bfd3aa675443b599c85 Mon Sep 17 00:00:00 2001
From: Roy Keene
Date: Fri, 9 Nov 2018 15:41:51 -0600
Subject: [PATCH 4/5] Updated ranges
---
 ed25519-donna/ed25519.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ed25519-donna/ed25519.c b/ed25519-donna/ed25519.c
index 82d6bdabe7..4879c98213 100644
--- a/ed25519-donna/ed25519.c
+++ b/ed25519-donna/ed25519.c
@@ -66,7 +66,7 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
 ed25519_extsk(extsk, sk);
- /* r = H(aExt[32..64], randr[0..31], zero[0..63], m) */
+ /* r = H(aExt[32..63], randr[0..31], zero[0..63], m) */
 ed25519_hash_init(&ctx);
 ed25519_hash_update(&ctx, extsk + 32, 32);
 ed25519_randombytes_unsafe(randr, 32);
From d31ec8692e7b8143acfcb0341ce8a5710e864a0f Mon Sep 17 00:00:00 2001
From: Roy Keene
Date: Fri, 9 Nov 2018 15:44:54 -0600
Subject: [PATCH 5/5] More words, and better too
---
 ed25519-donna/ed25519.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ed25519-donna/ed25519.c b/ed25519-donna/ed25519.c
index 4879c98213..d120c414d0 100644
--- a/ed25519-donna/ed25519.c
+++ b/ed25519-donna/ed25519.c
@@ -72,7 +72,8 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
 ed25519_randombytes_unsafe(randr, 32);
 ed25519_hash_update(&ctx, randr, 32);
 /*
- * Pad with zeros the rest of the hash block.
+ * Pad the rest of the hash block (which is 128
+ * bytes in size in our case) with zeros.
 * This puts the message (possibly known to a side
 * channel attacker) in a separate block.
 */