Cryptology ePrint Archive: Report 2020/384

A ”Final” Security Bug

Nguyen Thoi Minh Quan

Abstract: This article discusses a fixed critical security bug in Google Tink's Ed25519 Java implementation. The bug allows remote attackers to extract the private key with only two Ed25519 signatures. The vulnerability comes from the misunderstanding of what "final" in Java programming language means. The bug was discovered during security review before Google Tink was officially released. It reinforces the challenge in writing safe cryptographic code and the importance of the security review process even for the code written by professional cryptographers.

Category / Keywords: public-key cryptography / Ed25519, security bugs, remote attackers

Date: received 2 Apr 2020, last revised 3 Apr 2020

Contact author: msuntmquan at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20200409:124123 (All versions of this report)

Short URL: ia.cr/2020/384


[ Cryptology ePrint archive ]