Re: [TLS] draft-ietf-tls-batch-signing

2022-11-28 Thread Sean Turner
Please note that this I-D has been abandoned.

spt

> On Nov 10, 2022, at 06:29, Benson Muite  wrote:
> 
> The above draft has expired.  However, if there is still interest in it, the 
> EdDSA specification will need to be updated based on findings in [1] and [2]. 
> An erratum to [3] has been filed [4]. Libsodium seems to offer the best checks 
> for batch verification. Currently testing other libraries that offer support 
> for EdDSA.
> 
> 1) Chalkias, Garillot, and Nikolaenko "Taming the many EdDSAs" 
> https://eprint.iacr.org/2020/1244
> 
> 2) Brendel, Cremers, Jackson, and Zhao "The Provable Security of Ed25519: 
> Theory and Practice" https://eprint.iacr.org/2020/823
> 
> 3) https://datatracker.ietf.org/doc/html/rfc8032
> 
> 4) https://www.rfc-editor.org/errata_search.php?rfc=8032_status=0
> 
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls


Re: [TLS] draft-ietf-tls-batch-signing

2022-11-10 Thread Ilari Liusvaara
On Thu, Nov 10, 2022 at 02:29:38PM +0300, Benson Muite wrote:
> The above draft has expired.  However, if there is still interest in
> it, the EdDSA specification will need to be updated based on findings
> in [1] and [2]. An erratum to [3] has been filed [4]. Libsodium seems
> to offer the best checks for batch verification. Currently testing other
> libraries that offer support for EdDSA.
> 
> 1) Chalkias, Garillot, and Nikolaenko "Taming the many EdDSAs"
> https://eprint.iacr.org/2020/1244
> 
> 2) Brendel, Cremers, Jackson, and Zhao "The Provable Security of
> Ed25519: Theory and Practice" https://eprint.iacr.org/2020/823
> 
> 3) https://datatracker.ietf.org/doc/html/rfc8032
> 
> 4) https://www.rfc-editor.org/errata_search.php?rfc=8032_status=0

Note that the mention of "batch" in [1] is about batch verification,
which is unrelated to TLS batch signing. And as far as I know, the
problems with implementations only concern beyond-standard-model
security of Ed25519, which TLS does not rely upon (since TLS works
with ECDSA, which is much worse).

IIRC, the only check that RFC 8032 omits is checking that all of
X^2, Y^2 and X^2+Y^2 for both R and A are nonzero (for Ed448, 
X^2+Y^2 is always nonzero).


However, there is an unrelated security problem with the way the TLS batch
signing draft uses Ed25519 (and Ed448): There is a leaf salt, but it does
not salt the innermost hash, degrading security.

-Ilari

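The point-decoding check discussed in the message above, as an added example that is not part of this thread, of the TLS batch-signing draft, of RFC 8032 or of any library mentioned: pure-Python Ed25519 point decoding following RFC 8032 section 5.1.3, followed by the extra test that X^2, Y^2 and X^2+Y^2 are all nonzero. Because 2P has y = 0 exactly when x^2 + y^2 = 0 on this curve, the three conditions together reject precisely the eight small-order points, and the block confirms that against the definition (8P = identity) using textbook affine twisted-Edwards arithmetic. The arithmetic is not constant-time and is for illustration only; `find_order8_point` is an assumed helper that searches for a torsion point deterministically.

```python
"""Ed25519 decoding (RFC 8032 5.1.3) plus the small-order coordinate check.

Added example, not code from the draft, the RFC or libsodium. Affine
arithmetic in pure Python: readable, not constant-time, not for production.
"""
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p                  # RFC 8032 5.1 constant
L = 2**252 + 27742317777372353535851937790883648493     # prime subgroup order
IDENTITY = (0, 1)


def decode_point(s: bytes):
    """Decode a 32-byte Ed25519 point as RFC 8032 5.1.3; raise ValueError on failure."""
    if len(s) != 32:
        raise ValueError("wrong length")
    y = int.from_bytes(s, "little")
    sign = y >> 255
    y &= (1 << 255) - 1
    if y >= p:
        raise ValueError("non-canonical y")
    u = (y * y - 1) % p
    v = (d * y * y + 1) % p
    # Candidate square root of u/v for p = 5 (mod 8): x = u v^3 (u v^7)^((p-5)/8)
    x = (u * pow(v, 3, p) * pow(u * pow(v, 7, p), (p - 5) // 8, p)) % p
    vx2 = (v * x * x) % p
    if vx2 == u:
        pass
    elif vx2 == (-u) % p:
        x = (x * pow(2, (p - 1) // 4, p)) % p           # multiply by sqrt(-1)
    else:
        raise ValueError("not on curve")
    if x == 0 and sign == 1:
        raise ValueError("x = 0 with sign bit set")
    if (x & 1) != sign:
        x = p - x
    return (x, y)


def passes_small_order_check(P):
    """The check RFC 8032 omits: X^2, Y^2 and X^2+Y^2 must all be nonzero mod p."""
    x, y = P
    x2, y2 = (x * x) % p, (y * y) % p
    return x2 != 0 and y2 != 0 and (x2 + y2) % p != 0


def add(P, Q):
    """Affine twisted-Edwards addition for a = -1 (complete for valid points)."""
    x1, y1 = P
    x2, y2 = Q
    t = (d * x1 * x2 * y1 * y2) % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)


def mul(k, P):
    """Double-and-add scalar multiplication (variable-time)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def is_small_order(P):
    """Definition the coordinate check is meant to match: 8P is the identity."""
    return mul(8, P) == IDENTITY


def find_order8_point():
    """Assumed helper: L*P for the first decodable y whose torsion part has order 8."""
    y = 2
    while True:
        try:
            P = decode_point(y.to_bytes(32, "little"))
        except ValueError:
            y += 1
            continue
        T = mul(L, P)                      # kills the prime-order component
        if mul(4, T) != IDENTITY:          # 8T = identity, 4T != identity: order 8
            return T
        y += 1


if __name__ == "__main__":
    B = decode_point(((4 * pow(5, -1, p)) % p).to_bytes(32, "little"))   # base point, y = 4/5
    print("base point passes:", passes_small_order_check(B), "in subgroup:", mul(L, B) == IDENTITY)
    for enc in (b"\x01" + b"\x00" * 31, (p - 1).to_bytes(32, "little"), b"\x00" * 32):
        Q = decode_point(enc)
        print(enc.hex()[:8], "small order:", is_small_order(Q), "passes:", passes_small_order_check(Q))
```

The constructed inputs are the identity, the order-2 point (y = -1) and an order-4 point (y = 0), all of which decode cleanly under RFC 8032 and are only caught by the extra coordinate test.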