View Issue Details

ID: 0010139
Project: Taler
Category: wallet-core
View Status: public
Last Update: 2025-06-29 17:26
Reporter: oec
Assigned To: (none)
Priority: high
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: git (master)
Target Version: post-1.0
Summary: 0010139: Check if nacl-fast.ts is affected by ed25519 verification malleability
Description: According to https://github.com/dchest/tweetnacl-js/issues/253,
"ed25519 verification is malleable and accepts forged signatures":
"tweetnacl ed25519 signature verification is malleable and does not have SUF-CMA (strong unforgeability under chosen message attacks). Malleability is problematic in blockchain context. MtGox was hacked because of it."

It is not clear to me if this applies to the nacl-fast.ts implementation and its use in the context of wallet-core.

This should be checked.
Tags: No tags attached.

Activities

schanzen (administrator), 2025-06-29 17:15, note ~0025378 (last edited: 2025-06-29 17:16)

This does not sound right. Not having SUF-CMA (and only EUF-CMA) will allow attackers to create different signatures of already seen messages.
This probably does not affect Taler at all.

Also, AFAIR, EdDSA signatures are always trivially malleable. Hence only EUF-CMA, which is a problem in blockchains as it will result in a different "transaction ID".

schanzen (administrator), 2025-06-29 17:26, note ~0025379

Sorry, my mistake. Of course common standardized EdDSA schemes are, in fact, SUF-CMA. The nacl implementation we use should follow the standard.
It still holds that this malleability is (probably) not security relevant for us.
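
The classic form of the malleability discussed in the ticket is the non-canonical S case: RFC 8032 section 5.1.7 requires a verifier to reject any signature whose scalar S is not below the group order L, because (R, S + L) encodes to different bytes yet passes the group equation [S]B = R + [k]A exactly like (R, S). The following is an added example, not code from wallet-core, nacl-fast.ts or tweetnacl-js: a small BigInt ed25519 verifier (Node.js crypto for SHA-512) with a `strict` switch for the canonical-S check, a `malleate` helper that produces the S + L variant, and the published RFC 8032 test vector 1 as input. The `verifyEd25519`, `isCanonicalS`, `malleate` and `demo` names are this example's own, and the "lax" verifier is a model of an implementation that skips the check, not a claim about what any particular library does.

```typescript
import { createHash } from "node:crypto";

// edwards25519 parameters (RFC 8032 section 5.1)
const P = (1n << 255n) - 19n;
const L = (1n << 252n) + 27742317777372353535851937790883648493n;
const mod = (a: bigint, m: bigint = P): bigint => ((a % m) + m) % m;
function pow(b: bigint, e: bigint): bigint {
  let r = 1n;
  for (b = mod(b); e > 0n; e >>= 1n, b = mod(b * b)) if (e & 1n) r = mod(r * b);
  return r;
}
const D = mod(-121665n * pow(121666n, P - 2n)); // d = -121665/121666 mod p
const SQRT_M1 = pow(2n, (P - 1n) / 4n);         // a square root of -1 mod p

type Pt = [bigint, bigint, bigint, bigint];     // extended coordinates (X, Y, Z, T)
const ZERO: Pt = [0n, 1n, 1n, 0n];              // neutral element

// Unified addition formula of RFC 8032 section 5.1.4 (a = -1); also valid for doubling
function add(p: Pt, q: Pt): Pt {
  const [X1, Y1, Z1, T1] = p, [X2, Y2, Z2, T2] = q;
  const A = mod((Y1 - X1) * (Y2 - X2)), B = mod((Y1 + X1) * (Y2 + X2));
  const C = mod(2n * D * T1 * T2), Dd = mod(2n * Z1 * Z2);
  const E = B - A, F = Dd - C, G = Dd + C, H = B + A;
  return [mod(E * F), mod(G * H), mod(F * G), mod(E * H)];
}
// Double-and-add over every bit of k; k is deliberately NOT reduced mod L, which is
// exactly why [S + L]B lands on the same point as [S]B.
function mul(k: bigint, p: Pt): Pt {
  let r = ZERO;
  for (; k > 0n; k >>= 1n, p = add(p, p)) if (k & 1n) r = add(r, p);
  return r;
}
const equal = (p: Pt, q: Pt): boolean =>
  mod(p[0] * q[2]) === mod(q[0] * p[2]) && mod(p[1] * q[2]) === mod(q[1] * p[2]);

function bytesToBig(b: Uint8Array): bigint {    // little-endian bytes -> integer
  let n = 0n;
  for (let i = b.length - 1; i >= 0; i--) n = (n << 8n) | BigInt(b[i]);
  return n;
}
function bigToBytes(n: bigint): Uint8Array {    // integer -> 32 little-endian bytes
  const out = new Uint8Array(32);
  for (let i = 0; i < 32; i++, n >>= 8n) out[i] = Number(n & 0xffn);
  return out;
}
const fromHex = (s: string): Uint8Array => Uint8Array.from(Buffer.from(s, "hex"));

// Point decoding per RFC 8032 section 5.1.3
function decode(b: Uint8Array): Pt | null {
  const y = bytesToBig(b) & ((1n << 255n) - 1n), sign = b[31] >> 7;
  if (y >= P) return null;
  const u = mod(y * y - 1n), v = mod(D * y * y + 1n);
  let x = mod(u * pow(v, 3n) * pow(mod(u * pow(v, 7n)), (P - 5n) / 8n));
  const vx2 = mod(v * x * x);
  if (vx2 === mod(-u)) x = mod(x * SQRT_M1);
  else if (vx2 !== u) return null;
  if (x === 0n && sign === 1) return null;
  if (Number(x & 1n) !== sign) x = P - x;
  return [x, y, 1n, mod(x * y)];
}
const B = decode(fromHex("5866666666666666666666666666666666666666666666666666666666666666"))!;

// RFC 8032 section 5.1.7: the scalar S (last 32 bytes of the signature) must be < L.
const isCanonicalS = (sig: Uint8Array): boolean => bytesToBig(sig.subarray(32)) < L;

// strict = true enforces the canonical-S check; strict = false models a lax verifier.
function verifyEd25519(pk: Uint8Array, msg: Uint8Array, sig: Uint8Array, strict: boolean): boolean {
  if (pk.length !== 32 || sig.length !== 64) return false;
  const A = decode(pk), R = decode(sig.subarray(0, 32));
  if (!A || !R) return false;
  if (strict && !isCanonicalS(sig)) return false;
  const S = bytesToBig(sig.subarray(32));
  const h = createHash("sha512").update(sig.subarray(0, 32)).update(pk).update(msg).digest();
  const k = bytesToBig(new Uint8Array(h)) % L;   // k = SHA-512(R || A || M) mod L
  return equal(mul(S, B), add(R, mul(k, A)));    // [S]B == R + [k]A
}

// Turn a valid (R, S) into (R, S + L): different bytes, same scalar mod L.
function malleate(sig: Uint8Array): Uint8Array {
  const S2 = bytesToBig(sig.subarray(32)) + L;
  if (S2 >= 1n << 256n) throw new Error("S + L does not fit in 32 bytes");
  const out = new Uint8Array(sig);
  out.set(bigToBytes(S2), 32);
  return out;
}

// RFC 8032 section 7.1, TEST 1 (empty message): a published vector, not constructed here.
const PK = fromHex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a");
const MSG = new Uint8Array(0);
const SIG = fromHex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155" +
                    "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b");

function demo(): boolean[] {
  const forged = malleate(SIG);
  return [
    verifyEd25519(PK, MSG, SIG, true),     // genuine signature, strict verifier
    verifyEd25519(PK, MSG, forged, false), // lax verifier accepts the S + L variant
    verifyEd25519(PK, MSG, forged, true),  // strict verifier rejects it
  ];
}
```

Running `demo()` gives `[true, true, false]`: the lax verifier treats the (R, S + L) bytes as a second valid signature over the same message, which is the SUF-CMA gap, while the strict verifier rejects anything that is not in canonical form. Auditing nacl-fast.ts for this property therefore comes down to checking whether its `crypto_sign_open` path bounds-checks S against L before the scalar multiplication; whether a second valid encoding of an already-seen signature has any consequence in wallet-core is the separate question the ticket raises.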

Issue History

Date Modified | Username | Field | Change
2025-06-29 13:04 | oec | New Issue |
2025-06-29 17:15 | schanzen | Note Added | 0025378
2025-06-29 17:16 | schanzen | Note Edited | 0025378
2025-06-29 17:26 | schanzen | Note Added | 0025379