Double Public Key Signing Function Oracle Attack on EdDSA Software Implementations
Sam Grierson, Konstantinos Chalkias, William J. Buchanan, Leandros Maglaras

TL;DR
This paper reveals a vulnerability in EdDSA implementations where a public key signing oracle can lead to private key recovery, compromising signature unforgeability and suggesting mitigation strategies.
Contribution
It identifies a specific oracle attack on EdDSA, demonstrating how certain implementations are vulnerable and proposing security improvements.
Findings
Vulnerable EdDSA implementations can be exploited to recover private keys.
The attack allows forging valid signatures on arbitrary messages.
Mitigation strategies are proposed to secure signing APIs.
Abstract
EdDSA is a standardised elliptic curve digital signature scheme introduced to overcome some of the issues prevalent in the more established ECDSA standard. Due to the EdDSA standard specifying that the EdDSA signature be deterministic, if the signing function were to be used as a public key signing oracle for the attacker, the unforgeability notion of security of the scheme can be broken. This paper describes an attack against some of the most popular EdDSA implementations, which results in an adversary recovering the private key used during signing. With this recovered secret key, an adversary can sign arbitrary messages that would be seen as valid by the EdDSA verification function. A list of libraries with vulnerable APIs at the time of publication is provided. Furthermore, this paper provides two suggestions for securing EdDSA signing APIs against this vulnerability while it…
Taxonomy
Topics: Digital Rights Management and Security · Cloud Data Security Solutions · Access Control and Trust
