-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ed25519 verification is malleable and accepts forged signatures #253
Comments
Thanks! I've added a new Security Considerations section to README which describes this and some other properties. Since this library is supposed to be a 1-to-1 port of the original TweetNaCl (with some parts ported from other sources for performance reasons), I don't want to introduce potential breaking changes to it until at least 2.0 (if it ever happens). I will keep this issue open as a proposal for 2.0 if I decide that it no longer should be the TweetNaCl port and implement all the recent security improvements for the original NaCl. |
@dchest thanks for your work on tweetnacl-js. As I see you're busy on other projects, are there any plans to accept PRs/maintain this lib? What's the state of its maintenance? Also to @paulmillr: appreciate your work and used your library as well in some of my projects. My use case in one of them however requires the tiniest possible in size asymmetric encryption ("box") + sign/verify primitives. When compared to tweetnacl, your lib is still ~100% larger in bundle size (which is critical for my purposes), while I tried my best to minimize it. I would be more than grateful if either of you @paulmillr @dchest could suggest how to mitigate the described signature malleability problem in tweetnacl tho. I'd be happy to fork/and/or PR the fix, if that's not the "core" problem. I believe this will help others too. Or if there is any existing fork with fix it that I'm not aware of, I'll be happy to take a look.
How "big" is the fix actually? |
@nikitaeverywhere TweetNaCl-js achieved its goal of porting TweetNaCl to pure JavaScript and thus is the state of the "finished software". The expected maintenance is only fixing bugs and future JS compatibility issues if found. Maybe ES-module support in the future. Now that everything supports WASM, I'd recommend using WASM-compiled libsodium or something like it instead. Alternatively, WebCrypto APIs are starting to add 25519, so it may be an option. For Node, I believe there's OpenSSL-based native support for 25519. |
Can you clarify how you've measured it? Exporting this with esbuild gives similar-sized 2.3KLOC build as tweetnacl. export { ed25519, x25519 } from '@noble/curves/ed25519';
export { chacha20poly1305 } from '@noble/ciphers/chacha'; |
Got it, thanks for explaining @dchest. I've found a nicely refactored tweetnacl-ts library which solves es modules & tree shaking for me. Still, I'm thinking to refactor the "slower" implementation which will save another 8kb on a bundle size.
Thank you. My js requirements are very unique - I can't use browser APIs (which also means no WASM) and I need the most minimal library size possible. Given this tweetnacl (~ tweetnacl-ts) seems to be the best candidate out there. |
@paulmillr my requirements were:
I have around ~10-20kb of overhead to my own js above crypto libraries, and I've got the following results so far, just FYI:
This was the quick test by using tweetnacl imports: import { box_keyPair, sign_detached_verify, sign, box, box_open } from 'tweetnacl-ts';
import { xchacha20poly1305 } from '@noble/ciphers/chacha';
import { concatBytes } from '@noble/ciphers/utils';
import { ed25519 } from '@noble/curves/ed25519';
import { hkdf } from '@noble/hashes/hkdf';
import { sha512 } from '@noble/hashes/sha512'; ...which are then bundled with my code by esbuild (minified). The usage is somewhat simplified code from here for encrypt/decrypt, just with one algo, xchacha20poly1305, and sha512 instead of sha256 for hkdf to decrease the bundle size. I need to admit I'm not very advanced in primitive cryptography, so perhaps my task (sign/verify + encrypt/decrypt asymmetric) could include less cryptographic primitives – LMK if you think so :) |
@nikitaeverywhere it's actually 36KB vs 28KB, 30% increase - not 2x. Let's move here to not disturb Dmitry with offtopic https://gist.github.com/paulmillr/f655a39d7144481e1bc0a374fb65689d |
tweetnacl ed25519 signature verification is malleable and does not have SUF-CMA (strong unforgeability under chosen message attacks). Malleability is problematic in blockchain context. MtGox was hacked because of it.
The behavior defies RFC 8032, which prohibits S >= L. Folks in 2020/1244.pdf also mentioned similar stuff.
The text was updated successfully, but these errors were encountered: