Ed25519
The EdDSA algorithm itself is proven secure, but some EdDSA libraries implement their API in an unsafe way that can lead to private key exposure.
Edwards-curve Digital Signature Algorithm (EdDSA) is a signature scheme using a variant of Schnorr signatures based on twisted Edwards curves.
The EdDSA signature algorithm and its variants Ed25519 and Ed448 are technically described in RFC 8032.
k = the private key, a random number generated from a RNG.
Calculate the digest of the private key:
Then calculate the integer a:
Later, you'll see that this a is also a number that must not leak, since it acts like the private key.
B is the base point of the curve.
For message M:
l is the order of the subgroup generated by point B.
Now we have the signature (R, s). As you can see, anyone who knows a can compute any signature, the same as if they knew the private key k.
Now, consider a signing function implemented like this, taking the public key as a parameter:
This sign() allows a caller to pass an arbitrary message and public key. If the caller uses the same M but a different A, they can compute the integer a, the equivalent of the private key k:
This is an unsafe implementation. That doesn't mean it is a bug that can be exploited with certainty today, but it may have unpredictable consequences in the future.
Developers should be familiar enough with the underlying cryptography to avoid it.
There are many libraries with this problem.