hsec-2025-0002
Vulnerability from osv_haskell
Published
2025-11-14 14:45
Modified
2025-11-14 14:45
Summary
Double Public Key Signing Function Oracle Attack on Ed25519
Details

Double Public Key Signing Function Oracle Attack on Ed25519

The standard specification of Ed25519 message signing involves providing the algorithm with a message and private key.

The function will use the private key to compute the public key and sign the message. Some libraries provide a variant of the message signing function that also takes the pre-computed public key as an input parameter.

Libraries that allow arbitrary public keys as inputs without checking if the input public key corresponds to the input private key are vulnerable to the following attack.

By using several public keys and messages, a malicious user with access to the signing mechanism may build up insights into the private key parameters, ultimately recovering the private key.

This shortcoming means that an attacker could use the signing function as an oracle, perform cryptanalysis and ultimately get at secrets. For example, an attacker who can’t access the private key but can access the signing mechanism through an API call could use several public keys and messages to gradually build up insights into the private key parameters.
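As an added illustration of the mitigation (not code from the advisory or from the cryptonite/crypton packages), the following Go wrapper, written against Go's standard crypto/ed25519, keeps the private-key-plus-public-key signing shape the advisory describes but refuses to sign unless the supplied public key is the one derived from the private key, which is the check the advisory says vulnerable libraries omit. Names such as SignWithPublicKey and ErrPublicKeyMismatch are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrPublicKeyMismatch signals that the caller passed a public key that is
// not the one derived from the private key: the condition the advisory says
// must be rejected rather than signed with.
var ErrPublicKeyMismatch = errors.New("ed25519: supplied public key does not match private key")

// SignWithPublicKey has the "double key" signing shape described in the
// advisory (private key, caller-supplied public key, message) but performs the
// consistency check before signing. Assumption: the caller supplies Go's
// 64-byte private key, whose trailing 32 bytes are the derived public key.
func SignWithPublicKey(priv ed25519.PrivateKey, pub ed25519.PublicKey, msg []byte) ([]byte, error) {
	if len(priv) != ed25519.PrivateKeySize || len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("ed25519: bad key length")
	}
	derived := priv.Public().(ed25519.PublicKey)
	// Constant-time comparison so the check itself is not a timing side channel.
	if subtle.ConstantTimeCompare(derived, pub) != 1 {
		return nil, ErrPublicKeyMismatch
	}
	// Only now is it safe to sign: the challenge hash that binds the public
	// key into the signature is computed over the key that really belongs
	// to this private key.
	return ed25519.Sign(priv, msg), nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input for the demo

	sig, err := SignWithPublicKey(priv, pub, msg)
	fmt.Printf("matching key: err=%v verify=%v\n", err, err == nil && ed25519.Verify(pub, msg, sig))

	// A second, unrelated key pair stands in for a caller-chosen foreign public key.
	foreignPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, err = SignWithPublicKey(priv, foreignPub, msg)
	fmt.Printf("foreign key:  err=%v\n", err) // refused, nothing is signed
}
```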


{
  "affected": [
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2025/HSEC-2025-0002.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2025/HSEC-2025-0002.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "cryptonite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "type": "CVSS_V3"
        }
      ]
    },
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2025/HSEC-2025-0002.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2025/HSEC-2025-0002.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "crypton"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.31"
            },
            {
              "fixed": "1.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "database_specific": {
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
  },
  "details": "# Double Public Key Signing Function Oracle Attack on Ed25519\n\nThe standard specification of Ed25519 message signing involves providing the\nalgorithm with a message and private key.\n\nThe function will use the private key to compute the public key and sign the message.\nSome libraries provide a variant of the message signing function that also takes\nthe pre-computed public key as an input parameter.\n\nLibraries that allow arbitrary public keys as inputs without checking if the\ninput public key corresponds to the input private key are vulnerable to the\nfollowing attack.\n\nBy using several public keys and messages, a malicious user with access to the\nsigning mechanism may build up insights into the private key parameters\nresulting in access to the private key.\n\nThis shortcoming means that an attacker could use the signing function as an\nOracle, perform crypto-analysis and ultimately get at secrets.\nFor example, an attacker who can\u2019t access the private key but can access\nthe signing mechanism through an API call could use several public keys and\nmessages to gradually build up insights into private key parameters.\n",
  "id": "HSEC-2025-0002",
  "modified": "2025-11-14T14:45:34Z",
  "published": "2025-11-14T14:45:34Z",
  "references": [
    {
      "type": "ARTICLE",
      "url": "https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft"
    },
    {
      "type": "ARTICLE",
      "url": "https://github.com/MystenLabs/ed25519-unsafe-libs"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-w5vr-6qhr-36cc"
    },
    {
      "type": "EVIDENCE",
      "url": "https://hackage.haskell.org/package/cryptonite-0.30/docs/src/Crypto.PubKey.Ed25519.html#sign"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/haskell-crypto/cryptonite/blob/cryptonite-v0.30/cbits/ed25519/ed25519.c#53"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/kazu-yamamoto/crypton/blob/48fb9df2de5ee752196724b081f4d3cdb57576ed/cbits/ed25519/ed25519.c#L53"
    },
    {
      "type": "FIX",
      "url": "https://github.com/kazu-yamamoto/crypton/pull/47"
    }
  ],
  "related": [
    "GHSA-w5vr-6qhr-36cc"
  ],
  "schema_version": "1.5.0",
  "summary": "Double Public Key Signing Function Oracle Attack on Ed25519"
}