View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0010139 | Taler | wallet-core | public | 2025-06-29 13:04 | 2025-06-29 17:26 |

| Field | Value |
|---|---|
| Reporter | oec |
| Assigned To | |
| Priority | high |
| Severity | minor |
| Reproducibility | have not tried |
| Status | new |
| Resolution | open |
| Product Version | git (master) |
| Target Version | post-1.0 |
| Tags | No tags attached. |

Summary: 0010139: Check if nacl-fast.ts is affected by ed25519 verification malleability

Description: According to https://github.com/dchest/tweetnacl-js/issues/253, "ed25519 verification is malleable and accepts forged signatures": "tweetnacl ed25519 signature verification is malleable and does not have SUF-CMA (strong unforgeability under chosen message attacks). Malleability is problematic in blockchain context. MtGox was hacked because of it." It is not clear to me if this applies to the nacl-fast.ts implementation and its use in the context of wallet-core. This should be checked.
This does not sound right. Not having SUF-CMA (and only EUF-CMA) will allow attackers to create different signatures of already seen messages. This probably does not affect Taler at all. Also, AFAIR, EdDSA signatures are always trivially malleable. Hence only EUF-CMA, which is a problem in blockchains as it will result in a different "transaction ID".
Sorry, my mistake. Of course common standardized EdDSA schemes are, in fact, SUF-CMA. The nacl implementation we use should follow the standard. It still holds that this malleability is (probably) not security relevant for us.
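The check an auditor would look for in nacl-fast.ts when answering the question above, added here as an example and not code from wallet-core or nacl-fast.ts: RFC 8032 requires a verifier to reject any signature whose S half is not below the group order L, because verification only uses S mod L and S + L still fits in 32 bytes, so a verifier without this check accepts a second signature for an already signed message. The `verifyStrict` wrapper takes the underlying verify function as a parameter (an assumption, since the nacl-fast.ts API is not shown on this page); the test vectors are constructed with a zero R half and are not real signatures.

```typescript
// Added example, not code from wallet-core or nacl-fast.ts.
// An ed25519 signature is R (32 bytes) || S (32 bytes, little-endian scalar).
// L = 2^252 + 27742317777372353535851937790883648493 (base point order),
// as 32 little-endian bytes.
const L_LE: number[] = [
  0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
  0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
];

/** True iff the S half of a 64-byte signature is canonical, i.e. S < L. */
function hasCanonicalS(sig: Uint8Array): boolean {
  if (sig.length !== 64) return false;
  // Compare the little-endian integers from the most significant byte down.
  for (let i = 31; i >= 0; i--) {
    const s = sig[32 + i];
    if (s < L_LE[i]) return true;
    if (s > L_LE[i]) return false;
  }
  return false; // S == L is not canonical either
}

/**
 * Wrap any ed25519 verifier (assumed signature: msg, sig, pk -> boolean)
 * so that non-canonical signatures are rejected before it is even called.
 */
function verifyStrict(
  verify: (msg: Uint8Array, sig: Uint8Array, pk: Uint8Array) => boolean,
  msg: Uint8Array,
  sig: Uint8Array,
  pk: Uint8Array,
): boolean {
  return hasCanonicalS(sig) && verify(msg, sig, pk);
}

/** Constructed test vector: 64-byte buffer with S = L + delta and R all zero. */
function sigWithS(delta: number): Uint8Array {
  const sig = new Uint8Array(64); // not a real signature, R half stays zero
  let carry = delta;
  for (let i = 0; i < 32; i++) {
    const v = L_LE[i] + carry;
    sig[32 + i] = v & 0xff;
    carry = v >> 8; // arithmetic shift, so a negative delta borrows correctly
  }
  return sig;
}
```
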