  • Language: Rust
  • License: MIT License


List of unsafe ed25519 signature libs

ed25519-unsafe-libs

Double Public Key Signing Function Oracle Attack on Ed25519

A list of potentially unsafe ed25519 signature libraries that expose a public api in which the secret key and the public key can be provided independently as signing-function inputs. Misuse of these public apis can result in private key exposure.

Most of the repositories in our analysis are listed in IANIX :: Things that use Ed25519.

Number of impacted libraries: 45
Number of libraries that fixed the issue after the announcement: 8
Last updated: May 04, 2023

Proof of Concept implementations that demonstrate this potential exploit:

Talks:

  • Invited talk at the US National Institute of Standards and Technology (NIST) Crypto Reading Club: slides - Taming the Many EdDSAs (pages 28-39), Konstantinos Chalkias, François Garillot, Valeria Nikolaenko (2023). Taming the Many EdDSAs & Ed25519 Signing Attacks.

News and social network coverage of this attack

  • NIST Crypto Reading Club "Taming the Many EdDSAs" (March 08, 2023)
  • The Daily Swig "Dozens of cryptography libraries vulnerable to private key theft" (June 28, 2022)
  • Risky Biz News "New crypto vulnerability: Tens of cryptography libraries have misimplemented the Ed25519 digital signature algorithm" (June 28, 2022)
  • SafeHeron blogpost "Analysis on Ed25519 Use Risks: Your Wallet Private Key Can Be Stolen" (June 17, 2022)
  • kryptera.se "Vulnerability in most ed25519 libraries" (in Swedish) (June 29, 2022)
  • Difesa e Sicurezza & Yoroi "Librerie crittografiche ed25519 potenzialmente non sicure" (in Italian) (July 1 & June 29, 2022)
  • Medium post by Prof Bill Buchanan OBE "Ed25519 is Great, But ..." (July 1, 2022)
  • Reddit r/crypto (best post of the month - June 18, 2022)
  • Reddit r/cryptography (June 17, 2022)
  • Interesting tweets:
    • tweet 1 (by Kostas Kryptos - "The original 26 vulnerable libs")
    • tweet 2 (by Kostas Kryptos - "Aftermath of the 40 vulnerable libs")
    • tweet 3 (by Catalin Cimpanu - "40 cryptography libraries are impacted by same Ed25519 misimplementation")
    • tweet 4 (by Kenny Paterson - "Potential for widespread EdDSA private key recovery, cf. http://kopenpgp.com where same vector exploited in OpenPGP libs")
    • tweet 5 (by Steven Galbraith - "A hazard for deterministic signatures: better check it is the correct public key!")
    • tweet 6 (by Riyaz Faizullabhoy - "If you’re using EdDSA in prod please take a look")
    • tweet 7 (by Bart Preneel - "Reminder that implementing cryptographic algorithms securely and correctly is hard").
  • CTF (capture the flag) challenges that feature this attack:

What is the issue?

Note that, normally and according to the related RFC 8032, EdDSA signatures are deterministic: for the same input message (under the same key), a unique signature consisting of two elements, a curve point R and a scalar S, is returned.

An algorithmic detail is that the signer's public key is involved in the deterministic computation of the S part of the signature only, and not in the R value. This implies that if an adversary could somehow use the signing function as an oracle that accepts arbitrary public keys as inputs, then for the same message one can obtain two signatures that share the same R and differ only in the S part. Unfortunately, when this happens, one can easily extract the private key; this StackOverflow post explains why this is feasible.

That said, public apis should NOT accept a decoupled private/public key pair as signing input. To avoid this, many implementations store the public key along with the private key (or seed) and treat the whole keypair as the secret, or they always re-derive the public key inside the signing function. Unfortunately, a large number of existing libraries fail to address this issue: they accept arbitrary public keys as inputs without checking that the input public key corresponds to the input private key.

Of course, this does not mean that all applications depending on these libraries are prone to key exposure attacks; most are probably safe, because they usually do not expose the affected api to their users and couple their pub/priv key pair just before the sign invocation. On the other hand, even when these apis are not exposed, applications differ in their TCB and threat model for how the private and public keys are managed and stored. That said, to prevent this attack, developers should also enforce integrity protection for the public keys.
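The signing-oracle behaviour and the re-derivation fix described above, as an added self-contained example (not code from this repository or from any listed library): a minimal pure-Python Ed25519 in which `sign_unsafe` has the flagged api shape, taking the public key as an independent input, while `sign_safe` re-derives it from the seed and rejects a caller-supplied key that does not match. All function names are mine; the only non-constructed value is the RFC 8032 test-vector-1 secret key used as sample input.

```python
import hashlib
# Ed25519 constants (RFC 8032): field prime, group order, curve coefficient d
q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, q - 2, q)) % q
def _inv(x):
    return pow(x % q, q - 2, q)
def _add(P, Q):  # affine twisted-Edwards addition (a = -1)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1*y2 + x2*y1) * _inv(1 + t) % q, (y1*y2 + x1*x2) * _inv(1 - t) % q)
def _mul(P, e):  # double-and-add starting from the neutral element (0, 1)
    R = (0, 1)
    while e:
        if e & 1:
            R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R
def _enc(P):  # 32-byte little-endian y with the parity of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
# Base point B: y = 4/5, x the even square root of (y^2 - 1)/(d*y^2 + 1)
By = 4 * _inv(5) % q
xx = (By*By - 1) * _inv(d*By*By + 1) % q
Bx = pow(xx, (q + 3) // 8, q)
if (Bx*Bx - xx) % q:
    Bx = Bx * pow(2, (q - 1) // 4, q) % q
B = (q - Bx if Bx & 1 else Bx, By)
def _expand(seed):  # clamped secret scalar a and the 32-byte nonce prefix
    h = hashlib.sha512(seed).digest()
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]
def public_key(seed):
    return _enc(_mul(B, _expand(seed)[0]))

def sign_unsafe(msg, seed, pk):
    # The api shape the list flags: pk is caller-supplied and never checked against seed.
    # R depends only on seed and msg, so two calls differing only in pk share R and differ in S.
    a, prefix = _expand(seed)
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L
    R = _enc(_mul(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little") % L
    return R + ((r + k * a) % L).to_bytes(32, "little")
def sign_safe(msg, seed, pk=None):
    # Hardened variant: re-derive pk from seed and refuse a mismatching caller pk.
    derived = public_key(seed)
    if pk is not None and pk != derived:
        raise ValueError("public key does not belong to this private key")
    return sign_unsafe(msg, seed, derived)

SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")  # RFC 8032 test 1 key
```

Signing the same message with two different `pk` values through `sign_unsafe` returns signatures whose first 32 bytes (R) are identical and whose S halves differ, which is the observable condition the text describes; `sign_safe` turns the same mismatching call into a ValueError.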

Here, we list some affected libraries along with the related code references.

Fig 1. An example api misuse in the ed25519-dalek Rust crate (figure: Ed25519 api misuse resulting in key extraction).

Affected libraries

Fixed libraries

False Positives (probably safe)

Libraries originally reported as vulnerable, but removed from the list based on community feedback.
