Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Native Ed25519 signatures in Safari are non-deterministic #77

Closed
paulmillr opened this issue Jan 23, 2025 · 7 comments
Closed

Native Ed25519 signatures in Safari are non-deterministic #77

paulmillr opened this issue Jan 23, 2025 · 7 comments

Comments

@paulmillr
Copy link

paulmillr commented Jan 23, 2025
edited by steveluscher
Loading

README says:

The Web Incubator Community Group has advocated for the addition of Ed25519 support to the Web Crypto API, and support has already landed in most modern JavaScript runtimes.

Does this look like "most modern JavaScript runtimes"?
@steveluscher steveluscher changed the title Misleading documentation for ed25519 Native Ed25519 signatures in Safari are non-deterministic Jan 23, 2025
@steveluscher
Copy link
Collaborator

Thank you for the pointer about Safari.

// Repro
(async () => {
  const { privateKey } = await crypto.subtle.generateKey("Ed25519", false, [
    "sign",
    "verify",
  ]);
  const message = new Uint8Array([1, 2, 3]);
  console.log(
    'A', new Uint8Array(await crypto.subtle.sign("Ed25519", privateKey, message))
  );
  console.log(
    'B', new Uint8Array(await crypto.subtle.sign("Ed25519", privateKey, message))
  );
  console.log(
    'C', new Uint8Array(await crypto.subtle.sign("Ed25519", privateKey, message))
  );
})();

@steveluscher
Copy link
Collaborator

Can you say a bit more about what problem randomized signatures would create?

@paulmillr
Copy link
Author

They are actually better and more secure, however, no one uses them, which could create compat issues. Even the spec has no test vectors

@steveluscher
Copy link
Collaborator

…which could create compat issues.

Which issues could you imagine?

@paulmillr
Copy link
Author

  1. Double spending may be possible if same msg is signed multiple times. This happened in XMR
  2. Test vectors for "signing" would fail. Maybe some integration tests?

Overall verifier doesn't know whether signature was deterministic or not, so they would not be able to distinguish those.

@steveluscher
Copy link
Collaborator

Got it. Solana doesn't use a transaction's signature to prevent double-spending, so hedged signatures won't present a problem there.

Thanks for the discussion! Good to see you again.

@steveluscher steveluscher closed this as not planned Won't fix, can't repro, duplicate, stale Jan 26, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 3, 2025

Because there has been no activity on this issue for 7 days since it was closed, it has been automatically locked. Please open a new issue if it requires a follow up.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 3, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@steveluscher @paulmillr