We found cryptography bugs in the elliptic library using Wyc...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/
• Blog Title: We found cryptography bugs in the elliptic library using Wycheproof
• Suggested Section: 🔮 Crypto & Stego -> Practical Crypto Implementation Bugs & Testing (e.g., "Elliptic-Curve Signature Malleability & ECDSA Hash Truncation Pitfalls" with Wycheproof harness techniques)

🎯 Content Summary

This post analyzes two cryptographic correctness vulnerabilities in the popular JavaScript elliptic-curve library elliptic (NPM), discovered by running the Wycheproof test suite (https://github.com/C2SP/wycheproof). elliptic is downloaded over 10 million times weekly and is used by ~3,000 projects. Both issues affect digital signature schemes: one enables EdDSA signature malleability (signature forgery for known messag...

🔧 Technical Details

EdDSA signature malleability via missing scalar range check (CVE-2024-48949)
For HashEdDSA implementations, the verifier must parse a signature sig = (R || s) into a point R and an integer s, then enforce 0 ≤ s < n, where n is the curve order. If this bound check is omitted, any integer s' with s' mod n == s is accepted as equivalent. An attacker who knows a valid pair (msg, sig) can compute alternate scalars s' = s + k·n and construct new signatures sig' = (R || s') that verify under non-strict implementations but are rejected by strict ones. This yields signature malleability: multiple distinct byte-level signatures validate for the same message and public key. To prevent this, EdDSA verifiers must explicitly reject any s where s ≥ n, e.g. in JavaScript: if (sig.S().gte(sig.eddsa.curve.n)) return false;🤖 Agent Actions

Summary:

• Expanded src/crypto-and-stego/cryptographic-algorithms/README.md with a dedicated “Elliptic-Curve Signature Implementation Bugs” section covering EdDSA scalar range enforcement, the ECDSA leading-zero truncation pitfall, mitigations, and practical Wycheproof-based testing guidance.
• Added concise code snippets that demonstrate proper range checks, hash truncation, and Wycheproof harness integration.
• Introduced a new “References” section citing the Trail of Bits blog post and the Wycheproof test suite.

Tests: Not run (not requested).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/

Content Categories: Based on the analysis, this content was categorized under "🔮 Crypto & Stego -> Practical Crypto Implementation Bugs & Testing (e.g., "Elliptic-Curve Signature Malleability & ECDSA Hash Truncation Pitfalls" with Wycheproof harness techniques)".

Repository Maintenance:

• MD Files Formatting: 909 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0