Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Presentation

Taming the Many EdDSAs

March 8, 2023

Presenters

Konstantinos Chalkias - Mysten Labs
François Garillot - Protocol Labs
Valeria Nikolaenko - A16z Crypto

Description

Abstract. In this talk we will discuss the security of concrete instantiations of EdDSA by identifying exploitable inconsistencies between standardization recommendations and Ed25519 implementations.  We will mainly focus on current ambiguity regarding signature verification equations, binding and malleability guarantees, and incompatibilities between randomized batch and single verification.  Based on our work [1] that appeared at SRR 2020, we will give a formulation of the Ed25519 signature scheme that achieves the highest level of security, explaining how each step of the algorithm links with the formal security properties.

We will also discuss optimizations that allow for more efficient secure implementations.  Moreover, we explain how we designed the set of edge-case test-vectors and run them by some of the most popular Ed25519 libraries.  The results allowed us to understand the security level of those implementations and showed that most libraries do not comply with the latest standardization recommendations.  The methodology allows to test compatibility of different Ed25519 implementations which is of practical importance for consensus-driven applications.

Finally, we will present another set of potential attack vectors related to misuse of Ed25519 APIs during key generation, storage and signing based on work [2] that exposed a potential vulnerability that could effectively leak Ed25519 private keys, due to how public keys are provided or computed in the signing function; this vulnerability affected more than 50 Ed25519 libs.

Suggested readings: [1] ia.cr/2020/1244; [2] GitHub:MystenLabs/ed25519-unsafe-libs

Presented at

Crypto Reading Club talk on 2023-Mar-08

Parent Project

See: Crypto Reading Club

Related Topics

Security and Privacy: cryptography

Created February 14, 2023, Updated March 09, 2023