The Dark Side of Deterministic Signatures

In accordance with standards like RFC 8032 and FIPS 186-5, this section describes the Edwards-Curve Digital Signature Algorithm (EdDSA), emphasizing its deterministic nature and verification procedure. Adversaries can use EdDSA's deterministic signature to recover the secret key by presenting two distinct public keys, according to a new double public key signing oracle attack that the authors have discovered. Because of this, EdDSA's strong unforgeability guarantees are effectively broken, allowing for arbitrary message signing. This vulnerability's wide range and importance are highlighted by the fact that many popular cryptographic libraries are among the affected implementations.