EdDSA is a standardised elliptic curve digital signature scheme introduced to overcome some of the issues prevalent in the more established ECDSA standard. Due to the EdDSA standard specifying that the EdDSA signature be deterministic, if the signing function were to be used as a public key signing oracle for the attacker, the unforgeability notion of security of the scheme can be broken. This paper describes an attack against some of the most popular EdDSA implementations, which results in an adversary recovering the private key used during signing. With this recovered secret key, an adversary can sign arbitrary messages that would be seen as valid by the EdDSA verification function. A list of libraries with vulnerable APIs at the time of publication is provided. Furthermore, this paper provides two suggestions for securing EdDSA signing APIs against this vulnerability while it additionally discusses failed attempts to solve the issue.
I. INTRODUCTION
Since it was first proposed independently in the late ’80s by Koblitz [1] and Miller [2], Elliptic Curve Cryptography (ECC) has become the preferred choice for constructing classical public-key cryptosystems. The critical advantage of ECC is its capability to construct public key cryptosystems with a smaller key size than its discrete logarithm-based counterparts. For example, the Digital Signature Algorithm (DSA) proposed by the National Institute of Standards and Technology (NIST) for their Digital Signature Standard (DSS) (attributed to Kravitz [3]) has an ECC counterpart, the Elliptic Curve Digital Signature Algorithm (ECDSA) [4], which boasts greater efficiency and smaller key sizes while achieving similar levels of security. However, ECDSA is not without its share of common pitfalls that implementations can suffer from. For example, key recovery attacks are enabled by poorly generated random values [5] and nonce re-usage [6]. Lattice-based attacks, such as those using the Lenstra-Lenstra-Lovász (LLL) method [7], have also been used to recover information about private keys from weak ECDSA signatures successfully [8], [9].
With the evident problems in ECDSA implementations and a loss of trust in NIST after the Snowden revelations, the cryptography community shifted towards a new cryptosystem based on Curve25519 proposed by Bernstein in 2006 [10]. In 2012, Bernstein et al. [11] proposed using the Edwards variant of Curve25519 to construct a deterministic Schnorr-like [12] digital signature scheme. This scheme became the Edwards-curve Digital Signature Algorithm (EdDSA). One of the main advantages of EdDSA over other ECC signature schemes is how the scalar multiplication of points on the curve can be implemented without branching and lookups depending on a secret value [11]. Due to its many advantages over ECDSA [13], EdDSA quickly became widely implemented and was eventually standardised in both RFC 8032 [14] and NIST’s own FIPS 186-5 [15].
This paper discloses an undiscovered vulnerability related to the implementation of EdDSA. This vulnerability is severe enough that adversaries can easily exploit it to extract the private key during the EdDSA signing process. This attack requires that an adversary use the signing function as an oracle that expects arbitrary public keys as inputs. While the majority of applications that use EdDSA are unlikely to expose signing functions to end users publicly or may mitigate the issue before signing invocation, there are some applications in which private and public keys are managed in different ways, exposing the surface to attack by adversaries. The details of this attack are given later in the paper, along with ways to mitigate the attack easily.
The rest of this paper is organised as follows: In the remainder of this section, various work related to EdDSA and its vulnerabilities is outlined, and the contributions of this paper are specified. In Section II provides background information on the EdDSA algorithm required for the rest of the paper. Section III describes the double public key signing function oracle attack and gives a list of libraries with EdDSA implementations vulnerable to the attack. In Section IV, possible countermeasures against the described vulnerability are given and Section V concludes the paper.
A. Related Work
Since the proposal of Ed25519 by Bernstein et al. [11] in 2012 and the subsequent generalisation of the algorithm into EdDSA [13], there has been a significant amount of work detailing various formal security notions of EdDSA as well as attacks to both the algorithm itself and implementation of the algorithm. Due to the fact that its construction is heavily based on the Schnorr signature scheme [12], security of the schemes proposed by Bernstein et al. in [11] and [16] is based on similar assumptions. More recently, Brendel et al. [17] gave a comprehensive security analysis of Ed25519 based on its…
They found that certain implementations guarantee stronger security than others. Furthermore, work by Chalkias et al. [18] was done to formalise EdDSA implementations under the strictest notions of security.
