Merge commit from fork

* fix: assert s < l eddsa

* fix: assert r, s < l in ecdsa

Author: ThomasPiellard

std/signature/ecdsa/ecdsa.go

@@ -59,6 +59,10 @@ func (pk PublicKey[T, S]) prepareVerification(api frontend.API, params sw_emulat
 	if err != nil {
 		panic(err)
 	}
+
+	scalarApi.AssertIsLessOrEqual(&sig.S, scalarApi.Modulus())
+	scalarApi.AssertIsLessOrEqual(&sig.R, scalarApi.Modulus())
+
 	pkpt := sw_emulated.AffinePoint[T](pk)
 	msInv := scalarApi.Div(msg, &sig.S)
 	rsInv := scalarApi.Div(&sig.R, &sig.S)

std/signature/eddsa/eddsa.go

@@ -53,6 +53,9 @@ func Verify(curve twistededwards.Curve, sig Signature, msg frontend.Variable, pu
 		Y: curve.Params().Base[1],
 	}
 
+	// Assert S < GroupSize (see https://datatracker.ietf.org/doc/html/rfc8032#section-3.4)
+	curve.API().AssertIsLessOrEqual(sig.S, curve.Params().Order)
+
 	//[S]G-[H(R,A,M)]*A
 	_A := curve.Neg(pubKey.A)
 	Q := curve.DoubleBaseScalarMul(base, _A, sig.S, hRAM)

std/signature/eddsa/eddsa_test.go

@@ -42,6 +42,47 @@ func (circuit *eddsaCircuit) Define(api frontend.API) error {
 	return Verify(curve, circuit.Signature, circuit.Message, circuit.PublicKey, &mimc)
 }
 
+// Forge signature: S → S + order
+func forge(id tedwards.ID, sig []byte) ([]byte, error) {
+
+	forged := make([]byte, len(sig))
+	copy(forged, sig)
+
+	var offset int
+	switch id {
+	case tedwards.BN254:
+		offset = 32
+	case tedwards.BLS12_381:
+		offset = 32
+	case tedwards.BLS12_377:
+		offset = 32
+	case tedwards.BW6_761:
+		offset = 48
+	case tedwards.BLS24_317:
+		offset = 32
+	case tedwards.BLS24_315:
+		offset = 32
+	case tedwards.BW6_633:
+		offset = 40
+	default:
+		panic("not implemented")
+	}
+
+	s := new(big.Int).SetBytes(sig[offset:])
+	params, err := twistededwards.GetCurveParams(id)
+	if err != nil {
+		return nil, err
+	}
+	s.Add(s, params.Order)
+
+	sizeS := len(sig) - offset
+	buf := make([]byte, sizeS)
+	copy(buf[sizeS-len(s.Bytes()):], s.Bytes())
+
+	copy(forged[offset:], buf)
+	return forged, nil
+}
+
 func TestEddsa(t *testing.T) {
 
 	assert := test.NewAssert(t)
@@ -110,9 +151,17 @@ func TestEddsa(t *testing.T) {
 		invalidWitness.PublicKey.Assign(conf.curve, pubKey.Bytes())
 		invalidWitness.Signature.Assign(conf.curve, signature)
 
+		var invalidWitnessOverflow eddsaCircuit
+		invalidWitnessOverflow.Message = msg
+		invalidWitnessOverflow.PublicKey.Assign(conf.curve, pubKey.Bytes())
+		forgedSig, err := forge(conf.curve, signature)
+		assert.NoError(err, "forging signature")
+		invalidWitnessOverflow.Signature.Assign(conf.curve, forgedSig)
+
 		assert.CheckCircuit(&circuit,
 			test.WithValidAssignment(&validWitness),
 			test.WithInvalidAssignment(&invalidWitness),
+			test.WithInvalidAssignment(&invalidWitnessOverflow),
 			test.WithCurves(snarkCurve))
 
 	}