Insecure signature verification algorithm for ed25519 #426
Comments
|
Thanks for the warning for double-spending attacks ;) I'd have to look into our verifications to make sure this is not possible. |
|
About the exploitability of this issue: If a malicious attacker adds one of points of the subgroups of small order (i.e., non-identity torsion points) to a key image, up to 7 double spends could be performed for each authentic spend on the cothority: this is now prevented by the Ge25519HasSmallOrder function. This happens because multiplying the sum of a torsion point by a multiple of 8 and a "normal" point will return the same point, because multiplying small subgroup points by 8 returns the identity element. Without the function Ge25519HasSmallOrder, signatures verify on malicious key images derived from the authentic ones. |
|
Just for naming: I wonder how feasible such an attack would be, given that each transaction that is signed also has a Also, can you please elaborate what you call a |
|
Byzcoin using nonces is great because nonces provide extra protection: additionally, Byzcoin is using blscosi and not EdDSA as was previously used with cosi: thus transactions seem to remain safe from this attack. But Darcs are broken, because their identities are using ed25519: although instead of using EdDSA, Darcs are using a compatible Schnorr signature scheme, also implemented in Kyber. And Darcs are used everywhere, or even Schnorr (e.g., viewchanges, roster extension, authproxy, evoting, ...) |
|
As always, there is an issue for that: dedis/cothority#2186 |
|
It's not the same thing: issue dedis/cothority#2186 is suggesting the introduction of a new darc-identity that uses EdDSA. What I'm talking here is about fixing schnorr.Verify too, much like eddsa.Verify was being fixed by PR #427. Fortunately, my latest commit also fixes schnorr.Verify: the awesome cothority is a bit more secure now :) |
Added `edda.VerifyWithChecks` which checks if the scalars and points are canonical and ensures the points do not have a small order. Refer: RFC8032§5.1.7 and https://eprint.iacr.org/2020/823.pdf Builds on top of dedis#427 and closes dedis#426 and dedis#311. Co-authored-by: David Cerezo <david@calctopia.com> Co-authored-by: Linus Gasser <linus.gasser@epfl.ch>
Added `edda.VerifyWithChecks` which checks if the scalars and points are canonical and ensures the points do not have a small order. Refer: RFC8032§5.1.7 and https://eprint.iacr.org/2020/823.pdf Builds on top of #427 and closes #426 and #311. Co-authored-by: David Cerezo <david@calctopia.com> Co-authored-by: Linus Gasser <linus.gasser@epfl.ch>
As currently implemented, the verification algorithm is not strongly unforgeable under chosen message attacks (SUF-CMA), that is, an adversary can construct an alternative signature for a given signed message; moreover, it doesn't provide guarantees of malicious strong universal exclusive ownership (M-S-UEO) to prevent key substition attacks. Furthermore, it doesn't guarantee Message-Bound Signatures (MBS), i.e., there exist no two distinct messages for which the same signature would verify with respect to a given (potentially maliciously generated) public key.
Warning: failing to patch this vulnerability could lead to double-spending attacks on cothority.
Fixed by pull request #427
Supersede issue #311
The text was updated successfully, but these errors were encountered: