Normalize the s component of the generated signature.

synedrion/Cargo.toml

@@ -11,7 +11,7 @@ categories = ["cryptography", "no-std"]
 [dependencies]
 signature = { version = "2", default-features = false, features = ["alloc"] }
 # TODO: we only need `serde` feature in tests
-k256 = { version = "0.13", default-features = false, features = ["ecdsa", "arithmetic", "serde"] }
+k256 = { version = "0.13.2", default-features = false, features = ["ecdsa", "arithmetic", "serde"] }
 rand_core = { version = "0.6.4", default-features = false, features = ["getrandom"] }
 sha2 = { version = "0.10", default-features = false }
 sha3 = { version = "0.10", default-features = false }

synedrion/src/cggmp21/protocols/signing.rs

@@ -129,8 +129,6 @@ impl<P: SchemeParams> FinalizableToResult for Round1<P> {
         let s: Scalar = shares.iter().sum();
         let s = s + self.s_part;
 
-        // CHECK: should `s` be normalized here?
-
         let sig = RecoverableSignature::from_scalars(
             &self.r,
             &s,

synedrion/src/curve/ecdsa.rs

@@ -16,9 +16,13 @@ impl RecoverableSignature {
         vkey: &Point,
         message: &Scalar,
     ) -> Option<Self> {
-        // TODO: call `normalize_s()` on the result?
-        // TODO: pass a message too and derive the recovery byte?
         let signature = BackendSignature::from_scalars(r.to_backend(), s.to_backend()).ok()?;
+
+        // Normalize the `s` component.
+        // `BackendSignature`'s constructor does not require `s` to be normalized,
+        // but consequent usage of it may fail otherwise.
+        let signature = signature.normalize_s().unwrap_or(signature);
+
         let message_bytes = message.to_be_bytes();
         let recovery_id = RecoveryId::trial_recovery_from_prehash(
             &VerifyingKey::from_affine(vkey.to_backend().to_affine()).ok()?,