4 days ago elliptic – a well-known JavaScript-based cryptography library – published the following security advisory: GHSA-vjh7-7g9h-fjfh.
Summary
Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input.
Note that elliptic by design accepts hex strings as one of the possible input types.
First, the good news: if wallets strictly follow RFC 6979 (nonces are derived deterministically from the hashed message), their input-to-bytes conversion is not erroneous (but we never really know!), and they don’t allow custom nonce injection, everything should be safe.
Well, sure, one might dismiss this as merely an implementation error, but I truly believe this incident is far more nuanced and warrants deeper reflection on the actions we, as an ecosystem, must take. Cryptographic primitive libraries—not just the cryptographic theory—are the foundation of our security infrastructure. A single mistake can lead to devastating consequences, and we really cannot afford to take that risk lightly. Human error is inevitable tbh, and new vulnerabilities will continue to emerge.
That’s why I think we should start experimenting with hedged signatures in our ecosystem. @p_m describes this well in his blog post here. The TL;DR is:
Hedged signatures generate k deterministically, then incorporate randomness into it.
He also shares important references about the current usage:
- RFC 6979 actually describes hedging in section 3.6! Libraries implement it too: for example, libsecp256k1 has had it since 2015
- BIP 340 authors also made a wise decision, incorporating hedging by default
- RFC 8032 ed25519 does not support hedged signatures; however, Signal made an effort and created XEdDSA. Then Apple followed Signal and added hedged ed25519 to both CryptoKit and its Safari implementation of WebCrypto. The idea was formalized on the mailing list in 2017.
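To make the TL;DR and the RFC 6979 section 3.6 reference concrete, here is an added example (not code from the original post and not elliptic's own implementation) of RFC 6979 nonce derivation in Python, with the optional additional-data input k' that turns the deterministic k into a hedged one. The private key and message are constructed, except for the P-256 known-answer vector taken from RFC 6979 appendix A.2.5; the `message_hash`, `rfc6979_nonce`, `hedged_nonce` and `nonce_pair` names are this example's own.

```python
import hashlib
import hmac
import os

# Group order of secp256k1, the curve most elliptic users sign on.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Group order of NIST P-256, here only because RFC 6979 appendix A.2.5
# publishes a known-answer vector for it that the derivation must reproduce.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def message_hash(msg: bytes) -> bytes:
    """h1 = H(m) with SHA-256; callers pass bytes, never a str or an int."""
    return hashlib.sha256(msg).digest()


def rfc6979_nonce(priv: int, h1: bytes, q: int, extra: bytes = b"") -> int:
    """RFC 6979 section 3.2 nonce k via HMAC-SHA256 for a 256-bit order q.
    `extra` is the additional data k' of section 3.6: when non-empty it is
    appended to the HMAC inputs of steps d and f, i.e. k is still derived
    from key and message, but fresh randomness is folded in as well."""
    if q.bit_length() != 256 or len(h1) != 32:
        raise ValueError("this example assumes qlen == hlen == 256")
    x = priv.to_bytes(32, "big")                              # int2octets(x)
    h = (int.from_bytes(h1, "big") % q).to_bytes(32, "big")   # bits2octets(h1)
    mac = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    V, K = b"\x01" * 32, b"\x00" * 32                         # steps b, c
    K = mac(K, V + b"\x00" + x + h + extra)                   # step d
    V = mac(K, V)                                             # step e
    K = mac(K, V + b"\x01" + x + h + extra)                   # step f
    V = mac(K, V)                                             # step g
    while True:                                               # step h
        V = mac(K, V)
        k = int.from_bytes(V, "big")      # bits2int(T); one block fills qlen
        if 1 <= k < q:
            return k
        K = mac(K, V + b"\x00")           # out-of-range retry, rarely taken
        V = mac(K, V)


def hedged_nonce(priv: int, h1: bytes, q: int = SECP256K1_N) -> int:
    """Deterministic k mixed with 32 random bytes. Even with a broken RNG
    the output is no easier to predict than plain RFC 6979 output."""
    return rfc6979_nonce(priv, h1, q, extra=os.urandom(32))


def nonce_pair(priv: int, msg: bytes, hedged: bool):
    """k for two signings of the same message with the same key: identical
    when purely deterministic, distinct (with overwhelming odds) when hedged."""
    h1 = message_hash(msg)
    derive = hedged_nonce if hedged else rfc6979_nonce
    return derive(priv, h1, SECP256K1_N), derive(priv, h1, SECP256K1_N)
```

The deterministic path repeats k whenever the same key and message bytes reach the derivation, which is the situation any input-handling bug must avoid; the hedged path gives every signing its own k while keeping the RFC 6979 fallback if the randomness is weak.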
With this post, I aim to spark a discussion on how and where we should begin exploring the adoption of hedged signatures in our ecosystem. There is no doubt that they represent a meaningful advancement in security, and it is crucial that we consider their implementation thoughtfully.