advisory: Double Public Key Signing Function Oracle Attack on Ed25519

blackheaven · blackheaven · commit 55cd96b96e48 · 2025-03-27T00:16:20.000+01:00
diff --git a/advisories/hackage/cryptonite/HSEC-2025-0002.md b/advisories/hackage/cryptonite/HSEC-2025-0002.md
@@ -0,0 +1,41 @@
+```toml
+[advisory]
+id = "HSEC-2025-0002"
+cwe = []
+keywords = ["crypto", "historical"]
+related = ["GHSA-w5vr-6qhr-36cc"]
+
+[[affected]]
+package = "cryptonite"
+[[affected.versions]]
+introduced = "0.1.0"
+
+[[references]]
+type = "ARTICLE"
+url = "https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft"
+[[references]]
+type = "ADVISORY"
+url = "https://github.com/advisories/GHSA-w5vr-6qhr-36cc"
+[[references]]
+type = "EVIDENCE"
+url = "https://hackage.haskell.org/package/cryptonite-0.30/docs/src/Crypto.PubKey.Ed25519.html#ccryptonite_ed25519_sign"
+
+```
+
+# Double Public Key Signing Function Oracle Attack on Ed25519
+
+The standard specification of Ed25519 message signing involves providing the
+algorithm with a message and private key.
+
+The function will use the private key to compute the public key and sign the message.
+Some libraries provide a variant of the message signing function that also takes
+the pre-computed public key as an input parameter.
+
+Some libraries were allowing arbitrary public keys as inputs without checking
+if the input public key corresponds to the input private key.
+
+This shortcoming means that an attacker could use the signing function as an
+Oracle, perform crypto-analysis and ultimately get at secrets.
+For example, an attacker who can’t access the private key but can access
+the signing mechanism through an API call could use several public keys and
+messages to gradually build up insights into private key parameters.