There have also been some high-profile attacks against EdDSA. In 2017, an issue arose in an implementation of Ed25519 used by the Monero crypto-currency, which allowed users to get around double-spending prevent ions. This issue was mitigated by checking the order of the key using full scalar multiplication and arose due to the unique way in which Monero used Ed25519 [19]. Samwel et al. [20] demonstrated that differential power analysis could be used on Ed25519’s underlying hash function SHA-512. In particular, their work targeted the WolfSSL implementation and required 4000 EM traces to be successful. In an extension to this work, Weissbart et al. [21] used machine learning techniques to reduce this attack to a single EM trace.
Another type of attack against EdDSA is a fault attack. Romallier and Pelissier [22] demonstrated that a single fault in the EdDSA signing process could be used to recover enough private key material for an attacker to sign arbitrary messages. Poddebniak et al. [23] also studied fault attacks against deterministic digital signature schemes such as EdDSA, formalising requirements for protocols to be vulnerable to these types of attacks. Approaching the same problem slightly differently, Cao et al. [24] constructed lattice-based attacks to recover private key information from deterministic digital signature schemes vulnerable to fault attacks.
This work presents an attack on the standard rather than an attack on implementation-specific details found in EdDSA software or hardware. More specifically, the standards fail to specify the format of key input into the EdDSA signing function. Due to the algorithmic details, if an adversary was able to use the signing function as an Oracle expecting arbitrary public key inputs, then it is possible for them to recover the full private key trivially. To the best of the authors’ knowledge, this issue was unreported until now.
B. Contributions
- A new attack against the EdDSA standards RFC 8032 [14] and FIPS 186-5 DSS [15] is presented. It is shown that unless necessary precautions are taken, an adversary can perform full private key recovery if given Oracle access to the EdDSA signing function.
- A list of potentially unsafe EdDSA libraries is given. At the time of writing, there are 45 libraries impacted by this vulnerability. Misuse of these libraries can result in private key exposure. Currently, 8 of the 45 impacted libraries have implemented fixes to the issues after notification.
- Finally, two countermeasures against this type of attack are given. These countermeasures are simple changes to the vulnerable EdDSA software implementations found in many libraries. Both changes require only a small amount of additional overhead in the signing function.
II. Edwards-curve Digital Signature Algorithm
EdDSA is a digital signature algorithm similar to ECDSA [4] proposed by Bernstein et al. [11]. RFC 8032 [14] defines EdDSA for two twisted Edwards curves Ed25519 (similar to curve25519 proposed by Bernstein [10]) and Ed448; however, EdDSA may be instantiated over other curves. For a fixed field (k), a twisted Edwards curve with the coefficients (a, d \in k) is the curve:
[ E_{a,d} : ax^2 + y^2 = 1 + dx^2 y^2 ]
where (a) and (b) are non-zero elements. For example, Ed25519 (curve25519) is defined over (\mathbb{F}_p) where (p = 2^{255} – 19). Similarly, Ed448 is defined over (\mathbb{F}_p) where (p = 2^{448} – 2^{224} – 1) and offers a 224-bit security level compared to the 128-bit security of Ed25519.
The sum of two points in the Ed25519 and Ed448 curves is represented by the following addition rule:
[ (x_1, y_1) + (x_2, y_2) = \frac{x_1 y_2 + y_1 x_2 – ax_1 x_2}{1 + dx_1 x_2 y_1 y_2}, \frac{y_1 y_2 – ax_1 x_2}{1 – dx_1 x_2 y_1 y_2} ]
where the point ((0, 1)) is the neutral element. The above rule can also be used for point doubling and addition. Adding a point (P) to itself (n) times is the same as multiplication by a scalar, denoted as (n \cdot P).
| Parameter | Ed25519 | Ed448 |
|---|---|---|
| Field Modulus (p) | (2^{255} – 19) | (2^{448} – 2^{224} – 1) |
| Key Bits (b) | 256 | 456 |
| Hash Function (H) | SHA-512 | SHAKE256 |
| Cofactor (c) | 8 | 4 |
| Coefficient (d) | (-121665/121666) | (-39081) |
| Coefficient (a) | -1 | 1 |
| Base Point (G) | ((x, y) \in \mathbb{F}_p^2) (see [25]) | ((x, y) \in \mathbb{F}_p^2) (see [25]) |
| Curve Order (ℓ) | see [25] | see [25] |
EdDSA uses a Fiat-Shamir transformed Schnorr-like identification protocol to generate a cryptographic signature based on elliptic curve point addition. The EdDSA protocol is standardised under the Ed25519 and Ed448 curves; the parameters for both curves are given in Table I. Note that the actual number of points on the curve is (|E_{a,d}| = c \cdot ℓ). The presence of the cofactor (c) in the order of the curve makes it harder to use in applications where prime-order groups are required for cryptographic proof.
