Niels Möller nisse@lysator.liu.se writes:
> Hi,
> I've received a bug report pointing out that misuse of the public key input to ed25519_sha512_sign (and ed448_shake256_sign) is dangerous: If you sign the same message twice using the same private key, but the public key inputs differ, that can be exploited to recover the private key from the two signatures, similar to a classic DSA nonce reuse.
A private key owner should not trust someone else's copy of its own public key, should they? It is not that different from using someone else's nonce value (or someone else's private key).
A complete explanation of how the attack works would be good to have documented, I suspect it is easy to fall into this trap.
> - Document more clearly that the public key argument *must* be the value produced by ed25519_sha512_public_key (e.g., immediately before the signing operation, or computed at key generation time and stored securely bundled with the private key).
+1. I'd leave it at documenting the last part of your suggestion here: when you generate an EdDSA key pair, you should store the public key alongside the private key, and use that copy whenever it is needed. Don't throw away the public key (or be ready to re-generate it), and don't trust someone else's version of your public key.
Requiring the public key to be identical to ed25519_sha512_public_key() is hard for an API user without always calling that function, which I'm not sure is necessary.
/Simon
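Added example, not nettle's code and not from either poster: a small pure-Python Ed25519 written in the style of RFC 8032's reference code, used to show what the thread describes. `sign_unchecked` mirrors the shape of `ed25519_sha512_sign`, where the caller passes the public key and it is hashed into the challenge as given; `KeyPair` keeps the public key bundled with the private key from generation, as Simon suggests; `sign_checked` follows Niels' "immediately before signing" variant and refuses a public key that does not belong to the private key. `nonce_reused` is a detection helper: two signatures over the same message with the same R but different S are the DSA-style nonce-reuse hazard the report warns about. The curve constants and the key in the usage note are the standard Ed25519 parameters and RFC 8032 test vector 1; the "wrong" public key is a constructed copy with one flipped bit.

```python
# Added example (not nettle's code): pure-Python Ed25519 after RFC 8032's
# reference code, to show why the public-key input to a sign function must be
# the signer's own copy, and how bundling or checking the key closes the trap.
import hashlib

P = 2**255 - 19
Q = 2**252 + 27742317777372353535851937790883648493   # order of the base point
D = (-121665 * pow(121666, P - 2, P)) % P              # twisted Edwards constant
GX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
GY = 46316835694926478169428394003475163141307993866256225615783033603165251855960
G = (GX, GY, 1, GX * GY % P)                           # base point, extended coordinates


def point_add(A, B):
    # Extended-coordinate addition, as in RFC 8032 appendix A.
    a = (A[1] - A[0]) * (B[1] - B[0]) % P
    b = (A[1] + A[0]) * (B[1] + B[0]) % P
    c = 2 * A[3] * B[3] * D % P
    e = 2 * A[2] * B[2] % P
    return ((b - a) * (e - c) % P, (e + c) * (b + a) % P,
            (e - c) * (e + c) % P, (b - a) * (b + a) % P)


def point_mul(s, A):
    R = (0, 1, 1, 0)                                   # neutral element
    while s:
        if s & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        s >>= 1
    return R


def point_compress(A):
    zinv = pow(A[2], P - 2, P)
    x, y = A[0] * zinv % P, A[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def sha512_mod_q(data):
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % Q


def secret_expand(secret):
    # Clamped scalar a and the 32-byte prefix used for nonce derivation.
    h = hashlib.sha512(secret).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]


def public_key(secret):
    a, _ = secret_expand(secret)
    return point_compress(point_mul(a, G))


def sign_unchecked(pub, secret, msg):
    """Same shape as ed25519_sha512_sign(pub, priv, ...): pub is trusted as given."""
    a, prefix = secret_expand(secret)
    r = sha512_mod_q(prefix + msg)                     # nonce depends on secret + msg only
    R = point_compress(point_mul(r, G))
    h = sha512_mod_q(R + pub + msg)                    # challenge depends on the supplied pub
    return R + ((r + h * a) % Q).to_bytes(32, "little")


class KeyPair:
    """Generate once and keep the public key bundled with the private key."""

    def __init__(self, secret):
        self.secret = secret
        self.pub = public_key(secret)                  # the only copy we ever sign with

    def sign(self, msg):
        return sign_unchecked(self.pub, self.secret, msg)


def sign_checked(pub, secret, msg):
    """Re-derive the public key right before signing and refuse a foreign copy."""
    if pub != public_key(secret):
        raise ValueError("public key does not belong to this private key")
    return sign_unchecked(pub, secret, msg)


def nonce_reused(sig1, sig2):
    """Same R, different S: one nonce spent on two challenges (the hazard in the report)."""
    return sig1[:32] == sig2[:32] and sig1[32:] != sig2[32:]


if __name__ == "__main__":
    secret = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    kp = KeyPair(secret)
    wrong_pub = bytes([kp.pub[0] ^ 1]) + kp.pub[1:]    # constructed: a tampered copy of our key
    good, bad = kp.sign(b"hello"), sign_unchecked(wrong_pub, secret, b"hello")
    print("nonce reused across the two signatures:", nonce_reused(good, bad))
```

Running the module signs one message once with the bundled key and once with the tampered copy; the two signatures share their R half, which is the condition the checked wrapper prevents from ever arising. Re-deriving the public key costs one scalar multiplication per signature, so the bundled `KeyPair` is the cheaper of the two defences when the key is long-lived.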