From e7030a5d5fcd9c52c97a6888dbfe5d438349eb47 Mon Sep 17 00:00:00 2001
From: ackratos <zhaocong89@gmail.com>
Date: Thu, 3 Dec 2020 13:29:44 +0800
Subject: [PATCH] S in eddsa signature is not encoded correctly

---
 eddsa/signing/finalize.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/eddsa/signing/finalize.go b/eddsa/signing/finalize.go
index 7313580a..87c9e34b 100644
--- a/eddsa/signing/finalize.go
+++ b/eddsa/signing/finalize.go
@@ -37,11 +37,12 @@ func (round *finalization) Start() *tss.Error {
 		edwards25519.ScMulAdd(&tmpSumS, sumS, bigIntToEncodedBytes(big.NewInt(1)), sjBytes)
 		sumS = &tmpSumS
 	}
+	s := encodedBytesToBigInt(sumS)
 
 	// save the signature for final output
 	round.data.Signature = append(bigIntToEncodedBytes(round.temp.r)[:], sumS[:]...)
 	round.data.R = round.temp.r.Bytes()
-	round.data.S = sumS[:]
+	round.data.S = s.Bytes()
 	round.data.M = round.temp.m.Bytes()
 
 	pk := edwards.PublicKey{
@@ -49,7 +50,6 @@ func (round *finalization) Start() *tss.Error {
 		X:     round.key.EDDSAPub.X(),
 		Y:     round.key.EDDSAPub.Y(),
 	}
-	s := encodedBytesToBigInt(sumS)
 
 	ok := edwards.Verify(&pk, round.temp.m.Bytes(), round.temp.r, s)
 	if !ok {