edwards: make zip215 false Strongly Binding Signature (SBS) secure. gh-40

README.md

@@ -121,7 +121,10 @@ x25519 ECDH and [ristretto255](https://datatracker.ietf.org/doc/html/draft-irtf-
 
 Default `verify` behavior follows [ZIP215](https://zips.z.cash/zip-0215) and
 [can be used in consensus-critical applications](https://hdevalence.ca/blog/2020-10-04-its-25519am).
-`zip215: false` option switches verification criteria to RFC8032 / FIPS 186-5.
+`zip215: false` option switches verification criteria to stricter
+RFC8032 / FIPS 186-5 which is also
+SUF-CMA (strong unforgeability under chosen message attacks) and
+SBS (Strongly Binding signature) as per [eprint 2020/1244](https://eprint.iacr.org/2020/1244).
 
 ```ts
 import { ed25519 } from '@noble/curves/ed25519';

src/abstract/edwards.ts

@@ -474,6 +474,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     } catch (error) {
       return false;
     }
+    if (!zip215 && A.isSmallOrder()) return false;
 
     const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
     const RkA = R.add(A.multiplyUnsafe(k));

test/ed25519.test.js

@@ -410,12 +410,9 @@ describe('ed25519', () => {
     }
   });
 
-  should('not verify when x=0 and x_0 = 1 (RFC8032)', () => {
-    const list = [edgeCases[8], edgeCases[10], edgeCases[11]];
-    for (let v of list) {
-      const result = ed.verify(v.signature, v.message, v.pub_key, { zip215: true });
-      strictEqual(result, true, `zip215: true must validate: ${v.signature}`);
-    }
+  should('have strict SUF-CMA and SBS properties', () => {
+    // https://eprint.iacr.org/2020/1244
+    const list = [0, 1, 6, 7, 8, 9, 10, 11].map((i) => edgeCases[i]);
     for (let v of list) {
       const result = ed.verify(v.signature, v.message, v.pub_key, { zip215: false });
       strictEqual(result, false, `zip215: false must not validate: ${v.signature}`);