The elliptic curve group (E_{a,d}) is isomorphic to (\mathbb{Z}d \times \mathbb{Z}c), where a base point (G \in E{a,d}) generates a subgroup of order (ℓ) and a small torsion point (T_c \in E{a,d}) generates the subgroup of order (c). Any point (P \in E_{a,d}) can be uniquely represented as the linear combination of (G) and (T_c) with (P = g \cdot B + t \cdot T_c) where (0 \leq g < ℓ) and (0 \leq t < c). In this case, the discrete log of (P) base (G) is (g). (P) is small order if (g = 0), mixed order if (t \neq 0) and (g \neq 0), and order (ℓ) if (g \neq 0) and (t = 0).
A. EdDSA Signing
As defined in the RFC 8032 standard [14], EdDSA uses a b-bit long private key ( pk ) and a hash function ( H ) that produces a 2b-bit output. An integer ( s ) is generated by taking the hash of the secret key ( H(sk) = (h_0, h_1, \ldots, h_{2b-1}) ) and computing [ s = 2^{b-1} + \sum_{3 \leq i \leq b-3} 2^i h_i. ] The public key ( pk ) is then computed by taking the curve’s base point ( G ) as defined in the public parameters and computing ( s \cdot G ).
Algorithm 1: EdDSA Signing
Input: ( m, H, sk, G, ) and ( pk )
Output: The signature ((R, S))
- ( h := H(sk) )
- ( s := 2^{b-1} + \sum_{3 \leq i \leq b-3} 2^i h_i )
- ( r := H(h_0, \ldots, h_{2b-1} || m) \mod \ell )
- ( R := r \cdot G )
- ( S := r + H(R || pk || m) \mod \ell )
- return ((R, S))
The signature ((R, S)) of a message ( m \in {0, 1}^* ) is computed according to Algorithm 1. A significant difference between EdDSA and ECDSA is the signature generated is deterministic in EdDSA; in other words, for a message, any signature computed using the same key pair and public parameters will always be the same.
Both signatures and keys can be encoded for space-efficient transmission. According to the RFC 8032 standard [14], an element of the scalar field ((\mod \ell)) is encoded with a 256-bit little-endian string. If the scalar is reduced ( \mod \ell ) it is considered to be a canonical encoding; otherwise, it is non-canonical. A point ( P = (x, y) \in E_{a,d} ) is also encoded as a 256-bit string, with 255 bits devoted to the encoding of ( y ) in little-endian format and a single bit devoted to the encoding the sign of ( x ). Given a serialisation of ( P ) the ( x ) coordinate is restored via [ x := \pm \sqrt{(y^2 – 1)/(dy^2 + 1)}. ] If the ( y ) coordinate is reduced ( \mod p ) encoding is canonical; otherwise, it is non-canonical.
B. EdDSA Signature Verification
The EdDSA verification algorithm given in Algorithm 2 generally conforms to both the RFC 8032 standard and [14], and the NIST FIPS 186-5 standard [15], while also providing the strongest notion of security defined by Brendel et al. [17] and Chalkias et al. [18]: Strong UnForgeability under Chosen Message Attacks (SUF-CMA) with Strongly Binding Signatures (SBS). This means that efficient adversaries cannot output valid signatures on new messages nor find a new signature for old messages. Furthermore, messages are bound to the public key, a property shown to be lacking in the RFC 8032 variant of EdDSA [17].
The verification algorithm given in Algorithm 2 performs several checks to ensure the scheme’s security against various attacks. First, the generic check to ensure that the public key ( pk ) and the point ( R ) from the signature ((R, S)) are valid points on the curve ( E_{a,d} ) is performed. The algorithm then ensures that the scalar value ( S ) is not any of the values ( 0, \ldots, \ell – 1 ), since ( S’ := S + n \cdot \ell ) would also satisfy the verification algorithm for ( n \in \mathbb{Z} ). Checking the value of ( S ) ensures that the scheme satisfies the requirements for SUF-CMA [17]. The algorithm then rejects any non-canonical encodings of ( pk ) and ( R ). Rejecting non-canonical encodings is required by both RFC 8032 [14] and FIPS 186-5 [15].
