RFC Errata



RFC 8032, "Edwards-Curve Digital Signature Algorithm (EdDSA)", January 2017

Source of RFC: IRTF

Errata ID: 6306
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT

Reported By: Dmitry Khovratovich
Date Reported: 2020-10-15
Held for Document Update by: Nick Sullivan
Date Held: 2025-01-18

Section 5.1.7 says:

       Decode the first half as a
       point R, and the second half as an integer S, in the range
       0 <= s < L.  Decode the public key A as point A'.  If any of the
       decodings fail (including S being out of range), the signature is
       invalid.

   2.  Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
       64-octet digest as a little-endian integer k.

   3.  Check the group equation [8][S]B = [8]R + [8][k]A'.  It's
       sufficient, but not required, to instead check [S]B = R + [k]A'.

It should say:

       Decode the first half R as a
       point R', and the second half as an integer S, in the range
       0 <= S < L.  Decode the public key A as point A'.  If any of the
       decodings fail (including S being out of range), the signature is
       invalid.

   2.  Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
       64-octet digest as a little-endian integer k.

   3.  Check the group equation [8][S]B = [8]R' + [8][k]A'.  It's
       sufficient, but not required, to instead check [S]B = R' + [k]A'.

Notes:

1) public key R' and its encoding R are confused
2) s changed to S (this errata has been reported already)


Held for Document Update: Errata 6306 suggests clarifying variable names in Section 5.1.7's decoding components to reduce ambiguity in signature verification processes. The adjustments are editorial but help improve implementation clarity, particularly for complex protocols that rely on accurate component identification. Suitable for future document updates. - CFRG co-chair
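
The distinction this erratum draws, shown as an added example (not code from RFC 8032 or from the erratum): a pure Ed25519 verifier that keeps the 32-octet encodings R and A for the hash in step 2 and uses the decoded points R' and A' only in the group equation of step 3. The names `R_pt` and `A_pt` (for R' and A') and the `sign` helper are assumptions made here; dom2 is empty and PH is the identity, and the affine arithmetic is written for readability, not constant time.

```python
import hashlib

p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p  # curve constant -121665/121666

def add(P, Q):  # complete twisted-Edwards addition, affine (slow but short)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(k, P):  # double-and-add, not constant time
    Q = (0, 1)  # neutral element
    while k:
        if k & 1: Q = add(Q, P)
        P, k = add(P, P), k >> 1
    return Q

def encode(P):  # point -> 32 octets: y with the low bit of x in bit 255
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")

def decode(enc):  # 32 octets -> point, or None when decoding fails
    y = int.from_bytes(enc, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if len(enc) != 32 or y >= p: return None
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p: x = x * pow(2, (p - 1) // 4, p) % p
    if (x * x - x2) % p or (x == 0 and sign): return None
    return (p - x if x & 1 != sign else x, y)

B = decode((4 * pow(5, -1, p) % p).to_bytes(32, "little"))  # base point

def verify(A, M, sig):
    R, S = sig[:32], int.from_bytes(sig[32:], "little")  # R: octets; S: integer
    R_pt, A_pt = decode(R), decode(A)                     # R', A': decoded points
    if len(sig) != 64 or R_pt is None or A_pt is None or S >= L: return False
    # Step 2 hashes the encodings R and A, never the decoded points.
    k = int.from_bytes(hashlib.sha512(R + A + M).digest(), "little") % L
    # Step 3 works on the decoded points: [8][S]B = [8]R' + [8][k]A'.
    return mul(8 * S, B) == mul(8, add(R_pt, mul(k, A_pt)))

def sign(seed, M):  # constructed helper, only to produce a sample signature
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | 1 << 254
    r = int.from_bytes(hashlib.sha512(h[32:] + M).digest(), "little") % L
    A, R = encode(mul(a, B)), encode(mul(r, B))
    k = int.from_bytes(hashlib.sha512(R + A + M).digest(), "little") % L
    return A, R + ((r + k * a) % L).to_bytes(32, "little")
```

A signature whose second half is S + L satisfies the group equation but is rejected by the range check from step 1, which is why the decoded integer S and the bound 0 <= S < L have to be checked before the equation.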
