Proof of Concept of the Chalkias Ed25519 Implementation Vulnerability in Python

Konstantinos Chalkias from MystenLabs has reported a major vulnerability in the implementation of the Ed25519 (EdDSA) signature method in a range of libraries [2, 3]. It should be noted that Ed25519 itself is a highly secure method, but it has been let down by its implementation in around 40 libraries. This is a MAJOR implementation vulnerability and could allow attackers to steal private keys from wallets. It could also allow impersonation attacks using forged signatures.

So, let’s actually implement a proof of concept for this.

The Basics of Ed25519

My first task is to show how Ed25519 actually works. For this, Alice is going to sign something for Bob to check. She initially generates a random 32-byte secret key (sk) and then creates a public key of:

and where G is the base point of the curve. Alice then creates a SHA-512 hash of her private key:

The signature is made up of an r value and an s value. She creates r from the upper 32 bytes of the hash and the message (m):

where “||” represents the concatenation of the byte arrays. Next, she maps r onto the curve with:
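The steps described above, carried through to a complete RFC 8032 signature (R || s) in pure Python, as an added example that is not the article's own code and that goes beyond the text to the final s value: the scalar a and the nonce prefix come from the SHA-512 hash of the seed, r is hashed from the prefix and the message, R = r·G, and the public key A is derived from the seed inside sign rather than taken as a parameter. Only the standard library hashlib is used; sk is the 32-byte seed.

```python
import hashlib
# Ed25519 domain parameters from RFC 8032: field prime p, curve constant d, group order q
p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p
q = 2**252 + 27742317777372353535851937790883648493

def point_add(P, Q):
    # Affine addition on the twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2 (also used for doubling)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p)
    return (x3 % p, y3 % p)

def scalar_mult(k, P):
    R = (0, 1)  # neutral element of the group
    while k:
        if k & 1:
            R = point_add(R, P)
        P, k = point_add(P, P), k >> 1
    return R

def recover_x(y, sign):
    # Solve x^2 = (y^2 - 1) / (d*y^2 + 1); p = 5 (mod 8), so the root is x2^((p+3)/8), possibly times sqrt(-1)
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return x if x & 1 == sign else p - x

Gy = 4 * pow(5, p - 2, p) % p  # the base point G has y = 4/5 and an even x
G = (recover_x(Gy, 0), Gy)

def encode(P):
    # 32-byte little-endian y, with the low bit of x stored in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def expand(sk):
    # SHA-512 of the 32-byte seed: the clamped lower half is the scalar a, the upper half is the nonce prefix
    h = hashlib.sha512(sk).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:], encode(scalar_mult(a, G))  # public key A = a*G, derived from the seed

def sign(sk, m):
    a, prefix, A = expand(sk)  # A comes from the seed inside sign, not from the caller
    r = int.from_bytes(hashlib.sha512(prefix + m).digest(), "little") % q
    R = encode(scalar_mult(r, G))  # R = r*G
    k = int.from_bytes(hashlib.sha512(R + A + m).digest(), "little") % q
    return R + ((r + k * a) % q).to_bytes(32, "little")  # signature is R || s
```

Checking sign(sk, b"") against the RFC 8032 section 7.1 test vectors confirms the arithmetic.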

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice