EdDSA-Java Signature Malleability Vulnerability

Vulnerability

A signature malleability vulnerability has been identified in EdDSA-Java (ed25519-java) versions through 0.3.0. The library's EdDSA implementation does not properly validate the scalar component of signatures, so an attacker can generate alternative valid signatures for the same message. This violates the SUF-CMA (Strong Existential Unforgeability under Chosen-Message Attack) property: a new signature that differs from any previously generated one is still accepted as valid by the library.

Impact

The vulnerability allows for signature malleability, where an attacker can create different valid signatures for the same message, undermining the integrity of the signature verification process.

Reproduction

The vulnerability can be reproduced by using the EdDSA-Java library to sign a message and then verifying the signature using the same library. Due to the malleability issue, it is possible to generate a different valid signature for the same message that will also be accepted by the verification process. This can be done by manipulating the scalar component of the signature, taking advantage of the library's lack of proper range checks.

Remediation

Users can switch to the forked version of the library available at 'bloxbean/ed25519-java' which includes the necessary fix.
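
Where the library cannot be replaced immediately, callers can apply a range check on the scalar before handing a signature to verification. The following is an added example, not code from EdDSA-Java or from the bloxbean fork. It assumes the standard 64-byte Ed25519 signature layout (R followed by little-endian S) and the group order L given in RFC 8032; the class and method names are hypothetical.

```java
import java.math.BigInteger;

/** Added example: canonical-scalar guard to run before Ed25519 verification. */
public final class CanonicalSCheck {
    // Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493 (RFC 8032).
    static final BigInteger L = BigInteger.ONE.shiftLeft(252)
            .add(new BigInteger("27742317777372353535851937790883648493"));

    /**
     * Returns true only if sig is exactly 64 bytes and its scalar S
     * (bytes 32..63, little-endian) lies in the range [0, L).
     * The signature is public data, so a variable-time comparison is acceptable.
     */
    static boolean hasCanonicalS(byte[] sig) {
        if (sig == null || sig.length != 64) {
            return false;
        }
        byte[] bigEndian = new byte[32];
        for (int i = 0; i < 32; i++) {
            bigEndian[i] = sig[63 - i]; // reverse little-endian S into big-endian
        }
        BigInteger s = new BigInteger(1, bigEndian); // signum 1: treat as unsigned
        return s.compareTo(L) < 0;
    }

    /** Builds a constructed 64-byte buffer (all-zero R) carrying the given scalar. */
    static byte[] constructedSignature(BigInteger s) {
        byte[] bigEndian = s.toByteArray();
        byte[] sig = new byte[64];
        for (int i = 0; i < bigEndian.length && i < 32; i++) {
            sig[32 + i] = bigEndian[bigEndian.length - 1 - i];
        }
        return sig;
    }

    public static void main(String[] args) {
        // Constructed boundary inputs, not real signatures.
        System.out.println("S = L-1 accepted: " + hasCanonicalS(constructedSignature(L.subtract(BigInteger.ONE))));
        System.out.println("S = L   accepted: " + hasCanonicalS(constructedSignature(L)));
        System.out.println("63-byte accepted: " + hasCanonicalS(new byte[63]));
    }
}
```

A signature that fails this check should be rejected without calling the library's verify routine; one that passes must still go through normal verification.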

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.