RFC Errata
Found 6 records.
Status: Verified (3)
RFC 8032, "Edwards-Curve Digital Signature Algorithm (EdDSA)", January 2017
Source of RFC: IRTF
Errata ID: 5930
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Daniel Bleichenbacher
Date Reported: 2019-12-06
Verifier Name: Colin Perkins
Date Verified: 2021-05-24
Section 6 says:
def verify(public, msg, signature):
if len(public) != 32:
raise Exception("Bad public key length")
if len(signature) != 64:
Exception("Bad signature length")
It should say:
def verify(public, msg, signature):
if len(public) != 32:
raise Exception("Bad public key length")
if len(signature) != 64:
raise Exception("Bad signature length")
Notes:
Missing raise before Exception
Errata ID: 5519
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Susumu Endoh
Date Reported: 2018-10-10
Verifier Name: Colin Perkins
Date Verified: 2019-04-09
Section 5.1.7 says:
Decode the first half as a point R, and the second half as an integer S, in the range 0 <= s < L.
It should say:
Decode the first half as a point R, and the second half as an integer S, in the range 0 <= S < L.
Notes:
original document expression is ' 0 <= s < L', but it must be '0 <= S < L'. upper/lower case problem.
Errata ID: 6851
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Martin Thomson
Date Reported: 2022-02-15
Verifier Name: RFC Editor
Section 8.7 says:
As an API consideration, this means that any Initialize Update Finalize (IFU) verification interface is prone to misuse.
It should say:
As an API consideration, this means that any Initialize Update Finalize (IUF) verification interface is prone to misuse.
Notes:
Typo in acronym.
Status: Reported (3)
RFC 8032, "Edwards-Curve Digital Signature Algorithm (EdDSA)", January 2017
Source of RFC: IRTF
Errata ID: 5968
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Valeria Nikolaenko
Date Reported: 2020-01-28
Section 3.1 says:
3.1. Encoding An integer 0 < S < L - 1 is encoded in little-endian form as a b-bit string ENC(S).
It should say:
3.1. Encoding An integer 0 <= S <= L - 1 is encoded in little-endian form as a b-bit string ENC(S).
Notes:
The range of the scalar should include the end-points: 0 and L-1.
Errata ID: 6306
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Dmitry Khovratovich
Date Reported: 2020-10-15
Section 5.1.7 says:
Decode the first half as a
point R, and the second half as an integer S, in the range
0 <= s < L. Decode the public key A as point A'. If any of the
decodings fail (including S being out of range), the signature is
invalid.
2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
64-octet digest as a little-endian integer k.
3. Check the group equation [8][S]B = [8]R + [8][k]A'. It's
sufficient, but not required, to instead check [S]B = R + [k]A'.
It should say:
Decode the first half R as a
point R', and the second half as an integer S, in the range
0 <= S < L. Decode the public key A as point A'. If any of the
decodings fail (including S being out of range), the signature is
invalid.
2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
64-octet digest as a little-endian integer k.
3. Check the group equation [8][S]B = [8]R' + [8][k]A'. It's
sufficient, but not required, to instead check [S]B = R' + [k]A'.
Notes:
1) public key R' and its encoding R are confused
2) s changed to S (this errata has been reported already)
Errata ID: 6348
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: David Benjamin
Date Reported: 2020-12-02
Section 3.4 says:
Compute h = H(ENC(R) || ENC(A) || M), and check the group equation [2^c * S] B = 2^c * R + [2^c * h] A in E.
It should say:
Compute h = H(ENC(R) || ENC(A) || M), and check the group equation [2^c * S] B = [2^c] R + [2^c * h] A in E.
Notes:
Section 2 uses a separate notation, [n]X, for point multiplication, so this operation should use the brackets.