Algorithm 2: EdDSA Verification
Input: ( m, (R, S), H, G, ) and ( pk )
Output: ( b \in {0, 1} )
- if ( pk \not\in E_{a,d} ) or ( R \not\in E_{a,d} ) then
- return ( 0 )
- end if
- if ( S \not\in {0, \ldots, \ell – 1} ) or ( |pk| \geq \ell ) or ( |R| \geq \ell ) then
- return ( 0 )
- end if
- if ( pk = t \cdot T_c ) for ( \forall t \in {0, \ldots, c – 1} ) and ( \forall T_c \in E_{a,d} ) then
- return ( 0 )
- end if
- if ( c \cdot S \cdot G = c \cdot R + c \cdot H(R || pk || m) \cdot pk ) then
- return ( 1 )
- end if
- return ( 0 )
The final check ensures that the public key ( pk ) used to sign the message is not one of a set of small order points on the curve ( E_{a,d} ). This check is not part of any standard and rarely appears in practical implementations. This additional check aims to ensure public keys are strongly bound to the signature to achieve the SBS security notion. This is because if ( pk ) is a ( c )-torsion point, an adversary can any value for their signature such that ( S \cdot G = R ) and the resulting signature verifies under any message. Bernstein et al. [11] identified this vulnerability in work but regarded it as unproblematic. However, some specific cases have arisen where checking for small-order keys becomes important, specifically for building specialised protocols [17]. While this may seem a cumbersome addition to the verification process, the number of small-order public keys is quite small and can be pre-computed and stored for fast verification [18].
Verification of an EdDSA signature can be done either cofactored or cofactorless. The verification described by Algorithm 2 is cofactored. If the implementation uses cofactorless implementation, then it is required to reduce ( H(R || pk || m) ) to the range ([0, \ell)) before multiplication by ( pk ). Not doing so may cause implementers to disagree on the validity of signatures generated by mixed-order public keys. When performing cofactored verification, multiplication by ( c ) should be performed as a separate scalar-by-point multiplication. Failing to ensure separate scalar-by-point multiplication can cause the result in ( c \cdot H(R || pk || m) \mod \ell ) not being divisible by ( c ) and thus, not clear the low order component in ( pk ) if it exists. While Bernstein et al. [11] originally proposed to use cofactorless verification, EdDSA standards recommend using the cofactored verification algorithm [14], [15].
III. DOUBLE PUBLIC KEY SIGNING FUNCTION ORACLE ATTACK
The discovered vulnerability takes the form of an oracle attack. The oracle uses the signing function of a deterministic signature scheme with a fixed secret key and message parameters to compute a signature given an arbitrary public key. If given access to this type of oracle, an adversary can use it to recover the secret key by submitting two different public keys. In this section, an attack methodology is described, and a list of affected libraries and their current status on fixing the issue is given.
A. Attacking EdDSA
According to both the RFC 8032 [14] and FIPS 186-5 [15] standards, EdDSA signatures are deterministic. This means that for the same message ( m \in {0, 1}^* ) input to a signing function with public key ( pk ) and secret key ( sk ), a unique signature ((R, S)) is generated. An important detail of the signing function given in Algorithm 1 is that the signer’s public key is used in the deterministic computation of the scalar value ( S ) but not the point on the curve ( R ) in the signature ((R, S)). The implication of this is that if an adversary was able to use the signing function as an oracle that expects arbitrary public key inputs, they could compute two signatures ((R, S)) and ((R’, S’)) corresponding to the same ( m ).
Assuming access to a signing oracle ( O_{\text{sign}}(m) ) with fixed parameters ( m ) and ( sk ), the adversary would perform the following steps to recover ( sk ):
Step 1: The adversary queries the oracle with two public keys ( pk ) and ( pk’ ). The public keys need not be paired to the fixed secret key ( sk ). The resulting signatures share the same ( R ) value and differ on the ( S ) values.
- Compute ( pk := s \cdot G ) and ( pk’ := s’ \cdot G ) where ( s \neq s’ ). Note that ( pk ) and ( pk’ ) should satisfy the requirements of the EdDSA scheme.
