[curves] XEdDSA specification

Trevor Perrin trevp at trevp.net
Sun Oct 23 21:44:46 PDT 2016


On Sun, Oct 23, 2016 at 6:55 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
>
> Failing to specify a non-malleable form has resulted in
> vulnerabilities in multiple protocols and systems.
>
> For example, some users of openssl will blacklist certificates by
> their hash. But you can take a valid ecdsa signature, change it to
> another valid one under the same key, thus change the certificate
> hash-- and bypass the blacklist. OpenSSL CVEed their fix for
> DER-parser originated signature malleability related to blacklisting,
> but still has the ecdsa algebraic one (adding half the order to s to
> flip the sign of R).


Good example.  I knew of the bitcoin issue but not that one.  If you
have a reference for that, or know of other examples, that would be
helpful.

This is irrelevant to protocols that use signatures correctly.  Also,
the checks in existing spec match some existing Ed25519 code and are
simple.  But you may be right that a spec for general use should
prefer stricter checks, to make things safer for careless users.

Trevor
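The two malleability paths Gregory names above, a non-strict DER parser accepting several encodings of the same (r, s), and the algebraic substitution of s by n - s, are both closed on the verifier side by canonicalization checks. The following is an added example, not code from the Curves thread or from either author: a strict DER parser for ECDSA signatures plus a low-s rule, so that any system that hashes or blacklists data containing a signature sees exactly one byte string per (r, s) pair. It assumes a prime-order curve and uses the secp256k1 group order n as its default; the sample r and s values in the demo are constructed.

```python
"""Added example (not from the Curves thread): strict DER parsing and low-s
canonicalization for ECDSA signatures, so a blacklist keyed on a hash that
covers the signature cannot be bypassed by re-encoding or by replacing s
with n - s."""

# Group order of secp256k1 (assumption: any prime-order curve works; only n matters).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _encode_der_len(length: int) -> bytes:
    """Minimal DER length: short form below 0x80, otherwise shortest long form."""
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _encode_der_int(value: int) -> bytes:
    """Minimal DER INTEGER for a non-negative value (leading 0x00 only to clear the sign bit)."""
    if value < 0:
        raise ValueError("negative integer")
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _encode_der_len(len(body)) + body


def encode_der_signature(r: int, s: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s } in strict DER."""
    body = _encode_der_int(r) + _encode_der_int(s)
    return b"\x30" + _encode_der_len(len(body)) + body


def _read_len(buf: bytes, pos: int):
    """Read a DER length and reject every non-minimal encoding of it."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or pos + nbytes > len(buf):
        raise ValueError("bad long-form length")
    raw = buf[pos:pos + nbytes]
    if raw[0] == 0:
        raise ValueError("non-minimal length: leading zero byte")
    length = int.from_bytes(raw, "big")
    if length < 0x80:
        raise ValueError("non-minimal length: long form where short form fits")
    return length, pos + nbytes


def _read_int(buf: bytes, pos: int):
    """Read a strict DER INTEGER: positive, minimal, no padding."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _read_len(buf, pos + 1)
    if length == 0 or pos + length > len(buf):
        raise ValueError("bad INTEGER length")
    body = buf[pos:pos + length]
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not (body[1] & 0x80):
        raise ValueError("non-minimal INTEGER: unnecessary leading zero")
    return int.from_bytes(body, "big"), pos + length


def parse_strict_der_signature(sig: bytes, n: int = SECP256K1_N):
    """Return (r, s) or raise ValueError for anything but the one strict encoding."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    length, pos = _read_len(sig, 1)
    if pos + length != len(sig):
        raise ValueError("SEQUENCE length must cover exactly the remaining bytes")
    r, pos = _read_int(sig, pos)
    s, pos = _read_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes inside SEQUENCE")
    if not (1 <= r < n and 1 <= s < n):
        raise ValueError("r or s outside [1, n-1]")
    return r, s


def is_low_s(s: int, n: int = SECP256K1_N) -> bool:
    """The low-s rule: of s and n - s, accept only the one not above n/2."""
    return 1 <= s <= n // 2


def canonicalize_s(s: int, n: int = SECP256K1_N) -> int:
    """Map s to its low-s representative (the form a verifier should accept or normalize to)."""
    return s if is_low_s(s, n) else n - s


def signature_is_canonical(sig: bytes, n: int = SECP256K1_N) -> bool:
    """True only for a strictly DER-encoded signature with low s: the check to run before trusting a hash that covers sig."""
    try:
        r, s = parse_strict_der_signature(sig, n)
    except ValueError:
        return False
    return is_low_s(s, n)


def canonical_der(sig: bytes, n: int = SECP256K1_N) -> bytes:
    """Re-encode a strictly parsed signature in its unique canonical form (for hashing/blacklisting)."""
    r, s = parse_strict_der_signature(sig, n)
    return encode_der_signature(r, canonicalize_s(s, n))


if __name__ == "__main__":
    # Constructed sample values, not a real signature.
    r, s = (1 << 255) + 12345, 0x1234567
    good = encode_der_signature(r, s)
    high = encode_der_signature(r, SECP256K1_N - s)
    print(signature_is_canonical(good), signature_is_canonical(high), canonical_der(high) == good)
```

Rejecting rather than normalizing is the safer default for a general-purpose verifier, since it makes the check visible to callers; normalizing (`canonical_der`) is what a blacklist should apply before hashing if it cannot exclude the signature from the hashed data altogether.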

