StableLib / stablelib

A stable library of useful TypeScript/JavaScript code
https://www.stablelib.com

Minerva Vulnerability check #13

Closed kdenhartog closed 4 years ago

kdenhartog commented 5 years ago

Hey, I came across the Minerva vulnerability this weekend and was curious if any aspect of stablelib was susceptible to this? I don't consider myself an expert enough on my own to review this myself, but I wanted to bring it to your attention to see what your take was, @dchest.

@mikelodder7 maybe you could help with this?

kdenhartog commented 5 years ago

@J08nY, would it be possible to review the signing implementations in here as well? I saw you did the PR in elliptic.

I suspect that if this library is affected tweetnacl-js likely is as well.

J08nY commented 5 years ago

I had a quick look through the Ed25519 code here and in tweetnacl-js and they do not look vulnerable. They do, however, perform the additional reduction of the digest modulo the order before performing scalar multiplication. This is not specified in EdDSA exactly because if it is done and a timing leak of bit-length/some bits of the nonce is present, an HNP-like attack is possible. However, I think that since there are no obvious bit-length leakages in the scalar multiplication (the loop bound is constant and the formulas look complete), this is okay.

Removing the additional reduction modulo the order would slow down the signing to double the duration, but would be generally safer in the presence of leakages.
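
The "constant loop bound" property mentioned in the review above, as an added illustration that is not part of the thread and is not stablelib or tweetnacl-js code. It uses a constructed toy group (integers modulo a prime under addition) and hypothetical function names, and it models only the loop structure: JavaScript BigInt arithmetic is itself not constant-time.

```javascript
// Toy group: integers mod M under addition, so "doubling" is (a + a) % M,
// "point addition" is (a + b) % M, and k*P can be checked as (k * P) % M.
const M = 2n ** 61n - 1n;   // constructed toy modulus, not a curve parameter
const SCALAR_BITS = 253;    // assumed fixed scalar width (group order near 2^252)

// Loop bound derived from the scalar: the iteration count equals the bit
// length of k, so signing time tracks how many leading zero bits k has.
function mulVariableBound(k, P) {
  let acc = 0n;
  let iterations = 0;
  for (let i = k.toString(2).length - 1; i >= 0; i--) {
    acc = (acc + acc) % M;
    if ((k >> BigInt(i)) & 1n) acc = (acc + P) % M; // scalar-dependent branch
    iterations++;
  }
  return { result: acc, iterations };
}

// Constant loop bound: always SCALAR_BITS iterations; the addition is computed
// every round and selected arithmetically instead of by branching on the bit.
function mulFixedBound(k, P) {
  let acc = 0n;
  let iterations = 0;
  for (let i = SCALAR_BITS - 1; i >= 0; i--) {
    acc = (acc + acc) % M;
    const bit = (k >> BigInt(i)) & 1n;
    const sum = (acc + P) % M;
    acc = acc + bit * (sum - acc); // bit = 1 keeps sum, bit = 0 keeps acc
    iterations++;
  }
  return { result: acc, iterations };
}

// Constructed sample scalars: one with 12 leading zero bits, one full width.
const P = 123456789n;
const shortNonce = 2n ** 240n + 5n;
const fullNonce = 2n ** 252n + 7n;

function iterationCounts(mul) {
  return [mul(shortNonce, P).iterations, mul(fullNonce, P).iterations];
}

console.log("variable bound:", iterationCounts(mulVariableBound)); // differs per scalar
console.log("fixed bound:   ", iterationCounts(mulFixedBound));    // identical
```
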