1.2 Query ( O_{\text{sign}}(m) ) with ( pk ) and ( pk’ ) and receive the two signatures ( \sigma ) and ( \sigma’ ).
1.3 Check that for ( \sigma = (R, S) ) and ( \sigma’ = (R’, S’) ) the values ( R = R’ ).
Step 2: With the two signatures ( \sigma ) and ( \sigma’ ) corresponding to ( pk ) and ( pk’ ) the adversary can now attempt to recover ( sk ). When signing a message, the signing algorithm computes the ( S ) value as ( S = r + H(R || pk || m) \cdot s ) (mod ( \ell )). Because ( r ) is derived from ( sk ) which is the same for both signatures, and ( R, pk ), and ( m ) are all known to the adversary, they can use this to compute ( s ).
2.1 The adversary computes ( e := H(R || pk || m) ) and ( e’ := H(R || pk’ || m) ).
2.2 Because ( S = r + e \cdot s ) (mod ( \ell )) and ( S’ = r + e’ \cdot s ) (mod ( \ell )), subtracting ( S’ ) from ( S ) gives the following
[ S – S’ = r + e \cdot s – r + e’ \cdot s \quad \text{(mod ( \ell ))} ]
[ e = s \cdot e – s’ \cdot e’ \quad \text{(mod ( \ell ))} ]
[ s = (s – e’ – e) \quad \text{(mod ( \ell ))} ]
2.3 Dividing ( S – S’ ) through by ( e – e’ ) to recover the value
[ s = (S – S’)/(e – e’) \quad \text{(mod ( \ell ))} ]
After completing step 2, the adversary has access to the secret integer ( s ), which can be used to arbitrarily compute values of ( S ). Even if ( s ) is known, it remains impossible to compute a ( r ) value for a new message since the values ( h_b, \ldots, h_{2b-1} ) are unknown to the adversary. However, selecting any random value of ( r ) can computing a new signature ( \sigma = (R, S) ) for any message ( m ) still satisfies
[ c \cdot S \cdot G = c \cdot (r + H(R || pk || m) \cdot s) \cdot G ]
[ = c \cdot R + c \cdot H(R || pk || m) \cdot s \cdot G ]
[ = c \cdot R + c \cdot H(R || pk || m) \cdot pk ]
meaning the verification algorithm still holds. Therefore, it is still possible to sign arbitrary messages, effectively breaking the SUF-CMA security with the SBS notion of security that EdDSA guarantees.
B. Vulnerable Libraries
There are a huge number of software implementations of EdDSA across many different languages. To give an idea of how common this vulnerability can be, a table of vulnerable libraries can be seen in Table 1. Most of these libraries are taken from the IANIX list of “Things that use Ed25519” [26]. These libraries have been notified of the issues, and their current status of fixing the vulnerability at the time of publication is included in the table.
IV. COUNTERMEASURES
Fortunately, due to the nature of the oracle attack, the majority of applications with dependencies on the libraries listed in Table 1 probably are safe due to not publicly exposing affected signing functions. That said, due to the nature of these libraries, a user can inadvertently expose the attack surface when building their application, as was the case with Monero in 2017 [19]. Therefore, it is recommended that the implementer of the EdDSA standard follow one of two methods to prevent this attack: Correctly storing the public key along with the secret key or re-deriving the public key from the secret key each time the signing function is invoked.
Listing 1. ‘OpenGNB public-key signature C interface’
void ed25519_sign(unsigned char* signature, unsigned char const* message, size_t message_len);
1A comprehensive list of libraries and requested fixes can be found here: https://github.com/MystenLabs/ed25519-unsafe-libs
The double public key signing function oracle attack occurs primarily due to insecure APIs around the signing function of the deterministic signature scheme. For example, the Ed25519 signing function taken from the OpenGNB library shown in Listing 1 has two separate arguments for the public and private keys. If an application using this library exposes this API publicly or mishandles the management of the keys, it could expose itself to the attack. The solution to this is to redesign the API to ensure that the secret and public keys pair are always tied together. It is common practice in many libraries to only accept a secret key in the signing function. For example, the Ed25519 signing function taken from the Libsodium library shown in Listing 2 accepts only the signature, message, and secret key as an argument. However, the public key is still required by the signing algorithm. There are two solutions to this.
Listing 2. ‘Libsodium public-key signature C interface’
int crypto_sign(unsigned char* sm,
unsigned long long* smlen_p,
unsigned char const* m,
unsigned long long mlen,
unsigned char const* sk);
Listing 2. Libsodium public-key signature C interface.
