According to the paper “High-speed high-security signatures”…

Malleability. We also see no relevance of "malleability" to the standard definition of signature security.

Aside from the example, how is ed25519 malleable by the non-standard definition of signature security?

To be more specific:

I'd like to know about any malleability with signatures/keys. The example provided seems not to be a risk because the key must also change. If anything's been discovered since this paper, that would also be helpful. I'm concerned with ECDSA type malleabilities and wonder if there's anything “close”.

CodesInChaos

1 Answer

Ed25519 in the default implementation is malleable.

  • It includes the public key $A$ in the hashed message, so it cannot be modified
  • It includes $R$ in the hashed message, so it cannot be modified
  • $S$ is encoded as a 256-bit integer. But since it's a scalar, $S^\prime = S + k \cdot l$ is equivalent to $S$ for any integral $k$ (where $l$ is the order of the subgroup, slightly larger than $2^{252}$).

    This means that $S$ is malleable if the implementation doesn't verify that $S < l$. I verified this malleability with the Ref10 implementation.

  • There could be equivalent values for $S$, even when verifying that $0 \leq S < l$. The paper says:

    Malleability. We also see no relevance of “malleability” to the standard definition of signature security. For example, if we slightly modified the system then replacing $S$ by $−S$ and replacing $A$ by $−A$ (a slight variant of the “attack” of [75]) would convert one valid signature into another valid signature of the same message under a new public key; but it would still not accomplish the attacker’s goal, namely to forge a signature on a new message under a target public key. One such modification would be to omit $\underline{A}$ from the hashing; another such modification would be to have $\underline{A}$ encode only |A|, rather than A.

    The way I understand this is that there are no such equivalent values.

  • $S$ malleability is implementation dependent. Other implementations or batch verification might have different properties.

CodesInChaos
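The following is an added, runnable illustration of the $S$ malleability described in the answer above; it is not code from the original post, from the Ref10 authors, or from the paper. It is a textbook affine Ed25519 in pure Python (modelled on the public-domain reference Python code, so it is slow and not constant-time, for illustration only). `verify()` takes a `strict` flag that toggles the $S < l$ check, `malleate()` produces $S + k \cdot l$ with the same $R$, message and key, and `negate_sig_and_key()` applies a sign flip in the spirit of the quoted paragraph ($S \to -S$, $A \to -A$, and $R \to -R$ so the group equation would balance) to show that, because both $R$ and $A$ are inside the hash, it does not yield a valid signature under the unmodified scheme. All function names and the test key are assumptions of this example.

```python
"""Ed25519 S-malleability demo (added example; textbook affine arithmetic,
not constant-time, not for production). Function names are this example's own."""
import hashlib

q = 2**255 - 19                                       # field prime
l = 2**252 + 27742317777372353535851937790883648493   # order of base point B
d = (-121665 * pow(121666, q - 2, q)) % q             # curve constant
I = pow(2, (q - 1) // 4, q)                           # sqrt(-1) mod q

def H(m: bytes) -> bytes:
    return hashlib.sha512(m).digest()

def inv(x: int) -> int:
    return pow(x % q, q - 2, q)

def xrecover(y: int) -> int:
    """Recover the even x for a given y (caller flips the sign if needed)."""
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx % q, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    return q - x if x & 1 else x

def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q,
            (y1 * y2 + x1 * x2) * inv(1 - t) % q)

def scalarmult(P, e: int):
    Q = (0, 1)                         # neutral element
    while e:
        if e & 1:
            Q = edwards_add(Q, P)
        P = edwards_add(P, P)
        e >>= 1
    return Q

B = (xrecover(4 * inv(5) % q), 4 * inv(5) % q)        # base point (even x)

def encodepoint(P) -> bytes:           # y plus sign bit of x in bit 255
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decodepoint(s: bytes):
    v = int.from_bytes(s, "little")
    y = v & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (v >> 255):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q:
        raise ValueError("point not on curve")
    return (x, y)

def decodeint(s: bytes) -> int:
    return int.from_bytes(s, "little")

def encodeint(n: int) -> bytes:
    return n.to_bytes(32, "little")

def _secret_scalar(sk: bytes):
    h = H(sk)                          # clamp: clear bits 0-2 and 255, set 254
    return (decodeint(h[:32]) & ((1 << 254) - 8)) | (1 << 254), h[32:]

def publickey(sk: bytes) -> bytes:
    a, _ = _secret_scalar(sk)
    return encodepoint(scalarmult(B, a))

def sign(sk: bytes, m: bytes) -> bytes:
    a, prefix = _secret_scalar(sk)
    r = decodeint(H(prefix + m)) % l
    Rb = encodepoint(scalarmult(B, r))
    k = decodeint(H(Rb + publickey(sk) + m))   # R and A are both hashed
    return Rb + encodeint((r + k * a) % l)

def verify(pk: bytes, m: bytes, sig: bytes, strict: bool = True) -> bool:
    if len(sig) != 64:
        return False
    S = decodeint(sig[32:])
    if strict and S >= l:              # the check whose absence makes S malleable
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    k = decodeint(H(sig[:32] + pk + m))
    return scalarmult(B, S) == edwards_add(R, scalarmult(A, k))

def malleate(sig: bytes, k: int = 1) -> bytes:
    """Same R, same message, same key: only S is replaced by S + k*l."""
    S2 = decodeint(sig[32:]) + k * l
    if S2 >= 1 << 256:
        raise ValueError("S + k*l does not fit in 32 bytes")
    return sig[:32] + encodeint(S2)

def negate_sig_and_key(pk: bytes, sig: bytes):
    """S -> -S, A -> -A, R -> -R. Fails to verify because R, A are hashed."""
    R, A, S = decodepoint(sig[:32]), decodepoint(pk), decodeint(sig[32:])
    negR, negA = ((q - R[0]) % q, R[1]), ((q - A[0]) % q, A[1])
    return encodepoint(negA), encodepoint(negR) + encodeint((-S) % l)

if __name__ == "__main__":
    sk = bytes(range(32))              # constructed demo key, not a real secret
    pk, m = publickey(sk), b"attack at dawn"
    sig = sign(sk, m)
    sig2 = malleate(sig)
    print("original:", verify(pk, m, sig))
    print("S+l, no range check:", verify(pk, m, sig2, strict=False))
    print("S+l, with S < l check:", verify(pk, m, sig2))
    pk2, sig3 = negate_sig_and_key(pk, sig)
    print("sign-flipped (R, S, A):", verify(pk2, m, sig3, strict=False))
```

Run it and the second line prints `True`: a verifier that reads $S$ as a plain 256-bit integer accepts the altered signature, while the same verifier with the $S < l$ check rejects it. The last line prints `False` for the reason the answer gives in its first two bullets: the challenge hash covers $R$ and $A$, so flipping their signs changes $k$ and the equation $S B = R + k A$ no longer holds.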