Initial impact report about this week's EdDSA Double-PubKey Oracle attack in 40 affected crypto libs

This page summarizes the projects mentioned and recommended in the original post on /r/crypto

  • libsodium

    A modern, portable, easy to use crypto library.

    Feature request submitted to libsodium: https://github.com/jedisct1/libsodium/issues/1191

  • ed25519-unsafe-libs

    List of unsafe ed25519 signature libs

    Original findings and audit report by MystenLabs' Cryptography Chief + continuously updated list of affected libs: https://github.com/MystenLabs/ed25519-unsafe-libs

  • trezor-firmware

    Trezor Firmware Monorepo

    Trezor's hardware wallet firmware allows the affected API, but there was a deep dive by both this attack's author (Kostas) and the Trezor team; they all eventually realized that current ed25519 signing invocations are fortunately safe. Thus, no worries at the moment, Trezor's current firmware is secure against this threat, but their engineers are working on deprecating the affected function to prevent any accidental future misuse - GitHub tracking issue https://github.com/trezor/trezor-firmware/issues/2338. I'd highlight that Trezor's response and cooperation were indeed blazing fast, good job guys!

  • ctf

    Ctf solutions from p4 team

    Funny part is that even in CTF challenges made around this problem, challenge authors were introducing some intentional bugs to account for this scenario, because they thought it would be too unrealistic otherwise :D See for example: https://github.com/p4-team/ctf/tree/master/2018-12-08-hxp/crypto_uff

  • paseto

    Platform-Agnostic Security Tokens