A. Correct Key Storage
The simplest solution is to ensure the public and private keys are stored together and accept them as a single argument to the signing function. This is also slightly more efficient computationally than the other option. Both the public and private keys for EdDSA are 32 or 57-byte for Ed25519 and Ed448, respectively. The solution found in the majority of libraries is to generate the public-private keypair and store the secret key as a 64-byte string. The first 32 bytes are the private key, with the remaining 32 bytes being the public key. The main downside of this is the private key is now 64 or 114 bytes for Ed25519 and Ed448. However, this increased storage space should be acceptable in all but the most extreme cases.
Listing 3. ‘An example of safe Ed25519 key generation and storage’
void ed25519_keypair(unsigned char* pk,
unsigned char* sk) {
unsigned char seed[32];
randombytes(seed, 32);
sha512(seed, seed, 32);
gen_pk(pk, sk);
memmove(sk, seed, 32);
memmove(sk + 32, pk, 32);
}
Listing 3. An example of safe Ed25519 key generation and storage.
In Listing 3, an example of safe key generation and storage is given based on the Libsodium Ed25519 implementation. In this example, the seed byte array is stored as the first 32 bytes of the private key sk. This means that the users of the library can retrieve the initial random seed used to generate the public and private key pair. When invoking the signing function, the secret key would be derived by taking the first 32 bytes and…
Table II
| Library | Language | Fixed |
|---|---|---|
| OpenGNB | C | x |
| GNU Nettle | C | x |
| iroha-ed25519 (Hyperledger Project) | ASM/C | x |
| ed25519-donna (Andrew Moon) | C | x |
| ed25519 (Orson Peters) | C | x |
| libbrine (Kevin Smith) | C | x |
| Ed25519 (ArduinoLibs) | C++ | x |
| Trezor firmware | C | ✓ |
| Harbour (Viktor Szakats) | C | ✓ |
| ed25519 (Hans Wolff) | C# | x |
| Ed25519 (CryptoManiac) | C# | x |
| ed25519-dalek | Rust | ✓ |
| polkadot-js/wasm | Rust/WASM | ✓ |
| ed25519_dart (Oleksii Semeshchuk) | Dart | x |
| riclava_ed25519 (riclava) | Dart | x |
| ed25519 (Kevin Downey) | Clojure | x |
| hs-scraps (Vincent Hanquez) | Haskell | x |
| ed25519-java (k3d3) | Java | x |
| ed25519 (Bjorn Arnelid) | Java | x |
| Punisher.NaCl (Arpan Jati) | Java | x |
| ED25519 (Mick Michalski) | Java | x |
| vRallev/ECC-25519 | Java | x |
| ed25519-elizabeth | Java | ✓ |
| Crypt::Ed25519 (Marc Lehmann) | Perl | x |
| ed25519.py (Ed25519 authors) | Python | x |
| pyca/ed25519 | Python | x |
| python-pure25519 (Brian Warner) | Python | x |
| nmed25519 (naturalmessage) | Python | x |
| ed25519.py (Shiho Midorikawa) | Python | x |
| py-ed25519-bindings | Python | x |
| ed25519swift (pebble8888) | Swift | x |
| supercop.js (1p6 Flynx) | JS | x |
| substack/ed25519-supercop | JS | x |
| libeddsa (Philipp Lay) | C | x |
| SommerEngineering/Ed25519 | C# | x |
| ChorusOne/solanity | CUDA | x |
| ncme/c25519 | C | x |
| luazen (Phil Leblanc) | C | x |
| amber (Pelayo Bernedo) | C++ | x |
| FLD ECC AVX2 | C | x |
| mwmiller/ed25519_ex | Elixir | x |
| php-ed25519-ext | PHP | x |
| niv/ed25519.nim (Bernhard Stöckner) | Nim | x |
| mipher (Marco Paland) | Typescript | x |
| Monocypher | C | ✓ |
| LuaMonocypher | Lua | x |
| monocypher.cr | Crystal | x |
| py_ssh_keygen_ed25519 (Péter Szabó) | Python | x |
| KinomaJS | Javascript | x |
| erlang-libdecaf | Erlang | ✓ |
| gen-ed25-keypair | Haskell | x |
| horse25519 (Yawning Angel) | C | ✓ |
hashing them with the SHA-512 hash function, and the public key would be the remaining 32 bytes.
