
ed25519-java signatures are malleable

Open huitseeker opened this issue 5 years ago • 3 comments

During an investigation of the security of EdDSA, published in https://eprint.iacr.org/2020/1244, we found a malleability issue in ed25519-java, specifically in v. 0.3.0.

The issue, detailed in the paper, is the well-known EdDSA malleability issue of checking that s is in the range [0, L), where L is the order of the larger group.

ed25519-java does not perform a check on the scalar to avoid signature malleability, whether through bit-checking or as a full arithmetic check.

The absence of this check is against specifications (RFC 8032, FIPS 196-5 draft) and costs the library the SUF-CMA property. The lack of this property means that the adversary can construct alternative signatures for a given signed message that will pass ed25519-java verification.

Here are the (hex-encoded) test vectors we used (the specific claim discussed in the issue is that ed25519-java passes vector #6, which has a message finishing in ..ec40 and a signature finishing in ..a514, and vector #7, which has a message ending in ...ec40 and a signature finishing in ..8c22): https://github.com/novifinancial/ed25519-speccheck/blob/master/cases.json

The vectors were generated using the source you'll find at: https://github.com/novifinancial/ed25519-speccheck/blob/master/src/main.rs

Here is the way we ran this vector and the others of our set against ed25519-java: https://github.com/novifinancial/ed25519-speccheck/tree/master/scripts/ed25519-java

This is joint work with @kchalkias @valerini

huitseeker avatar Oct 22 '20 18:10 huitseeker
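The scalar-range check the report refers to, written out as an added example (this is not code from the issue, the paper's repository, or ed25519-java): the cheap bit-check beside the full arithmetic check `0 <= s < L` that RFC 8032 requires, plus a constructed negative test vector that re-encodes `s` as `s + L`. The sample signature uses a placeholder `R` of 32 zero bytes and an arbitrary small `s`, since only the range check on `s` is exercised here.

```python
# Added example (not from the issue or from ed25519-java): the s-range check
# that the report says ed25519-java 0.3.0 lacks, in both of its common forms.

# Order of the Ed25519 base-point group, L = 2^252 + 27742..., per RFC 8032 5.1.
L = (1 << 252) + 27742317777372353535851937790883648493


def split_signature(sig: bytes) -> tuple:
    """Split a 64-byte signature into R (32 bytes) and s (32-byte little-endian int)."""
    if len(sig) != 64:
        raise ValueError("Ed25519 signature must be exactly 64 bytes")
    return sig[:32], int.from_bytes(sig[32:], "little")


def s_passes_bitcheck(sig: bytes) -> bool:
    """Bit-check: accept only if the top three bits of the last byte are clear,
    i.e. s < 2^253. Weaker than the full check: any s in [L, 2^253) slips through."""
    return (sig[63] & 0xE0) == 0


def s_passes_full_check(sig: bytes) -> bool:
    """Full arithmetic check required by RFC 8032 section 5.1.7: 0 <= s < L."""
    _, s = split_signature(sig)
    return s < L


def noncanonical_encoding(sig: bytes) -> bytes:
    """Negative test vector: re-encode s as s + L. It is congruent to s mod L, so the
    verification equation still holds and only a range check on s can reject it."""
    r, s = split_signature(sig)
    if s + L >= (1 << 256):
        raise ValueError("s + L does not fit in 32 bytes")
    return r + (s + L).to_bytes(32, "little")


def check_signature_scalar(sig: bytes) -> dict:
    """Report what each form of the check says about the encoded s."""
    return {"bitcheck": s_passes_bitcheck(sig), "full": s_passes_full_check(sig)}


# Constructed sample: placeholder R of 32 zero bytes, small canonical s.
SAMPLE_SIG = bytes(32) + (12345).to_bytes(32, "little")

if __name__ == "__main__":
    print("canonical    :", check_signature_scalar(SAMPLE_SIG))
    print("non-canonical:", check_signature_scalar(noncanonical_encoding(SAMPLE_SIG)))
```

The non-canonical vector passes the bit-check but fails the full check, which is why a verifier that performs neither, or only the bit-check, does not get SUF-CMA.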

Fixed in I2P, March 2019 https://github.com/i2p/i2p.i2p/commit/d7d1dcb5399c61cf2916ccc45aa25b0209c88712#diff-658f7b1aa34b58d27796fccdb8b756c72702d64ae44703374960f1cb89a5a5c3

zzzi2p avatar Dec 30 '20 23:12 zzzi2p

Thanks a bunch!


-- Konstantinos Chalkias Cryptographer and Software Engineer ATG CATGCCGTAGAA GCA AATATATGCGAG GATGCTTAT TAG <- decrypt this!

kchalkias avatar Dec 30 '20 23:12 kchalkias

Thank you and the rest of the team for the great research, well-written paper, and the bug report above.

zzzi2p avatar Dec 31 '20 11:12 zzzi2p