What is the Ed25519 “Double Public Key Signing Oracle” vulnerability?

Ed25519 is a signature scheme where signatures are deterministic: given the same message, the same secret key and the same public key, you always get the same signature (composed of two parts, traditionally called $R$ and $S$).

In the standard Ed25519 scheme (RFC 8032), the part $S$ depends on the secret key, the message and the public key, but the part $R$ does not depend on the public key at all.

How the vulnerability arises

The vulnerability appears in implementations where the API for signing accepts the public key and secret key as separate inputs, without verifying that the public key corresponds to the secret key. In other words, someone can call the signing function with:

If the library uses the provided public key in the computation of $S$ but does not check that this public key is the true public key for that secret key, then an attacker can exploit that.

Specifically:

  1. The attacker picks two different public keys $PK_1$ and $PK_2$.
  2. The attacker uses the signing oracle (i.e. the library call) to get signatures on the same message $m$, once using $PK_1$ and once using $PK_2$, both with the same secret key.
  3. Since $R$ is independent of the public key, the two signatures share the same $R$. But since $S$ depends on the public key, they carry two different $S$ values.
  4. From these two signatures $(R, S_1)$ and $(R, S_2)$, one can compute the secret key. Essentially $S_1 - S_2$ reveals enough to recover the private key: deterministic Ed25519 computes $S = r + H(R, PK, m) \cdot a \bmod L$, where $a$ is the secret scalar, so $S_1 - S_2 = (H(R, PK_1, m) - H(R, PK_2, m)) \cdot a \bmod L$, and both hashes are public. This is a difference leak, not a flaw in the hash itself.

So the root problem is allowing mismatched public key / secret key pairs in signature APIs, and using the caller-supplied public key in the deterministic signature in a way that leaks information whenever that public key is “wrong”.