B. Public Key Re-derivation
The other option is to receive the public key on every invoke of the signing function. Obviously, this consumes significantly more CPU cycles in the long term than storing the public key alongside the private key, as suggested in Section IV-A. However, the additional space requirements are no longer necessary, which may be more suitable for use cases with extreme memory restrictions. This solution is far less common to see in software implementations of EdDSA.
void ed25519_sign(unsigned char * sig, unsigned char const * m, size_t mlen, unsigned char const * sk)
{
unsigned char s[32];
unsigned char pk[32];
sha512(s, sk, 32);
gen_pk(pk, s);
...
}
Listing 4. An example of signing with public key re-derivation.
In Listing 4, an example of an Ed25519 signature function with key re-derivation is given. In this example, the secret key sk given is expected to be a 32-byte seed array much like that from Listing 3. The secret key is then regenerated using the SHA-512 hash function, which is passed to the public key generation function, which performs the point multiplication.
The rest of the Ed25519 signing function would then be implemented as per the standard.
V. CONCLUSION
In this work, an attack against the EdDSA standard is presented. Due to the deterministic nature of EdDSA signatures, an adversary with access to the signing function that accepts arbitrary public keys can recover the secret signing value by submitting as little as two different public keys. The adversary can sign arbitrary messages using this signing value, breaking the unforgeability security notion of digital signature schemes. The attack can occur primarily from software implementation APIs presenting an adversary’s opportunity to submit multiple public keys to the signing function, creating different signatures for the same message and private key. This attack presents a real threat if applications expose these APIs publicly or fail to manage public-private key pairs correctly. A list of libraries that implement the Ed25519 standard and are vulnerable to this attack is given. Additionally, two countermeasures are proposed to prevent the attack.
References
[1] N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, pp. 203–209, 1987.
[2] V. S. Miller, “Use of elliptic curves in cryptography,” in Advances in Cryptology — CRYPTO ’85 Proceedings, H. C. Williams, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1986, pp. 417–426.
[3] D. W. Kravitz, “Digital signature algorithm,” May 1993, U.S. Patent US5231668A.
[4] D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digital signature algorithm (ecdsa),” International Journal of Information Security, vol. 1, no. 1, pp. 36–63, Aug 2001. [Online]. Available: https://doi.org/10.1007/s102070100002
[5] P. Q. Nguyen and I. E. Shparlinski, “The insecurity of the elliptic curve digital signature algorithm with partially known nonces,” Designs, Codes and Cryptography, vol. 30, no. 2, pp. 201–217, Sep 2003. [Online]. Available: https://doi.org/10.1023/A:1025436905711
[6] M. Brengel and C. Rossow, “Identifying key leakage of bitcoin users,” in Research in Attacks, Intrusions, and Defenses, M. Bailey, T. Holz, M. Stamatogiannakis, and S. Ioannidis, Eds. Cham: Springer International Publishing, 2018, pp. 623–643.
[7] A. K. Lenstra, H. W. Lenstra, and L. Lovász, “Factoring polynomials with rational coefficients,” Mathematische Annalen, vol. 261, no. 4, pp. 515–534, Dec 1982. [Online]. Available: https://doi.org/10.1007/BF01457454
[8] D. Poulakis, “Some lattice attacks on dsa and ecdsa,” Applicable Algebra in Engineering, Communication and Computing, vol. 22, no. 5, pp. 347–358, Dec 2011. [Online]. Available: https://doi.org/10.1007/s00200-011-0154-1
[9] T. Breitner and N. Heninger, “Biased nonce sense: Lattice attacks against weak ecdsa signatures in cryptocurrencies,” in Financial Cryptography and Data Security, I. Goldberg and T. Moore, Eds. Cham: Springer International Publishing, 2019, pp. 3–20.
[10] D. J. Bernstein, “Curve25519: New diffie-hellman speed records,” in Public Key Cryptography – PKC 2006, M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2006, pp. 207–228.
[11] D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang, “High-speed high-security signatures,” Journal of Cryptographic Engineering, vol. 2, no. 2, pp. 77–89, Sep 2012. [Online]. Available: https://doi.org/10.1007/s13389-012-0027-1
[12] C. P. Schnorr, “Efficient identification and signatures for smart cards,” in Advances in Cryptology — CRYPTO’ 89 Proceedings, G. Brassard, Ed. New York, NY: Springer New York, 1990, pp. 239–252.
