On Thu, Nov 10, 2022 at 02:29:38PM +0300, Benson Muite wrote:
> The above draft has expired. However, if there is still interest in
> it, the EdDSA specification will need to be updated based on findings
> in [1] and [2]. An erratum to [3] has been filed [4]. Libsodium seems
> to offer the best checks for batch verification. Currently testing other
> libraries that offer support for EdDSA.
>
> 1) Chalkias, Garillot, and Nikolaenko "Taming the many EdDSAs"
> https://eprint.iacr.org/2020/1244
>
> 2) Brendel, Cremers, Jackson, and Zhao "The Provable Security of
> Ed25519: Theory and Practice" https://eprint.iacr.org/2020/823
>
> 3) https://datatracker.ietf.org/doc/html/rfc8032
>
> 4) https://www.rfc-editor.org/errata_search.php?rfc=8032&rec_status=0
Note that the mention of "batch" in [1] is about batch verification, which is unrelated to TLS batch signing. And as far as I know, the problems with implementations only concern beyond-standard-model security of Ed25519, which TLS does not rely upon (since TLS works with ECDSA, which is much worse).

IIRC, the only check that RFC 8032 omits is checking that all of X^2, Y^2 and X^2+Y^2 for both R and A are nonzero (for Ed448, X^2+Y^2 is always nonzero).

However, there is an unrelated security problem with the way the TLS batch signing draft uses Ed25519 (and Ed448): There is a leaf salt, but it does not salt the innermost hash, degrading security.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
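The coordinate check Ilari describes (rejecting R or A when X^2, Y^2 or X^2+Y^2 is zero) is exactly a test for membership in the order-8 torsion subgroup: X = 0 gives the points of order 1 and 2, Y = 0 the points of order 4, and X^2+Y^2 = 0 the points of order 8 (because doubling such a point lands on Y = 0). The following is an added worked example, not code from the draft, the list, or any library: it implements RFC 8032 point decompression in plain Python and layers the extra check on top. The helper names (`decode_point`, `decode_checked`, `is_small_order`, `order8_point_enc`) and the sample encodings are constructed here; the torsion points are derived from the curve equation rather than hardcoded.

```python
"""Added example: RFC 8032 section 5.1.3 decompression for Ed25519 plus the
extra small-order rejection (X^2, Y^2, X^2+Y^2 all nonzero) discussed on the
list.  Pure Python, no dependencies; not taken from any library."""

P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P   # Ed25519 curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)           # sqrt(-1) mod p (p = 5 mod 8)


def sqrt_mod(a: int):
    """Square root mod p for p = 5 (mod 8); None if a is not a square."""
    a %= P
    r = pow(a, (P + 3) // 8, P)
    if r * r % P == a:
        return r
    r = r * SQRT_M1 % P
    return r if r * r % P == a else None


def decode_point(enc: bytes):
    """RFC 8032 decompression only; returns (x, y) or None on a bad encoding."""
    if len(enc) != 32:
        return None
    y = int.from_bytes(enc, "little")
    x_sign = y >> 255
    y &= (1 << 255) - 1
    if y >= P:
        return None                     # non-canonical y
    u = (y * y - 1) % P                 # x^2 = u / v
    v = (D * y * y + 1) % P
    x = u * pow(v, 3, P) * pow(u * pow(v, 7, P), (P - 5) // 8, P) % P
    vxx = v * x * x % P
    if vxx == (-u) % P:
        x = x * SQRT_M1 % P
    elif vxx != u:
        return None                     # no square root: not on the curve
    if x == 0 and x_sign == 1:
        return None
    if x & 1 != x_sign:
        x = P - x
    return x, y


def is_small_order(x: int, y: int) -> bool:
    """True iff (x, y) lies in the 8-torsion subgroup: the check RFC 8032 omits."""
    xx, yy = x * x % P, y * y % P
    return xx == 0 or yy == 0 or (xx + yy) % P == 0


def decode_checked(enc: bytes):
    """Decompression plus rejection of small-order R or A."""
    pt = decode_point(enc)
    if pt is None or is_small_order(*pt):
        return None
    return pt


def encode_y(y: int, x_sign: int) -> bytes:
    """Compressed encoding: 255-bit y, top bit is the parity of x."""
    return ((y % P) | (x_sign << 255)).to_bytes(32, "little")


# Constructed sample encodings (derived, not copied from any test vector).
BASE_POINT_ENC = encode_y(4 * pow(5, P - 2, P), 0)   # B: y = 4/5, x even
IDENTITY_ENC = encode_y(1, 0)                         # (0, 1): order 1
ORDER2_ENC = encode_y(P - 1, 0)                       # (0, -1): order 2
ORDER4_ENC = encode_y(0, 0)                           # (sqrt(-1), 0): order 4


def order8_point_enc() -> bytes:
    """Constructed order-8 point: x^2 + y^2 = 0 together with the curve
    equation -x^2 + y^2 = 1 + d x^2 y^2 gives d y^4 + 2 y^2 - 1 = 0, so
    y^2 = (-1 +/- sqrt(1 + d)) / d; cofactor 8 guarantees a solution."""
    s = sqrt_mod(1 + D)
    inv_d = pow(D, P - 2, P)
    for y2 in ((-1 + s) * inv_d % P, (-1 - s) * inv_d % P):
        y = sqrt_mod(y2)
        if y is not None:
            return encode_y(y, 0)
    raise RuntimeError("no order-8 point found (impossible for Ed25519)")


if __name__ == "__main__":
    for name, enc in [("B", BASE_POINT_ENC), ("identity", IDENTITY_ENC),
                      ("order 2", ORDER2_ENC), ("order 4", ORDER4_ENC),
                      ("order 8", order8_point_enc())]:
        print(f"{name:9s} RFC 8032 accepts: {decode_point(enc) is not None}, "
              f"with extra check: {decode_checked(enc) is not None}")
```

Running the script shows that plain RFC 8032 decompression accepts all five encodings, while the extra check accepts only B; a verifier that applies `decode_checked` to both R and A therefore rejects exactly the torsion inputs that [1] identifies as the source of divergent behaviour between implementations.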