in src/main.rs [675:731]
fn large_s() -> Result<TestVector> {
let mut rng = new_rng();
// Pick a random scalar
let mut scalar_bytes = [0u8; 32];
rng.fill_bytes(&mut scalar_bytes);
let a = Scalar::from_bytes_mod_order(scalar_bytes);
debug_assert!(a.is_canonical());
debug_assert!(a != Scalar::zero());
// Pick a random nonce
let nonce_bytes = [0u8; 32];
rng.fill_bytes(&mut scalar_bytes);
// generate the r of a "normal" signature
let pub_key = a * ED25519_BASEPOINT_POINT;
let mut message = [0u8; 32];
rng.fill_bytes(&mut message);
let mut h = Sha512::new();
h.update(&nonce_bytes);
h.update(&message);
let mut output = [0u8; 64];
output.copy_from_slice(h.finalize().as_slice());
let r_scalar = curve25519_dalek::scalar::Scalar::from_bytes_mod_order_wide(&output);
let r = r_scalar * ED25519_BASEPOINT_POINT;
let s = r_scalar + compute_hram(&message, &pub_key, &r) * a;
debug_assert!(verify_cofactored(&message, &pub_key, &(r, s)).is_ok());
debug_assert!(verify_cofactorless(&message, &pub_key, &(r, s)).is_ok());
let s_nonreducing = Scalar52::from_bytes(&s.to_bytes());
let s_prime_bytes = Scalar52::add(&s_nonreducing, &non_reducing_scalar52::L).to_bytes();
// using deserialize_scalar is key here, we use `from_bits` to represent
// the scalar
let s_prime = deserialize_scalar(&s_prime_bytes)?;
debug_assert!(s != s_prime);
debug_assert!(verify_cofactored(&message, &pub_key, &(r, s_prime)).is_ok());
debug_assert!(verify_cofactorless(&message, &pub_key, &(r, s_prime)).is_ok());
debug!(
"S > L, large order A, large order R\n\
passes cofactored, passes cofactorless, often excluded from both, breaks strong unforgeability\n\
\"message\": \"{}\", \"pub_key\": \"{}\", \"signature\": \"{}\"",
hex::encode(&message),
hex::encode(&pub_key.compress().as_bytes()),
hex::encode(&serialize_signature(&r, &s_prime))
);
let tv = TestVector {
message,
pub_key: pub_key.compress().to_bytes(),
signature: serialize_signature(&r, &s_prime),
};
Ok(tv)
}