[13] D. J. Bernstein, S. Josefsson, T. Lange, P. Schwabe, and B.-Y. Yang, “Eddsa for more curves,” Cryptology ePrint Archive, Paper 2015/677, 2015. [Online]. Available: https://eprint.iacr.org/2015/677
[14] S. Josefsson and I. Liusvaara, “Edwards-curve digital signature algorithm (EdDSA),” Tech. Rep., jan 2017.
[15] D. Moody, “Digital signature standard (DSS),” Tech. Rep., 2023.
[16] D. J. Bernstein, S. Josefsson, T. Lange, P. Schwabe, and B.-Y. Yang, “Eddsa for more curves,” Cryptology ePrint Archive, Paper 2015/677, 2015. [Online]. Available: https://eprint.iacr.org/2015/677
[17] J. Brendel, C. Cremers, D. Jackson, and M. Zhao, “The provable security of ed25519: Theory and practice,” in 2021 IEEE Symposium on Security and Privacy (SP), 2021, pp. 1659–1676.
[18] K. Chalkias, F. Garillot, and V. Nikolaenko, “Taming the many eddsas,” in Security Standardisation Research, T. van der Merwe, C. Mitchell, and M. Mehrnezhad, Eds. Cham: Springer International Publishing, 2020, pp. 67–90.
[19] luigi1111 and Riccardo “fluffypony” Spagni, “Disclosure of a major bug in cryptocurrency based currencies,” May 2017. [Online]. Available: https://www.getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-
[20] N. Samwel, L. Batina, G. Bertoni, J. Daemen, and R. Suselba, “Breaking ed25519 in wolfsill,” in Topics in Cryptology – CT-RSA 2018, N. P. Smart, Ed. Cham: Springer International Publishing, 2018, pp. 1–20.
[21] L. Weissbart, S. Picek, and L. Batina, “One trace is all it takes: Machine learning-based side-channel attack on eddsa,” in Security, Privacy, and Applied Cryptography Engineering, S. Bhasin, A. Mendelson, and M. Nandi, Eds. Cham: Springer International Publishing, 2019, pp. 86–105.
[22] Y. Romailler and S. Pelissier, “Practical fault attack against the ed25519 and ecdsa signature schemes,” in 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2017, pp. 17–24.
[23] D. Poddebniak, J. Somorovsky, S. Schinzel, M. Lochter, and P. Röslter, “Attacking deterministic signature schemes using fault attacks,” in 2018 IEEE European Symposium on Security and Privacy (EuroS&P), 2018, pp. 338–352.
[24] W. Cao, H. Shi, H. Chen, J. Chen, L. Fan, and W. Wu, “Lattice-based fault attacks on deterministic signature schemes of ecdsa and eddsa,” in Topics in Cryptology – CT-RSA 2022, S. D. Galbraith, Ed. Cham: Springer International Publishing, 2022, pp. 169–195.
[25] A. Langley, M. Hamburg, and S. Turner, “Elliptic curves for security,” Tech. Rep., Jan 2016.
[26] IANIX, “Things that use Ed25519,” Jun. 2023. [Online]. Available: https://ianix.com/pub/ed25519-deployment.html
Useful information for enthusiasts:
- [1]YouTube Channel CryptoDeepTech
- [2]Telegram Channel CryptoDeepTech
- [3]GitHub Repositories CryptoDeepTools
- [4]Telegram: ExploitDarlenePRO
- [5]YouTube Channel ExploitDarlenePRO
- [6]GitHub Repositories Keyhunters
- [7]Telegram: Bitcoin ChatGPT
- [8]YouTube Channel BitcoinChatGPT
- [9] Bitcoin Core Wallet Vulnerability
- [10] BTC PAYS DOCKEYHUNT
- [11] DOCKEYHUNT
- [12]Telegram: DocKeyHunt
- [13]ExploitDarlenePRO.com
- [14]DUST ATTACK
- [15]Vulnerable Bitcoin Wallets
- [16] ATTACKSAFE SOFTWARE
- [17] LATTICE ATTACK
- [18] RangeNonce
- [19] BitcoinWhosWho
- [20] Bitcoin Wallet by Coinbin
- [21] POLYNONCE ATTACK
- [22] Cold Wallet Vulnerability
- [23] Trezor Hardware Wallet Vulnerability
- [24] Exodus Wallet Vulnerability
- [25] BITCOIN DOCKEYHUNT
Contact me via Telegram: @ExploitDarlenePRO