On cofactored verification of EdDSA signatures

Bibliographic Details
Main Authors: Adrian Cinal, Oliwer Sobolewski
Format: Article
Language:English
Published: Polish Academy of Sciences 2025-06-01
Series:International Journal of Electronics and Telecommunications
Subjects: cryptographic standards; cryptographic implementations; consensus; cofactor
Online Access:https://journals.pan.pl/Content/135261/15_5032_L_Cinal_sk.pdf
Collection: DOAJ
Description: EdDSA is a Schnorr signature scheme instantiated on Edwards curves, which admit fast, constant-time arithmetic but carry a non-trivial cofactor: the order of the group of points is a large prime times a small integer (4 or 8). Current standards permit points present in the signature (the commitment and/or the public key) to have a component in the small-order subgroup of the group of points. This is done by sanctioning two variants of the signature verification equation and specifying the precedence of one over the other. This last point, however, seems to be widely misunderstood, and the two variants are given equal footing, allowing different “compliant” implementations to use different verification algorithms. This in turn lets malicious actors create signatures that are accepted by some parties but rejected by others, threatening, e.g., consensus in a blockchain network setting. We add to the discussion of the practical consequences of such discrepancies by formulating the consensus problem in the context of load-shedding attacks. We argue that the standards are in fact very specific about the set of valid signatures, despite lacking explicitness and emphasis. We further show that two mainstream cryptographic libraries, namely OpenSSL and CIRCL, accidentally (and in a manner not immediately apparent when inspecting the code) use the correct variant of the verification equation for one EdDSA parameter set but the incorrect one for another. In OpenSSL, this is traced back to careless copying of reference code. We conclude by proposing remedies to the chaotic status quo described.
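The two verification equations the abstract contrasts, shown as an added example that is not from the paper and not code from OpenSSL or CIRCL: a self-contained pure-Python Ed25519 (RFC 8032 formulas, variable-time, for illustration only) with a cofactorless verifier (S·B = R + k·A) and a cofactored verifier ([8]S·B = [8]R + [8]k·A), plus a signer that, holding the private key, adds a small-order point T to the commitment R before hashing. Since [8]T is the identity, the resulting signature is accepted by the cofactored verifier and rejected by the cofactorless one, which is the split the abstract says threatens consensus. Which equation the standards actually mandate is the paper's argument and is not decided here; the function names, the `torsion` parameter and the order-8 point search are this example's own.

```python
# Added example, not from the paper: Ed25519 with both verification equations (RFC 8032 formulas).
import hashlib

p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # prime order of the base point
d = (-121665 * pow(121666, p - 2, p)) % p               # curve constant d
SQRT_M1 = pow(2, (p - 1) // 4, p)                       # sqrt(-1) mod p
IDENTITY = (0, 1, 1, 0)                                 # extended coordinates (X, Y, Z, T)

def add(P, Q):
    """Unified addition on -x^2 + y^2 = 1 + d*x^2*y^2 (RFC 8032 5.1.4); also used for doubling."""
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A, B = (Y1 - X1) * (Y2 - X2) % p, (Y1 + X1) * (Y2 + X2) % p
    C, D = 2 * d * T1 * T2 % p, 2 * Z1 * Z2 % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def mul(s, P):                       # double-and-add, not constant time
    Q = IDENTITY
    while s:
        if s & 1:
            Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

def equal(P, Q):                     # projective equality
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0

def encode(P):                       # 32-byte little-endian y with sign(x) in the top bit
    zinv = pow(P[2], p - 2, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode(s):
    """Point decompression (RFC 8032 5.1.3); returns None for invalid encodings."""
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= p:
        return None
    u, v = (y * y - 1) % p, (d * y * y + 1) % p
    x = u * pow(v, 3, p) * pow(u * pow(v, 7, p), (p - 5) // 8, p) % p
    if v * x * x % p == (-u) % p:
        x = x * SQRT_M1 % p
    elif v * x * x % p != u:
        return None
    if x == 0 and sign:
        return None
    if (x & 1) != sign:
        x = p - x
    return (x, y, 1, x * y % p)

Bx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
By = 46316835694926478169428394003475163141307993866256225615783033603165251855960
B = (Bx, By, 1, Bx * By % p)                            # standard Ed25519 base point

def H(*parts):                       # SHA-512 as a little-endian integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def keypair(secret):                 # returns (clamped scalar a, hash prefix, encoded A)
    h = hashlib.sha512(secret).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:], encode(mul(a, B))

def sign(secret, msg, torsion=None):
    """Standard signing; a malicious signer may pass a small-order point to add to R before hashing."""
    a, prefix, pk = keypair(secret)
    r = H(prefix, msg) % L
    R = mul(r, B)
    if torsion is not None:
        R = add(R, torsion)          # R' = R + T with [8]T = identity (hypothetical attacker step)
    Rb = encode(R)
    k = H(Rb, pk, msg) % L
    return Rb + ((r + k * a) % L).to_bytes(32, "little")

def verify(pk, msg, sig, cofactored):
    """cofactored=False checks S*B == R + k*A; cofactored=True checks [8]S*B == [8]R + [8]k*A."""
    Rb, S = sig[:32], int.from_bytes(sig[32:], "little")
    A, R = decode(pk), decode(Rb)
    if A is None or R is None or S >= L:
        return False
    k = H(Rb, pk, msg) % L
    lhs, rhs = mul(S, B), add(R, mul(k, A))
    if cofactored:
        lhs, rhs = mul(8, lhs), mul(8, rhs)
    return equal(lhs, rhs)

def small_order_point():             # a point of exact order 8: decode candidate y values, multiply by L
    for y in range(2, 10**4):
        Q = decode(y.to_bytes(32, "little"))
        if Q is not None:
            T = mul(L, Q)
            if not equal(mul(4, T), IDENTITY):
                return T
    raise RuntimeError("no order-8 point found")

if __name__ == "__main__":
    sk = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")  # RFC 8032 test 1
    pk, bad = keypair(sk)[2], sign(sk, b"", torsion=small_order_point())
    print("cofactorless:", verify(pk, b"", bad, False), "cofactored:", verify(pk, b"", bad, True))
```

The honest signature for the RFC 8032 test vector passes both verifiers; the torsioned one passes only the cofactored check. The same split occurs with the order-2 point (0, -1) and the order-4 points (±sqrt(-1), 0), since multiplication by 8 annihilates the whole small-order subgroup. Two peers running different "compliant" verifiers therefore disagree on this signature's validity, which is the consensus hazard the abstract describes.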
ISSN: 2081-8491, 2300-1933
Volume/issue: vol. 71, no. 2, pp. 453-461
DOI: https://doi.org/10.24425/ijet.2025.153592
Author affiliations: Adrian Cinal and Oliwer Sobolewski, Department of Cryptology, NASK National Research Institute, Warsaw, Poland