RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 8032, "Edwards-Curve Digital Signature Algorithm (EdDSA)", January 2017

Source of RFC: IRTF

Errata ID: 6306
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Dmitry Khovratovich
Date Reported: 2020-10-15

Section 5.1.7 says:

       Decode the first half as a
       point R, and the second half as an integer S, in the range
       0 <= s < L.  Decode the public key A as point A'.  If any of the
       decodings fail (including S being out of range), the signature is
       invalid.

   2.  Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
       64-octet digest as a little-endian integer k.

   3.  Check the group equation [8][S]B = [8]R + [8][k]A'.  It's
       sufficient, but not required, to instead check [S]B = R + [k]A'.

It should say:

       Decode the first half R as a
       point R', and the second half as an integer S, in the range
       0 <= S < L.  Decode the public key A as point A'.  If any of the
       decodings fail (including S being out of range), the signature is
       invalid.

   2.  Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
       64-octet digest as a little-endian integer k.

   3.  Check the group equation [8][S]B = [8]R' + [8][k]A'.  It's
       sufficient, but not required, to instead check [S]B = R' + [k]A'.

Notes:

1) public key R' and its encoding R are confused
2) s changed to S (this errata has been reported already)

Report New Errata