Go+ Encyclopedia
Ed25519


Last updated 2 years ago

Abstract

The EdDSA algorithm itself has a security proof, but some EdDSA libraries expose their signing API in an unsafe way that can lead to private key exposure.

Cryptography Background

The Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of the Schnorr signature, based on twisted Edwards curves.

The EdDSA signature algorithm and its variants Ed25519 and Ed448 are technically described in RFC 8032 (https://datatracker.ietf.org/doc/html/rfc8032).

Private Key: k

k is a random number generated from an RNG.

Derived Integer: a

Calculate the hash digest of the private key:

$$H(k) = (h_0, h_1, \dots, h_{2b-1})$$

Then calculate the integer a:

$$a = 2^{b-2} + \sum_{3 \le i \le b-3} 2^i h_i \in \{2^{b-2},\ 2^{b-2}+8,\ \dots,\ 2^{b-1}-8\}$$

Later you'll see that a must not be leaked either, since it acts as the private key.

Public Key: A

$$A = aB$$

B is the base point of the curve.

Signature Generation: (R,s)

For message M:

$$r = H(h_b, \dots, h_{2b-1}, M) \in \{0, 1, \dots, 2^{2b}-1\}$$
$$R = rB$$
$$s = (r + H(R, A, M)\,a) \bmod l$$

l is the order of the subgroup generated by point B.

Now we have the signature (R, s). As you can see, anyone who knows a can produce a signature on any message, just as if they knew the private key k.

Verify the Signature

Accept the signature if:

$$8sB = 8R + 8H(R, A, M)A$$

Unsafe Implementations

Now consider a signing function implemented like this:

```go
// PSEUDO CODE: the unsafe shape. r and a are derived from the signer's secret,
// but the public key A is whatever the caller passes in.
func sign(message M, publicKey A) {
    R = rB
    S = (r + H(R, A, M)a) mod l   // A enters the hash unchecked
    return (R, S)
}
```

This sign() lets the caller supply both the message and the public key. Because r depends only on the secret and M, signing the same M with two different public keys A and A' yields two signatures with the same R but different S. From those, the caller can compute the integer a, which is equivalent to the private key k:

$$a = (S - S')\,[H(R, A, M) - H(R, A', M)]^{-1} \bmod l$$
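To show the defensive side of this, here is an added example in Go (not code from this page or from any of the listed libraries). It assumes Go's standard crypto/ed25519, whose 64-byte PrivateKey stores the public key in its second half and signs with whatever is stored there; SafeSign, TamperedKey, SharesR and ErrKeyMismatch are names chosen for this example. It shows that a tampered public half yields a second signature with the same R (the condition the formula above needs) and that re-deriving A from the seed before signing rejects such a key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// ErrKeyMismatch (hypothetical name) is returned when the public half of an
// ed25519.PrivateKey does not match the key derived from its seed.
var ErrKeyMismatch = errors.New("ed25519: public key does not match seed")

// SafeSign re-derives the public key A from the seed before signing, so a
// caller-supplied A' can never reach H(R, A', M).
func SafeSign(priv ed25519.PrivateKey, msg []byte) ([]byte, error) {
	if len(priv) != ed25519.PrivateKeySize {
		return nil, errors.New("ed25519: bad private key length")
	}
	expected := ed25519.NewKeyFromSeed(priv.Seed())
	if !bytes.Equal(expected[ed25519.SeedSize:], priv[ed25519.SeedSize:]) {
		return nil, ErrKeyMismatch
	}
	return ed25519.Sign(expected, msg), nil
}

// TamperedKey builds a private key whose public half is replaced by other.
// This is constructed for the demonstration: it is the input the unsafe path accepts.
func TamperedKey(priv ed25519.PrivateKey, other ed25519.PublicKey) ed25519.PrivateKey {
	t := make(ed25519.PrivateKey, ed25519.PrivateKeySize)
	copy(t, priv.Seed())
	copy(t[ed25519.SeedSize:], other)
	return t
}

// SharesR reports whether two 64-byte signatures carry the same R. With a
// deterministic r, this is what lets the formula above combine them.
func SharesR(sig1, sig2 []byte) bool {
	return len(sig1) == 64 && len(sig2) == 64 && bytes.Equal(sig1[:32], sig2[:32])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	otherPub, _, _ := ed25519.GenerateKey(nil)
	msg := []byte("constructed sample message")

	good := ed25519.Sign(priv, msg)
	bad := ed25519.Sign(TamperedKey(priv, otherPub), msg) // unsafe path: A' enters the hash
	fmt.Println("same R:", SharesR(good, bad), "bad verifies:", ed25519.Verify(pub, msg, bad))

	_, err := SafeSign(TamperedKey(priv, otherPub), msg)
	fmt.Println("SafeSign rejects tampered key:", err != nil)
}
```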

Summary

This is an unsafe implementation. That does not mean it is a bug that is certain to be exploitable today, but it may have unforeseen consequences in the future.

Developers should be familiar enough with the underlying cryptography to avoid it.

References

There are many libraries with this problem; you can check this list: https://twitter.com/kostascrypto/status/1535579208960790528

RFC 8032: https://datatracker.ietf.org/doc/html/rfc8032